Cybersecurity and the Supply Chain

Supply Chain

You’ve undoubtedly heard the term “supply chain disruption” more times than you can count lately. The past few years have been fraught with disruptions—labor shortages caused by COVID-19, warfare, tropical storms and wildfires, factory fires, railroad transportation disruptions, and the six-day blockage of the Suez Canal. We’ve endured incredible upheavals, and many of these ultimately affect the supply chain, adding a personal and material dimension to even distant tragedies and troubles.

The effects of supply chain disruptions in the production and distribution of material goods are evident to consumers: you can't get what you need, and if you can, it probably costs more than you expected. Less evident to most of us is the cybersecurity supply chain. Just as a single ship lodged in the Suez Canal can rock the entire marketplace, an incident at a single supplier can compromise a network of providers and countless downstream customers. Indeed, the Forbes Technology Council names the supply chain as the most significant risk in cybersecurity today.

The cybersecurity supply chain involves various resources, including hardware and software, cloud and local storage, web applications, online stores, and management software. Suppliers depend on multiple assets to produce goods and services for the customer (i.e., individuals, groups, or organizations); the customer consumes those products and services and owns or controls their own set of valuable assets (i.e., hardware, software, data, money, etc.). As customers, organizations, and individuals adopt more robust security practices, attackers respond by infiltrating a supplier and using the supplier's trusted relationship with its customers as the entry point (ENISA 2021). These attacks are sophisticated and often take months to "succeed."

Data is the most valuable asset of all and is the intended "score" of most cybersecurity supply chain attacks. Customer data, Personally Identifiable Information (PII), and intellectual property are of particular interest to attackers because this information is valuable to its owner and can therefore be stolen, sold, or held for ransom.

The SolarWinds attack, discovered in December 2020, reveals how attackers move through supply chains, often going undetected for months or even years. SolarWinds supplies network management and IT performance-monitoring software to governments, large corporations, and other organizations. The attack specifically targeted their network management system (NMS) product, Orion, which is used by many organizations. The nation-state attackers, tracked as "Nobelium" (also known as APT29 or Cozy Bear) and attributed to Russia's Foreign Intelligence Service (SVR), are believed to have first entered SolarWinds' environment through social engineering, a brute-force attack, or a zero-day vulnerability in a third-party application or device; the initial access vector has not been confirmed publicly (Oladimeji and Kerner 2021). Once inside, they inserted a backdoor known as "Sunburst" into the Orion software build, so that it shipped inside legitimate, digitally signed Orion updates.

Once the attackers were in, they collected information over an extended period. They gained unauthorized access in September 2019 and went undetected for more than a year. By late March 2020, SolarWinds was unknowingly sending out Orion software updates that contained the malicious code. As many as 18,000 SolarWinds customers installed these malicious updates before the compromise was discovered in December 2020; a much smaller set of those customers, including several U.S. federal agencies, were then singled out by the attackers for follow-on intrusion.

Supply chain cybersecurity attacks are frightening because they have far-reaching effects as they work their way through a not-so-transparent network to land in your organization or on your device. WashU’s Information Security Governance, Risk, and Compliance (GRC) team helps protect our organization and community from attacks such as these by working with suppliers and service providers to understand how our data, intellectual property, and patient information move through the supply chain. The team also works with vendors and third-party suppliers to conduct business impact analyses and develop business continuity plans so that if an attack does happen, we’ll know how to respond swiftly.

GRC can’t do this important work without the cooperation of our community. Before you download new software or adopt a new device for your work at WashU, please engage the InfoSec team to ensure it’s safe to use in our environment. As the saying goes, “an ounce of prevention is worth a pound of cure,” and it could mean saving you, the university, and everyone who counts on us the pain of enduring a breach.