When it comes to supply chain hacks, it is not a matter of if, but of when your organization will be hit. Attacks on critical infrastructure and systems are on the rise, and with attackers gaining skill and, in some cases, being paid out through ransomware, the trajectory of supply chain hacking is only headed upwards.
What is the Definition of a Supply Chain Hack?

A supply chain hack is an attack on infrastructure that comes in through the supply chain: a bad actor infiltrates a vulnerable system by way of an outside vendor or provider that has access to the target's systems and networks. In other words, the attacker compromises a third-party vendor's access point and then uses it to get in and wreak havoc on critical infrastructure. The SolarWinds hack in 2020 was a prime example of supply chain vulnerability: hackers got inside the development operations of SolarWinds and managed to insert malware into a software update that the company distributed in March. SolarWinds is a third-party vendor to a variety of government organizations, so the malware disrupted the Treasury Department, the Pentagon, the Commerce Department, and more. According to a 2019 Ponemon Institute report, 90% of the companies that help provide critical national infrastructure had at least one cyberattack between 2017 and 2019. Recent supply chain hacks have resulted, and could again result, in gas shortages, higher meat prices, exposed sensitive information, and endless other worst-case scenarios. The term "critical access" is often used when speaking about these systems because the supply chain, and the information within it, is nothing short of critical.
Why are Supply Chains so Vulnerable to Hacking?

1. Supply chains and infrastructure organizations contain a vast number of third-party connections. Look back at the SolarWinds supply chain hack. That software was connected to at least three major government components, and the company stated that 18,000 customers downloaded the affected version of the software. That means there were 18,000-plus points of entry for a potential bad actor. It can be difficult to keep track of third-party suppliers, and according to the 2020 Ponemon report, too few organizations are doing so diligently. The supply chain attack statistics show:
- 49% of respondents say their organization does not assess the security and privacy practices of all third parties before granting them access to sensitive information.
- 53% of industrial and manufacturing respondents say their organizations do not have a comprehensive inventory of all third parties with access to their network.
- 74% of respondents who’ve experienced a hack said it was the result of giving too much privilege to third parties.
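As an added example (not code from the article or from Ponemon), here is a small Python audit that turns those three findings into checks over a constructed third-party access register: vendors given sensitive access without an assessment, vendors on the network that are missing from the inventory, and vendors holding more privilege than their contract needs. The vendor names and privilege labels are hypothetical.

```python
"""Third-party access audit (added example, not from the article).

Checks a third-party access register for the three gaps the survey
figures describe: sensitive access granted without a security/privacy
assessment, network access by a vendor absent from the inventory, and
privileges granted beyond what the vendor actually needs.
All records below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorAccess:
    name: str
    assessed: bool            # security/privacy review done before access?
    in_inventory: bool        # listed in the third-party register?
    needed: frozenset         # privileges the contract actually requires
    granted: frozenset        # privileges actually provisioned
    sensitive: bool = False   # touches sensitive data or critical systems?


def audit(vendors):
    """Return (vendor name, finding) tuples for every gap detected."""
    findings = []
    for v in vendors:
        if v.sensitive and not v.assessed:
            findings.append((v.name, "sensitive access granted without assessment"))
        if not v.in_inventory:
            findings.append((v.name, "network access but absent from inventory"))
        extra = v.granted - v.needed          # least-privilege check
        if extra:
            findings.append((v.name, "over-privileged: " + ", ".join(sorted(extra))))
    return findings


# Constructed sample register with hypothetical vendor names.
SAMPLE = [
    VendorAccess("hvac-maint", True, True,
                 frozenset({"bms-read"}), frozenset({"bms-read"})),
    VendorAccess("monitoring-saas", False, True,
                 frozenset({"netflow-read"}),
                 frozenset({"netflow-read", "domain-admin"}), sensitive=True),
    VendorAccess("payroll-api", True, False,
                 frozenset({"hr-db-read"}), frozenset({"hr-db-read"}), sensitive=True),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```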