Threat Landscape for Supply Chain Attacks, 2021 ENISA report

The report Threat Landscape for Supply Chain Attacks by the European Union Agency for Cybersecurity (ENISA) maps out the main supply chain attacks between January 2020 and July 2021. The study examines 24 recent examples of supply chain attacks to illustrate cybersecurity vulnerability.

The term 'supply chain' is used to denote the ecosystem of processes, people, organisations and distributors, involved in the different stages of product development. Supply chain attacks are cyber-attacks that seeks to damage an organisation by targeting less-secure elements in the supply chain.

The evolution of supply chain attacks

Supply chain attacks are not a new security concern; however the international community has been plagued by much more organised and sophisticated attacks since early 2020. This adverse trend, noted in 2020 is expected to continue throughout 2021 posing an event larger impact on organisations. In fact, ENISA estimates that there will be 4 times more supply chain attacks in 2021, compared to the year before. The better protected against cyber-attacks organisations become, the more the attention shifts to suppliers, who are fast becoming the weakest link on the chain. This is particularly the case for cloud service providers and managed service providers, where recent attacks highlight the increased need for cybersecurity controls in these sectors. The report looks at different incidents to offer recommendations for new methods and cybersecurity approaches that incorporate suppliers in managing cybersecurity risks in the supply chain.

Types of supply chain attacks

A supply chain attack can happen in any industry - from the financial sector, oil industry, to a government sector. Particularly in software, supply chain attacks undermine trust in the software ecosystem. Supply chain attacks can be complex, require careful planning and often take months or years to execute. The figure below shows the main attack techniques that can have consequences for all organisations within a supply chain.

Attack techniques used to compromise a supply chain. Source: ENISA, 2021.

Around 58% of the supply chain attacks aimed at gaining access to data (predominantly customer data, including personal data and intellectual property) and around 16% at gaining access to people. In 62% of the cases, malware was the attack technique employed.

The full conclusions and highlights of the report are available on ENISA's website in PDF format.

© European Union Agency for Cybersecurity (ENISA), 2021

Skills intelligence publication details

Website link

Threat Landscape for Supply Chain Attacks 2021 report

Target audience

Digital skills for ICT professionals and other digital experts.

Digital technology / specialisation

Cybersecurity

Digital skill level

Advanced

Digital Expert

Geographic scope - Country

Austria

Belgium

Bulgaria

Cyprus

Industry - field of education and training

Software and applications development and analysis

Geographical sphere

EU institutional initiative

Publication type

Report

Threat Landscape for Supply Chain Attacks, ENISA (2021)

The evolution of supply chain attacks

Types of supply chain attacks

Skills intelligence publication details

Tags

Threat Landscape for Supply Chain Attacks, ENISA (2021)

The evolution of supply chain attacks

Types of supply chain attacks

Skills intelligence publication details

Related Content

ICT Skills Demand and Supply Monitor Report (2021)

State of Cybersecurity (2021)

Monitoring Ireland’s Skills Supply 2021

EUROPOL Internet Organised Crime Threat Assessment (IOCTA) 2021

Tags