Background on supply chain attacks featuring SolarWinds and Colonial Pipeline
What is supply chain risk? What is a supply chain attack?
Over the past few decades, cyber attacks have been a constant reminder of how vulnerable many organizations are through their supply chains. Supply chain attacks exploit weaknesses throughout the interconnected acquisition lifecycle for Information Technology (IT) and Operational Technology (OT) systems and communications, where there is a gap between cybersecurity and Supply Chain Risk Management (SCRM). This gap is exacerbated by the lack of a shared, consistent knowledge platform for the supply chain, which limits insight into risks and prevents communication across key stakeholders.
Why are supply chain attacks difficult to prevent? Why do they keep happening?
Supply chain attacks are growing increasingly difficult to defend against. Organizations are not set up properly to understand, evaluate or act on supply chain risks. In particular, organizations suffer from:
Lack of understanding: Neither the government nor industry fully understands the pedigree or provenance of the systems or components supplied by third-party vendors, and neither has the ability to audit the trust boundary of these components or systems throughout their lifecycle (from design through decommissioning).
Multiple system feeds: Organizations can have hundreds or thousands of third-party vendors with misaligned data feeds that quickly become overwhelming.
Limited transparent monthly reporting: Third-party assessments are often done only at procurement, with no ongoing monitoring or real-time alerts. Without 24/7 supplier risk monitoring, attacks can easily go undetected for months.
No common knowledge base, information silos: Even with the most insightful third-party data feeds, information often remains siloed and is rarely communicated to stakeholders across the organization.
The combined lack of expertise and capabilities makes it difficult for organizations to proactively defend against supply chain attacks. Adversaries continue to exploit these vulnerabilities with increasingly sophisticated attacks like the SolarWinds and Colonial Pipeline breaches.
The impact of the SolarWinds and Colonial Pipeline breaches
The Colonial Pipeline and SolarWinds attacks demonstrate a persistent nation-state or organized-crime threat focused on exploiting cyber weaknesses and vulnerabilities in the software, hardware, and firmware of the components and systems used by key governmental and commercial organizations. These attacks place a financial burden on organizations and threaten national security and national infrastructure.
In June 2020, SolarWinds, an IT monitoring and management solutions company, experienced a sophisticated supply chain attack, delivered through a routine software update, that compromised its software build and code signing infrastructure. The damage to SolarWinds and its thousands of enterprise and U.S. government agency customers is estimated at more than $100 billion.
Colonial Pipeline, a major U.S. gas pipeline that supplies nearly 50% of the fuel for the East Coast, was the target of a ransomware attack in May 2021. The attackers exploited a legacy virtual private network (VPN) system that did not have multifactor authentication and shut down the fuel supply, leading to panic buying, rising gas prices and local fuel shortages across the East Coast. Colonial Pipeline paid $4.4 million in ransom to regain control, but the impact was felt immediately.