
Supply chain attacks threat landscape, ENISA (2021)

The report of the European Union Agency for Cybersecurity (ENISA) maps the main attacks in the supply chain between January 2020 and July 2021. The study examines 24 recent examples of supply chain attacks to illustrate cybersecurity vulnerabilities.

The term “supply chain” refers to the ecosystem of processes, persons, organisations and distributors involved in the different stages of product development. Supply chain attacks are cyber-attacks that seek to affect an organisation by targeting less secure elements of the supply chain.

Evolution of supply chain attacks

Attacks on the supply chain are not a new security issue; however, since the beginning of 2020 the international community has seen markedly more organised and sophisticated attacks. This negative trend observed in 2020 is expected to continue throughout 2021, with a greater impact on organisations. In fact, ENISA estimates that in 2021 the number of supply chain attacks will increase fourfold compared to the previous year. The better organisations are protected against cyber-attacks, the more attention shifts to their suppliers, who quickly become the weakest link in the chain. This is particularly the case for cloud and managed service providers, where recent attacks point to an increased need for cybersecurity controls in these sectors. The report addresses various incidents and provides recommendations for new cybersecurity methods and approaches that involve suppliers in managing cybersecurity risks in the supply chain.

Types of attacks in the supply chain

An attack on the supply chain can take place in any sector, from finance and the oil industry to government. In the field of software in particular, supply chain attacks undermine trust in the software ecosystem. Supply chain attacks can be complex, require careful planning and often take several months or years to carry out. The figure below shows the main attack techniques, which can have consequences for every organisation in the supply chain.

Attack techniques used to threaten the supply chain. Source: ENISA, 2021.

Around 58 % of the attacks in the supply chain focused on obtaining access to data (mainly customer data, including personal data and intellectual property) and around 16 % on obtaining access to individuals. Malware was used in 62 % of cases.

The full conclusions and main points of the report are available on ENISA’s website in PDF format.

© European Union Agency for Cybersecurity (ENISA), 2021