When it comes to supply chain risks, cybersecurity and data loss are top of mind for security analysts and other professionals. The EU Agency for Cybersecurity (ENISA) notes that there has been a marked increase in such attacks since early 2020—and that most supply chain attacks target data (mainly personal information and intellectual property).
Manufacturers are typically involved in long and complex supply chains with many actors, making them particularly vulnerable to disruption and malicious activity in the supply chain. You must protect against these risks. Keep reading to learn more, including prevention tips.
Five manufacturing supply chain cyber risks
First, let’s look at five crucial supply chain cyber risks for manufacturers. We’ll then consider how manufacturers can improve their supply chain cybersecurity, referencing some real-life examples.
1. Intellectual property theft
One major concern for manufacturers is that third parties in their supply chain may abuse their access to intellectual property and other valuable or sensitive data. According to research by Kroll, guarding against supply chain IP theft is a priority for nearly three-quarters of companies.
Even if all your supply chain partners are legitimate, there is always the possibility that a rogue employee could steal your IP or trade secrets and pass them on to your competitors. Don’t believe us? Check out these 17 examples of real-world insider threats.
2. Supply chain attacks
Supply chain attacks leverage security vulnerabilities to steal data and spread malware such as ransomware. Some recent high-profile supply chain attacks include the attacks on software companies Solarwinds and Kaseya. These incidents involved software vendors pushing compromised updates to their customers, resulting in widespread malware infections.
There’s a reason that supply chains are particularly vulnerable to cyberattacks. The more organizations are involved in a manufacturing process, the greater the likelihood that one of the members will fall victim to a cyberattack and spread malware to their business partners. But that doesn’t mean that the chain is “only as strong as its weakest link.” A well-defended organization can stop a supply chain attack in its tracks.
Case study: supply chain attack
Here’s an example of a supply chain attack that leveraged email in an attempt to undermine a company’s security defenses. This type of threat is known as an “account take over” (ATO) attack. The cybercriminals targeted a medium-sized construction firm by first infiltrating one of the company’s trusted vendors.
The attackers managed to take over the email account of one of this vendor’s employees. By reading the employee’s emails, the criminals learned that the employee was in contact with several high-ranking staff members at the construction firm.
After observing the employee’s communication patterns and email style, the attackers then used the mailbox to send phishing emails to a targeted group of individuals at the construction firm.
The phishing emails encouraged the recipients to click a link to a cloud storage folder, claiming that the folder contained a request for a proposal. Clicking the link would have downloaded malware onto the recipient’s device.
Protecting against supply chain attacks
Protecting against supply chain attacks requires a comprehensive cybersecurity policy, including staff training, network defenses, and security software. Implementing email security software is a vital part of your defensive strategy in the case of email-based supply chain attacks, such as the one above.
The case study above is a real-life example of how Tessian, a comprehensive email security solution driven by machine learning, can help thwart supply chain attacks. Tessian Defender scans inbound emails for suspicious activity. The software also learns your employees’ communication patterns to understand what constitutes “normal” email activity.
In the attack described above, Tessian noted several subtle signs—including the sender’s location and choice of cloud storage platform—suggesting that the email could be part of a supply chain attack. Tessian alerted the employee to the potential danger, and the supply chain attack was averted.
It’s important to note that legacy email security software, which normally operates on a “rule-based” basis, can fall short when it comes to sophisticated account take-over attacks like this. Tessian was not the only security product this construction firm was running. But it was the only one to spot the attack.
3. Compromised hardware and software
Malicious actors can compromise hardware and software during the manufacturing process, creating vulnerabilities that are passed on down the supply chain or to equipment end-users. Hardware can be tampered with at any stage in the supply chain. As a manufacturer, you might obtain compromised hardware—or malicious actors could interrupt the manufacturing process downstream, tampering with products to install rootkits or other technologies.
But as a manufacturer, you must also protect against threats in your own portion of the supply chain—where internal or external actors could interfere with the products or components you create.
Case study: compromised software
In August 2020, reports emerged that Chinese phone manufacturer Transsion had shipped thousands of mobile devices containing pre-installed malware that signed users up to subscription services without their consent.
The pre-installed malware, known as Triada, automatically downloads and installs a trojan called “xHelper” that cannot be easily removed by users. The program covertly submits requests for subscription products at the user’s expense.Transsion blamed a malicious actor in its supply chain for installing Triada on its devices—but the culprit has yet to be discovered.
Defending against software compromise
One step towards to avoiding any type of malicious actor in your supply chain is conducting thorough due diligence. Identify and document all supply chain partners—as mentioned, you could be accountable for their malicious or negligent activity.
Integrating cybersecurity measures into your quality assurance regime may also be a way to prevent upstream malicious actors from tampering with firmware before your manufacturing process takes place.
And as we’ve seen, it’s crucial to protect your own systems from cyberattacks—which means ensuring the security of key communications channels like email.
4. Downstream software or hardware security vulnerabilities
It’s vital to protect data against access by other parties in your supply chain. But even if you could trust your supply chain partners not to steal your data, you must also ensure that they don’t make it accessible to unauthorized third parties.
No matter how much work you put into protecting your own systems from unauthorized access, your efforts could be rendered futile due to software or hardware vulnerabilities among other parties downstream.
5. Legal non-compliance
In addition to maintaining poor cybersecurity practices that directly impact your own organization’s security, third parties in the supply chain may follow poor information security practices for which you could be liable.
Case study: third-party legal non-compliance
In 2019 a U.K. pharmaceuticals company was fined after a third-party contractor left documents containing personal information publicly accessible in unsecured containers.
Under the GDPR, “data controllers” are responsible for many of the actions of their service providers. As such, the pharmaceuticals company was deemed liable for the error. The firm received a fine and engaged in a drawn-out legal battle with the U.K.’s data regulator.
Mitigating poor security practices among third parties
Research is crucial to ensure you’re working with reputable third parties that will undertake compliant and responsible data protection practices. Contracts stipulating particular security measures are also important. Such agreements can also contain contractual clauses that serve to indemnify your company against legal violations by the other party.
Under some data protection laws, including the GDPR and the upcoming Colorado Privacy Act, service providers processing personal information on another company’s behalf are required to submit to audits and inspections. Routinely inspecting the data security practices of your vendors and other service providers is an excellent way to ensure they are meeting their compliance obligations on your behalf.
How to prevent manufacturing supply chain risks
In general, manufacturers can manage cyber risks in supply chains via a robust and comprehensive cybersecurity program. Here are some key cybersecurity principles for supply chain management from the National Institute for Standards and Technology (NIST):
- Assume your systems will be breached. This means considering not only how to defend against breaches, but determining how you will mitigate breaches once they have occurred.
- Think beyond technology. Cybersecurity is also about people, processes, and knowledge.
- Cybersecurity also means physical security. Threat actors can use physical security vulnerabilities to launch cyberattacks.
Implementing a cybersecurity framework is key to defending against supply chain threats. Manufacturers of any size can work towards cybersecurity framework compliance, implementing controls according to their resources and priorities.
The NIST Cybersecurity Framework Version Manufacturing Profile: NISTIR 8183 Revision 1 is an excellent starting point for manufacturers. For more information about the NIST framework, read our article on NIST and email security.
More specifically, manufacturers should be taking the following steps to protect their data and systems in supply chains:
- Identify and document all supply chain members
- Conduct careful due diligence on parties in the supply chain
- Require supply chain partners to contractually agree to maintain good cybersecurity and data protection practices
- Ensure inbound communications (particularly via email) are scanned for signs of phishing and other social engineering attacks
- Scan outbound communications to prevent data loss
- Ensure all employees are aware of the risks and their responsibilities
Email is a key supply chain vulnerability
Of all the risks inherent to working in a supply chain, cyberattacks are perhaps the most critical in the current climate.
As ENISA notes, most supply chain attacks use malware to target company data. We also know that 96% of phishing attacks—which are the primary means of infecting business networks with malware—take place via email. The bottom line: email security is a crucial step for manufacturers to defend against supply chain cyber risks.