Jennifer Bisceglie, CEO and founder of cyber firm Interos, writes of how protecting the supply chain is now integral to cyber security.
This year has seen a rolling crisis of major supply chain cyber attacks – the most far-reaching being July’s Kaseya ransomware attack. In the hack, the Russia-based cybercriminal syndicate REvil infiltrated Kaseya VSA, an endpoint protection software solution used by large managed service providers (MSPs). Through this extensive software supply chain, the attackers were able to widely infiltrate roughly 50 of Kaseya’s direct customers, as well as 800-1,500 SMEs further down in their networks.
This recent spate of supply chain cyberattacks comes at a time of immense disruption in the global supply chain. Indeed, factors such as COVID, the Suez Canal blockage, international trade disputes and Brexit are all straining an increasingly overwhelmed system. Disruptions to the global supply chain – be it through cyberattacks or geopolitical event – originate from a wide range of causes, but should be examined holistically. This is because they serve as a blueprint for hostile actors – such as cybercriminals and opponent nation states – to learn how the international supply chain can be disrupted for political or monetary gain.
Supply chain disruption as a learning opportunity
Whatever the disruption, adversaries can learn from its unique set of circumstances the effectiveness of various techniques, viability of targets, and suitability of global conditions to ignite supply chain chaos. This goes beyond threat actors identifying the most effective avenue of a specific attack, but gaining perspective into government organisation and business ecosystems so that they can wreak the most damage.
One important lesson for both sides has been that the scope of the battlefield is huge. The previously accepted idea of the enterprise as a collection of endpoints that need protecting is dated in today’s world of macro-networks. Indeed, the sweeping nature of supply chain shocks underline the interconnectivity of the modern enterprise and its network.
This being the case, traditional defensive measures no longer hold the same relevancy in protecting the modern enterprise, and instead, organisations must study the wider dimension of supply chain security across enterprise networks to transportation and logistics tools, to environment and labour fragility. The core principle of enterprise security should now be in understanding the relationship between these varying elements. For example, beyond the immediate effects of the ransomware attack itself, the Kaseya attack led to 800 shuttered supermarket locations and disrupted Swedish rail services, and the disruption of operations in the country’s pharmacies. Enterprises must anticipate the knock-on-effects of cyberattacks and evaluate the concentration of risk if so many critical systems in a single country are reliant on one source of digital infrastructure.
Kaseya and the other recent supply chain cyberattacks are redefining how targets are selected by threat actors. It used to be that attackers would strike a single target and yield a one-time payment from the victim. Now threat actors are taking advantage of the supply chain to probe though vulnerabilities in large, interconnected digital infrastructure. When a weak point is found and exploited, the attackers can target numerous companies, and collect untraceable ransoms through cryptocurrency payments on a continuing basis.
The problem of nested networks
The cybersecurity dynamic is made worse by the complexity of supply chain networks. Many of today’s enterprises exist as a part of networks within networks.
When subtle connections and dependencies are understood, the impact of disruption resulting from a cyberattack can be limited and resources can be strategically relocated to reduce impact to organisations and wider society. In the worst-case supply chain attack, small disruptions become sweeping as damage fans out across the supply chain. Those contending with this threat must have a full picture of this potential web to know where and how damage can be limited.
Kaseya as a microcosm
The Kaseya attack was a textbook example of how cyberattacks can fan out across the supply chain. MSPs offer tools such as Kaseya VSA to multiple large enterprises allowing them to easily deploy software across complex IT environments. While this is convenient, software that is shared across enterprises is what allows IT supply chain attacks to be targeted across vast multi-organisational networks. This is the nature of supply chain vulnerabilities in a globalised world – the greater the connectivity between organisations, the worse the fallout from a supply chain disruption event.
The complexity of global supply chains and the cyber threats they face is not an issue that has an easy fix – and with increasing digitalisation, this problem is only going to become more complex. Countries opposed to UK and US interests will continue to probe our supply chains in the hopes of creating mayhem or stealing information. In the face of this issue, security leaders, C-suite leadership, and governments need to stop looking at the problem in isolation and begin considering the broader context. To gain this vision into the supply chain, organisations must implement comprehensive, multi-tier, multi-factor, continuous risk monitoring across the supply chain if they are to understand where they are most vulnerable and where defensive resources are best allocated.
