Supply Chains are an Easy Target for Cybercriminals

The supply chain crisis is a reminder that the systems that power the global economy are frighteningly fragile. When COVID-19 hit, it interrupted logistics networks across the planet and caused shortages so severe that it prompted The New York Times to hyperbolically claim the world “ran out of everything” in 2021. We have seen the effects a microprocessor drought has had on manufacturing. Let’s hope we don’t have to deal with a breakdown in food supply chains.

The pandemic was a black swan event—an unexpected disaster. By comparison, cyberattacks are predictable because everyone working in the security industry knows there is always another incident looming on the horizon. After all, just one employee engaging with a single phishing email can spark a major incident. Attacks on supply chains could have devastating economic and social effects. So, these critical systems are protected by the very toughest defenses, right? Well, unfortunately, they are not. In fact, supply chains and other parts of national critical infrastructure are often easy targets and can be breached using the most basic hacking techniques like phishing. Unless something changes across the sector, a major incident with serious real-world consequences is almost inevitable.

Critical National Vulnerabilities

Supply chains in manufacturing and critical infrastructure are attractive to attackers because they are high-value targets that are vulnerable and often under-protected. Threat actors know that attacks on the supply chain can knock out vital parts of our national infrastructure, which means victims may be more likely to pay up to end a ransomware attack, for example. No oil company wants to see a repeat of the Colonial Pipeline incident.

Breaches cause reputational and financial damage to the victim. Attacks on supply chains have wider macroeconomic effects and could even pull down the columns that hold up our civilization and send the roof tumbling inwards. When a simple phishing email is enough to earn a payday of millions or even tens of millions of dollars, it is no surprise that threat actors would seek to target the supply chain. And when the stakes are so high, it is little wonder that many organizations will simply pay a ransom rather than risk the consequences if they don’t.

Undersupplied Infrastructure

The first problem in supply chain security is the lack of investment. Sectors such as banking or insurance typically pour vast sums of money into cybersecurity compliance. In comparison, manufacturing firms lack the same regulatory incentives for cybersecurity and have slimmer profit margins. As a result, they tend to have smaller budgets available to deploy sophisticated defense systems, making them much more vulnerable. Many supply chain organizations are also still reliant on legacy technology that does not integrate with the latest defense systems and cannot be patched with new security updates. In response to the pandemic, many companies are undergoing rapid digital transformation, but this has made a bad situation worse as technology is adopted without proper security controls and training in place. The combination of legacy technology and accelerated digital transformation is a perfect storm, offering attackers an abundance of weaknesses to target.

Critical infrastructure supply chains are heavily focused on people. The human element is involved in 85% of breaches, according to Verizon’s 2021 Data Breach Investigations Report. In an era of social media oversharing, it is easy for criminals to gather enough open source intelligence to enable social engineering campaigns based on techniques like CEO fraud. Phishing, an old and trusted technique, continues to be a major threat to all industries, and the supply chain is no different.

New Threats, Old Tactics

Phishing is often the first stage in an attack campaign. Traditionally, attackers would use malicious emails to harvest financial information, steal passwords or obtain valuable personally identifiable information (PII). Today, a phishing attack can be a staging post that provides an entry point to enable threat actors to extend their attack. Once adversaries have made an initial intrusion, they may seek opportunities to move laterally, access sensitive data, launch business email compromise attacks or spread a ransomware infection.

While it’s an older technique, phishing is still a perfectly effective tactic used today. Remote workers are often more vulnerable to scams because they are isolated and more likely to interact with a dangerous email. Modern workforces rely on services like Office 365 and the native security features provided by Microsoft, but it takes multiple layers of security to sufficiently secure the email attack vector. This means organizations are facing an increased risk of phishing, as well as the added danger of account takeover attacks in which adversaries hijack legitimate email accounts and use them to seek and target more victims—both within the affected organization and also its vendors.

How to Beat The Phishers

There is one advantage to cybercriminals’ reliance on phishing: We know how to combat it. The first step is basic cybersecurity hygiene. Deploy an email filter and enable multi-factor authentication (MFA). Every team member should be trained to recognize a phishing email and given a basic level of cybersecurity knowledge through security awareness training (SAT) and education. However, humans are fallible so you must plan for failure, and email threats like business email compromise are known to evade email filters.

Increasing the effectiveness of an organization’s defenses against phishing and business email compromise requires continuously scanning email inboxes for threats and implementing an automated incident response when latent threats are discovered. Advances in machine learning and behavioral analytics make this practical, especially for cloud email environments. Provide users with tools to scan suspicious emails so they can play a more active role in securing the enterprise. This will help reduce or eliminate the flood of low-quality alerts that security analysts have to investigate.

It is crucial to stop attackers from moving within a company’s network or accessing other targets along the supply chain. Supply chains are too important to be left vulnerable to attack. But just as they can be targeted using simple techniques, they can be protected by embedding good security practices across the industry. We have seen what happens when an oil pipeline is attacked. Let’s not wait to learn what happens when an even more important or sensitive part of the critical national infrastructure is brought to its knees. The time to prepare is now.


Magni Sigurdsson

Magni Sigurdsson is the Senior Manager of Detection Technologies at Cyren (NASDAQ:CYRN), an established provider of advanced threat detection and threat intelligence solutions for enterprise, service providers, and cybersecurity solutions vendors. In this role, Magni leads the development and evolution of Cyren’s threat detection frameworks to quickly and accurately identify phishing, business email compromise, malware, and spam. Prior to Cyren, Magni was a malware analyst at FRISK Software, producer of one of the first anti-virus engines, which was acquired by Cyren in 2012. He earned a B.S. in Computer Science from the University of Reykjavik.
