
Threat Landscape for Supply Chain Attacks, ENISA (2021)

The report of the European Union Agency for Cybersecurity (ENISA) maps the main supply chain attacks between January 2020 and July 2021. The study explores 24 recent examples of supply chain attacks to illustrate cybersecurity vulnerabilities.

The term ‘supply chain’ refers to the ecosystem of processes, people, organisations and distributors involved in the various stages of product development. Supply chain attacks are cyber-attacks that seek to harm an organisation by targeting less secure elements in its supply chain.

Evolution of supply chain attacks 

Supply chain attacks are not a new security issue; however, since the beginning of 2020, the international community has seen much more organised and sophisticated attacks. The negative trend observed in 2020 is expected to continue throughout 2021, with a greater impact on organisations. In fact, ENISA estimates that there will be a fourfold increase in supply chain attacks in 2021 compared to the previous year. The better organisations are protected against cyber-attacks, the more attention shifts to their suppliers, which quickly become the weakest link in the chain. This is particularly true for cloud service providers and managed service providers, where recent attacks point to an increased need for cybersecurity controls in these sectors. The report addresses various incidents and offers recommendations for new cybersecurity methods and approaches that involve suppliers in the management of cybersecurity risks in the supply chain.

Types of attacks in the supply chain 

A supply chain attack can occur in any sector, from the financial sector and the oil industry to the government sector. In the area of software in particular, supply chain attacks undermine trust in the software ecosystem. Such attacks can be complex, require careful planning and often take several months or years to carry out. The figure below illustrates the main attack techniques that may have consequences for all organisations in the supply chain.

Figure: Attack techniques used to compromise the supply chain. Source: ENISA, 2021.

Around 58 % of supply chain attacks were aimed at gaining access to data (mainly customer data, including personal data and intellectual property) and around 16 % at gaining access to people. In 62 % of cases, the method used was malware.

The full conclusions and main points of the report are available on ENISA’s website in PDF format. 

© European Union Agency for Cybersecurity (ENISA), 2021

Disclaimer: The text has been automatically translated from the European platform Digital Skills and Jobs. If you have found errors in the text, please contact digikoalice@npi.cz