Supply Chain Cyber Security


Supply chain cyber security refers to the protection of digital assets, data, and systems within the supply chain network from cyber threats. This includes manufacturers, suppliers, distributors, and other entities involved in the production and distribution of goods and services.

With the increasing interconnectedness and digitization of supply chains, cyber security has become a critical concern for businesses worldwide. These advancements have made supply chains more interconnected and interdependent: organizations share data with their suppliers and rely on third-party equipment and services to improve productivity. As a result, organizations are now more vulnerable to supply chain cyber security threats, as each supplier acts as an entry point, directly or indirectly.

A report by BlueVoyant found that a concerning 93% of organizations feel the direct impact of a supplier’s security weaknesses. And while there is general awareness of supply chain cyber threats, few are aware of those related to hardware-based attacks.

Managing Cyber Risk Across the Extended Vendor Ecosystem, BlueVoyant, 2021

Supply chains allow bad actors to launch widespread attacks from a single point, with the SolarWinds and Kaseya attacks being two well-known examples. Supply chain interconnectedness is so sensitive that 97% of organizations have been negatively affected by a cyber security incident occurring in the supply chain, according to BlueVoyant.

When it comes to hardware attacks, the ability to amass multiple victims from one point of execution is highly appealing. Hardware-based attacks require physical access, meaning that, to have multiple victims, the perpetrator must physically enter each entity. This is very inefficient, challenging, and time-consuming for opportunistic cybercriminals who want maximum reward for minimum effort. The supply chain offers a solution to this predicament by enabling “spray and pray” attacks. Compromising just one supplier with a Rogue Device gives the perpetrator multiple victims.

However, not all hardware-based attackers exploiting supply chain cyber security threats are opportunistic. Many have a specific target in mind. Often, in such instances, the target is of high value (such as critical infrastructure providers), meaning they are extremely well protected and, thus, difficult to physically breach. Suppliers, on the other hand, may not implement such stringent security measures, leaving them more exposed. The perpetrator, who is usually a state-sponsored actor with advanced resources, will conduct thorough reconnaissance activities to determine the supply chain weak links and, subsequently, gain physical access to one (or more) of the less secure suppliers. From here, the bad actor implants a Rogue Device which executes an attack that, thanks to interconnectedness, impacts the intended target.

How Supply Chains Act as a Pathway for Organizational Threats

Suppliers are not always victims of a hardware-based attack themselves. They might act as a pathway for an attack tool to enter a target organization.

Let’s use an example. Assume that a police precinct wants to update all keyboards, mice, and security cameras in the building. Following a cost-benefit analysis, they decide to purchase Logitech keyboards and mice and Samsung security cameras. These products are assembled along a production line involving several suppliers, moving from point A to B, B to C, etc. At any such point, one or more of the devices can be manipulated by a hardware-based attacker posing as an employee (or by an actual employee acting with malicious intent), who takes the device(s) off the production line and inserts an attack tool inside (Raspberry Pi Risks – A Friend or Foe?). The Rogue Device, known as a spoofed peripheral, is put back in transit. It eventually reaches the precinct and executes an attack.

The Threats Facing Supply Chain Cyber Security

Exploiting supply chain cyber security threats through hardware-based attacks is highly appealing for malicious actors as Rogue Devices go undetected. Spoofed peripherals impersonate legitimate HIDs, appearing genuine to both humans and security software solutions, such as NAC, EPS, IDS, or IoT Network Security. Just as the former lack x-ray vision, the latter lack Layer 1 visibility – and both are necessary to identify hidden hardware attack tools.

Without Layer 1 visibility, Rogue Devices remain in the entity’s infrastructure, allowing for harmful activity, such as data theft, malware injection, DDoS, MiTM attacks, and more, to take place. Organizations must achieve complete asset visibility to detect any Rogue Devices that may have entered through the supply chain. However, since suppliers are often targets of hardware-based attacks themselves, they, too, must gain Layer 1 visibility to prevent such attacks from exploiting supply chain interconnectedness. 

Sepio Solution

Sepio’s platform provides a panacea to gaps in device visibility to prevent hardware-based attacks from exploiting supply chain cyber security threats. Sepio’s deep visibility capabilities mean no device goes unmanaged. The solution identifies, detects, and handles all IT/OT/IoT devices. Moreover, Sepio’s policy enforcement mechanism and Rogue Device Mitigation capabilities instantly block any unapproved or rogue hardware. In doing so, Sepio enables a Zero Trust Hardware Access approach, which stops attackers at the first line of defense.


March 22nd, 2022