Presentation and Podcast: The Underestimated Risk of Cyber Supply Chain Attacks

Presentation:

The Brandenburg Institute for Society and Security in Potsdam, Germany regularly organises so-called PizzaSeminars, which offer participants the opportunity to discuss an interesting presentation on a current issue while enjoying a slice of pizza. Esther Kern and Alexander Szanto used the first in-person seminar of the year to present their research from the Cyberfactory#1 project: Cyberattacks on supply chains and their financial impact. The PizzaSeminar took place on the 19th of August 2021 in Berlin.

Click here to access the slides (in German).

Podcast:

The discussion from the presentation has been turned into a podcast, moderated by Dr. Tim Stuchtey, so that it is available to those who were unable to attend the PizzaSeminar. The episode is part of the series “Sicher das? – Der BIGS-Podcast zur Sicherheitsforschung” published by the Brandenburg Institute for Society and Security.

Click here to access the podcast (in German).

Topic:

Although serious security gaps remain, many companies now perceive IT and cyber security as part of their risk management. However, the quality of the technical and organizational measures and the available budget vary considerably. This is partly due to a lack of awareness of certain security issues at the decision-making levels and to how the cost-benefit calculation is assessed. IT and cyber security are often not noticed in everyday work, and if they are, then only as an additional workload. What companies do perceive, however, is the damage that occurs when their own company is affected.

Dealing with supply chain attacks is not a new issue, but one that is still often underestimated. Supply chain attacks are often not taken into account in risk assessments, so the opportunity to identify dependencies, build up suitable redundancies, and better protect supplier interfaces and address supplier vulnerabilities is missed.

In cyber supply chain attacks, attackers exploit vulnerabilities in supply chains for their malicious purposes. On December 13, 2020, FireEye reported the discovery of a widespread supply chain attack in which updates to SolarWinds’ Orion business software were trojanized to spread malware. Orion is an IT monitoring and management software used by the vast majority of Fortune 500 companies, as well as many government agencies. Affected entities include government agencies as well as organizations in the consulting, technology, telecommunications, healthcare, and oil and gas industries on four continents. According to SolarWinds, the vulnerability is likely the result of a sophisticated, targeted and manual supply chain attack by an unknown nation-state.

In its 2019 Internet Security Threat Report, Symantec reported a 78% increase in supply chain attacks in 2018, with the top 20 observed groups being particularly active. Well-known groups such as Dragonfly have been using targeted suppliers as a way into specific companies since 2011, with the targets in this case primarily located in the energy sector.

Against this background, BIGS, in cooperation with VTT Finland, has taken a closer look at the ecosystem of supply chains and considered the financial impact of attacks on them.