Are you the middle man or the target?

Posted by Gemma Sirett on December 3, 2019

Cyber criminals will always opt for the path of least resistance – targeting the weakest link in a supply chain gives them an easy route in to much bigger prey. Relying on hardware, software, and services from third parties makes manufacturers particularly susceptible to supply chain compromise.

Manufacturers of all sizes are attractive targets for cyber attackers. Small manufacturers lower down the supply chain may not have the resource to fully protect their systems, giving adversaries an easy foothold to gain access to bigger fish further up the chain. Conversely, large global manufacturers may be the target at the top of the supply chain, and can be compromised by a weak link further down, allowing attackers to steal valuable data and intellectual property, disrupt operations, and damage the manufacturer’s reputation. Your supply chain is only as strong as its weakest link.

56% of organisations have experienced a breach that was caused by one of their vendors[1]

The software threat

Once manual and labour-intensive, the manufacturing sector is becoming increasingly reliant on technology and automation, and must adapt to keep pace with the risks this poses. William Evanina, of the US NCSC, notes that “software supply chain infiltration is one of the key threats that corporations need to pay attention to, particularly how software vulnerabilities are exploited”[2].

Large, global manufacturers are all too aware of the ramifications of a data breach, so system defences are much more robust than they were a decade ago. Traditional attempts to compromise a system are therefore more likely to be identified and stopped, so cyber criminals are turning to software providers in the supply chain to give them a back door. Adversaries exploit vulnerabilities in the software to gain a foothold – when the seemingly innocuous software is rolled out at the manufacturer, the malicious elements are rolled out with it. Manufacturers are unwittingly affording attackers free rein throughout their network. Evanina summarises that “the impacts to proprietary data, trade secrets, and national security are profound”.

In September, InfoSecurity Magazine reported that state-sponsored attackers had targeted the VPNs that connected suppliers (such as Rolls Royce and Expleo) to Airbus. The aviation giant had already reported unauthorised access to data from a breach back in January, but was unaware at that point that the scope of the attack was much bigger, and that their IP was at stake. “The hackers were after technical documentation regarding the certification process for parts of Airbus aircraft, while other stolen docs indicated interest in the A400M military transport plane, and the A350 propulsion and avionics systems”[3].

Yet manufacturers themselves are not always the end goal. Breaching their systems simply provides a gateway to gain access to their big name customers’ trade secrets. And they’re vulnerable – the continuation of production is often prioritised over keeping systems up-to-date, so manufacturers leave themselves open to disruptive ransomware attacks by exploitable weaknesses in unpatched software.

Working from the bottom up

The manufacturing supply chain isn’t all big engines and multi-million pound contracts. Without small manufacturers providing key products and services, such as microchips, software, and – quite literally – the nuts and bolts of the operation, the supply chain would collapse. These critical links may naively believe they are too small and unimportant to be a target for cyber attacks, but the reality is quite the opposite. Small manufacturers rarely have the resource and cyber skills in-house to adequately secure and protect their systems, making them an easy target for cyber attackers looking to weave their way in. Operations, IP, and customer details are all at risk – a low effort, high reward payday for adversaries.

Moving money

Supply chains are effectively long links of transactions, handling business, products, and finances. Financially-motivated groups will target anywhere large sums of money are changing hands – for manufacturers, this means big contracts and the large transactions that support them. Cyber criminals observe the supply chain at work, to identify when and how money moves, so they can tailor their attack accordingly to maximise their chances of success. A convincing spoofed email requesting payment details, sent precisely when a deal is due to be closed, has more chance of succeeding than an opportunistic phishing attack.

What can be done?

Manufacturers must balance their reliance on the supply chain against protecting their IP, operations, and reputation. The MoD has a keen eye focused on defence supply chain security, so it’s imperative that manufacturers are able to demonstrate they are not the weak link, and that they are taking steps to safeguard their information and systems against compromise from third parties.

Download our free articleFive boring but really important security mistakes you need to stop making

Cyber security can be dull, but ignoring it won't make the problem go away. Turning a blind eye to your cyber defences leaves your business vulnerable to state-sponsored and ransomware attacks.

Download our free PDF guide to find out the top five critical security mistakes your manufacturing business is making, and what preventative measures can be put in place to solve them.

Download now

Find out more about how CORVID can benefit the manufacturing sector.

Footnotes
  1. CSO Online
  2. BBC News
  3. InfoSecurity Magazine

More CORVID blog posts

Three ways your website is making it easy for attackers

Cyber attackers are quietly appreciative of businesses across all sectors for making their job easier. With all the information they need to craft their attack laid out neatly in ...

Rockin' around the cyber security contract

Aside from the usual “strict diet and fitness regime starts on 1 January” resolution that everyone makes and forgets by February, now is the perfect time to take stock of your ...

It's nothing personal; cyber criminals just want your money

Disruptive ransomware attacks on manufacturing businesses regularly make headlines. You’ve seen the stories – multinational manufacturing companies are locked out of their IT systems, ...

Most popular posts

1. Law firms and cyber crime; the growing threat to the UK legal sector

2. Why cyber criminals target the manufacturing industry

3. Want an easy way to save yourself £35k? Delete emails from your CEO

4. How to effectively manage, detect and respond to a data breach

5. Four questions you need to answer after a cyber attack

View all blog posts

CORVID - Intelligent Cyber Defence

+44(0)1242 651251 | Arle Court, Hatherley Lane, Cheltenham, GL51 6PN

We’re an experienced team of cyber security experts, developers and analysts based in Cheltenham, UK, who are passionate about delivering innovative, robust and extensive cyber defence solutions and services to help protect businesses against cyber threats.

Get in touch

Copyright © 2020 CORVID | Privacy Policy | Cookie Policy
Visit the CORVID LinkedIn pageVisit the CORVID Twitter pageView the CORVID YouTube channel