Threat Landscape for Supply Chain Attacks, ENISA (2021)
The report Threat Landscape for Supply Chain Attacks by the European Union Agency for Cybersecurity (ENISA) maps out the main supply chain attacks between January 2020 and July 2021. The study examines 24 recent examples of supply chain attacks to illustrate cybersecurity vulnerability.
The term 'supply chain' is used to denote the ecosystem of processes, people, organisations and distributors involved in the different stages of product development. Supply chain attacks are cyber-attacks that seek to damage an organisation by targeting less-secure elements in its supply chain.
The evolution of supply chain attacks
Supply chain attacks are not a new security concern; however, the international community has been plagued by much more organised and sophisticated attacks since early 2020. This adverse trend, noted in 2020, is expected to continue throughout 2021, with an even larger impact on organisations. In fact, ENISA estimates that there will be 4 times more supply chain attacks in 2021 compared to the year before. As organisations become better protected against cyber-attacks, attention shifts to their suppliers, who are fast becoming the weakest link in the chain. This is particularly the case for cloud service providers and managed service providers, where recent attacks highlight the increased need for cybersecurity controls in these sectors. The report looks at different incidents to offer recommendations for new methods and cybersecurity approaches that incorporate suppliers in managing cybersecurity risks in the supply chain.
Types of supply chain attacks
A supply chain attack can happen in any industry - from the financial sector and the oil industry to government. In software in particular, supply chain attacks undermine trust in the software ecosystem. Supply chain attacks can be complex, require careful planning and often take months or years to execute. The figure below shows the main attack techniques that can have consequences for all organisations within a supply chain.
Around 58% of the supply chain attacks aimed at gaining access to data (predominantly customer data, including personal data and intellectual property) and around 16% at gaining access to people. In 62% of the cases, malware was the attack technique employed.
The full conclusions and highlights of the report are available on ENISA's website in PDF format.
© European Union Agency for Cybersecurity (ENISA), 2021