Are you the middle man or the target?

Posted by Gemma Sirett on December 3, 2019

Cyber criminals will always opt for the path of least resistance: targeting the weakest link in a supply chain gives them an easy route into much bigger prey. Relying on hardware, software, and services from third parties makes manufacturers particularly susceptible to supply chain compromise.

Manufacturers of all sizes are attractive targets for cyber attackers. Small manufacturers lower down the supply chain may not have the resources to fully protect their systems, giving adversaries an easy foothold from which to reach bigger fish further up the chain. Conversely, large global manufacturers may be the target at the top of the supply chain, and can be compromised through a weak link further down, allowing attackers to steal valuable data and intellectual property, disrupt operations, and damage the manufacturer’s reputation. Your supply chain is only as strong as its weakest link.

56% of organisations have experienced a breach that was caused by one of their vendors[1]

The software threat

Once manual and labour-intensive, the manufacturing sector is becoming increasingly reliant on technology and automation, and must adapt to keep pace with the risks this brings. William Evanina, director of the US National Counterintelligence and Security Center (NCSC), notes that “software supply chain infiltration is one of the key threats that corporations need to pay attention to, particularly how software vulnerabilities are exploited”[2].

Large, global manufacturers are all too aware of the ramifications of a data breach, so their system defences are much more robust than they were a decade ago. Direct attempts to compromise a system are therefore more likely to be identified and stopped, so cyber criminals are turning to the software providers in the supply chain to give them a back door. Adversaries either exploit vulnerabilities in the provider’s software or compromise the provider’s build and update process to plant malicious code in an otherwise legitimate release: when the seemingly innocuous software is rolled out at the manufacturer, the malicious elements are rolled out with it, signed and trusted like everything else from that vendor. Manufacturers are unwittingly affording attackers free rein throughout their network. Evanina summarises that “the impacts to proprietary data, trade secrets, and national security are profound”.
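The minimum gate a manufacturer can put in front of that rollout is an integrity check: record the hashes of a vetted release out of band, then refuse to deploy any download whose files do not match, or which carries files the vetted release never had. The example below is added here to illustrate that check; it is not CORVID’s code nor any vendor’s tooling, and the release file names and contents are constructed stand-ins. It assumes the expected-hash manifest comes from somewhere the download cannot influence (a vendor-signed manifest, or hashes recorded when the package was first approved).

```python
import hashlib
import hmac
from typing import Dict, List

# Added example, not CORVID's code or any vendor's. File names and
# contents are constructed stand-ins for a vendor software release.


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pin_release(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record expected hashes for a release that has been vetted.

    In practice this manifest is produced out of band (vendor-signed, or
    recorded at approval time), never from the download being verified.
    """
    return {name: sha256_hex(data) for name, data in files.items()}


def verify_release(files: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the release may be rolled out."""
    problems: List[str] = []
    for name, expected in manifest.items():
        if name not in files:
            problems.append(f"missing: {name}")
            continue
        actual = sha256_hex(files[name])
        # Constant-time comparison, so timing does not reveal how far the digests agree.
        if not hmac.compare_digest(actual, expected):
            problems.append(f"hash mismatch: {name}")
    # Extra files matter as much as changed ones: a trojanised package often
    # leaves the legitimate binaries untouched and drops a loader beside them.
    for name in files:
        if name not in manifest:
            problems.append(f"unexpected file: {name}")
    return problems


# Constructed vetted release and the manifest recorded for it.
APPROVED_RELEASE = {
    "plc-tool/setup.exe": b"legit installer bytes",
    "plc-tool/core.dll": b"legit library bytes",
}
MANIFEST = pin_release(APPROVED_RELEASE)

# Constructed trojanised download: core.dll modified and a loader added.
TROJANISED_RELEASE = {
    "plc-tool/setup.exe": b"legit installer bytes",
    "plc-tool/core.dll": b"legit library bytes + implant",
    "plc-tool/update-helper.dll": b"attacker loader",
}

if __name__ == "__main__":
    print("approved :", verify_release(APPROVED_RELEASE, MANIFEST))
    print("tampered :", verify_release(TROJANISED_RELEASE, MANIFEST))
```

This catches a release altered between the vendor and the manufacturer (a poisoned mirror, a swapped download, a modified installer on a shared drive). It does not catch the case the paragraph above describes at its worst, where the vendor’s own build was compromised and the malicious release is the one that gets pinned; that needs vendor due diligence and least-privilege deployment of the software, not a stronger hash.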

In September, InfoSecurity Magazine reported that state-sponsored attackers had targeted the VPNs that connected suppliers (such as Rolls Royce and Expleo) to Airbus. The aviation giant had already reported unauthorised access to data from a breach back in January, but was unaware at that point that the scope of the attack was much bigger, and that their IP was at stake. “The hackers were after technical documentation regarding the certification process for parts of Airbus aircraft, while other stolen docs indicated interest in the A400M military transport plane, and the A350 propulsion and avionics systems”[3].

Yet manufacturers themselves are not always the end goal. Breaching their systems simply provides a gateway to their big-name customers’ trade secrets. And they are vulnerable: continuity of production is often prioritised over keeping systems up to date, leaving exploitable weaknesses in unpatched software and opening the door to disruptive ransomware attacks.

Working from the bottom up

The manufacturing supply chain isn’t all big engines and multi-million pound contracts. Without small manufacturers providing key products and services, such as microchips, software, and – quite literally – the nuts and bolts of the operation, the supply chain would collapse. These critical links may naively believe they are too small and unimportant to be a target for cyber attacks, but the reality is quite the opposite. Small manufacturers rarely have the resources and cyber skills in-house to adequately secure and protect their systems, making them an easy target for attackers looking to weave their way in. Operations, IP, and customer details are all at risk: a low-effort, high-reward payday for adversaries.

Moving money

Supply chains are effectively long chains of transactions, handling business, products, and finances. Financially motivated groups will target anywhere large sums of money change hands; for manufacturers, this means big contracts and the large transactions that support them. Cyber criminals observe the supply chain at work to identify when and how money moves, so they can tailor their attack to maximise its chance of success. This is business email compromise: a convincing spoofed email requesting a change to payment details, sent precisely when a deal is due to close, has far more chance of succeeding than an opportunistic phishing attack.
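The signals in such an email are usually visible before anyone pays: the request concerns bank details, the sender domain is a near-copy of a real supplier’s, and the Reply-To points somewhere else. The example below is added here to show those checks run over a message; it is not CORVID’s code, and the supplier domain list and both messages are constructed for illustration. The similarity threshold (0.85) is an assumed value a finance team would tune against its own supplier list.

```python
import difflib
import email
from email import policy
from email.utils import parseaddr
from typing import List, Optional, Set

# Added example, not CORVID's code. Supplier domains, threshold and
# messages are constructed for illustration.

KNOWN_VENDOR_DOMAINS: Set[str] = {"acme-fasteners.co.uk", "northern-castings.com"}

# Phrases that mark a request to change where money is sent (body only).
PAYMENT_TRIGGERS = ("bank details", "account number", "sort code", "iban", "new account")
PAYMENT_FINDING = "requests new payment details"


def domain_of(addr_header: Optional[str]) -> str:
    """Domain part of an address header, or '' if there is none."""
    _, addr = parseaddr(addr_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain: str, known: Set[str], threshold: float = 0.85) -> Optional[str]:
    """Known domain this one most resembles, if close but not identical."""
    best, best_ratio = None, 0.0
    for candidate in known:
        ratio = difflib.SequenceMatcher(None, domain, candidate).ratio()
        if ratio > best_ratio:
            best, best_ratio = candidate, ratio
    if best and best != domain and best_ratio >= threshold:
        return best
    return None


def assess_payment_request(raw: bytes) -> List[str]:
    """Return the signals found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().lower() if part is not None else ""

    if any(trigger in body for trigger in PAYMENT_TRIGGERS):
        findings.append(PAYMENT_FINDING)
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if from_dom not in KNOWN_VENDOR_DOMAINS:
        hit = lookalike_of(from_dom, KNOWN_VENDOR_DOMAINS)
        if hit:
            findings.append(f"sender domain {from_dom} looks like known vendor {hit}")
        else:
            findings.append(f"sender domain {from_dom} is not a known vendor")
    return findings


def should_hold(findings: List[str]) -> bool:
    """Hold for out-of-band verification when a payment change comes with any sender anomaly."""
    return PAYMENT_FINDING in findings and len(findings) > 1


# Constructed spoof: one letter dropped from the supplier domain, free-mail Reply-To.
SUSPICIOUS_MSG = b"""\
From: Accounts Payable <accounts@acme-fastener.co.uk>
Reply-To: acme.accounts@webmail-host.example
To: finance@aero-parts.example
Subject: Updated bank details for invoice 4471
Content-Type: text/plain; charset=utf-8

Hi, ahead of Friday's settlement please use our new account number
and sort code below for invoice 4471. Regards, Accounts Payable
"""

# Constructed legitimate notification from the real supplier domain.
LEGITIMATE_MSG = b"""\
From: Accounts Payable <accounts@acme-fasteners.co.uk>
To: finance@aero-parts.example
Subject: Invoice 4471
Content-Type: text/plain; charset=utf-8

Please find attached invoice 4471, payable on the usual terms.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MSG), ("legitimate", LEGITIMATE_MSG)):
        found = assess_payment_request(raw)
        print(label, "-> hold" if should_hold(found) else "-> pass", found)
```

The point of `should_hold` is the policy, not the parsing: a bank-detail change on its own is normal business, and an unfamiliar domain on its own is a new supplier, but the two together at the moment a payment is due is the pattern described above, and the only safe response is to confirm the change by phone on a number already held on file.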

What can be done?

Manufacturers must balance their reliance on the supply chain against protecting their IP, operations, and reputation. The MoD keeps a keen eye on defence supply chain security, so it is imperative that manufacturers can demonstrate they are not the weak link, and that they are taking steps to safeguard their information and systems against compromise through third parties.

Find out more about how CORVID can benefit the manufacturing sector.

Footnotes
  1. CSO Online
  2. BBC News
  3. InfoSecurity Magazine