Cyberattacks are on the rise across industries and the supply chain is certainly no exception. In fact, the threat appears to be growing. And when a cyberattack takes down just one link in this global, interdependent chain, the ripple effect could reach far and wide.
As one expert wrote in a recent Security Magazine post, “If one facility, port, software or database is interrupted due to an attack, countless companies and consumers can be impacted, resulting in great financial loss and compromised data.”
With the increasing sophistication of hackers, the need for cybersecurity vigilance has never been more acute. October’s celebration of Cybersecurity Awareness Month was a great reminder of the need for every organization across the supply chain to up its cybersecurity game.
To help address gaps in the approaches that orgs are taking to address cybersecurity risks, @NIST developed its National Initiative for Cybersecurity Education (NICE) Cybersecurity Framework.— U.S. Commerce Dept. (@CommerceGov) October 29, 2021
Learn more about the framework & its benefits: https://t.co/r5ldJQFqjh #BeCyberSmart pic.twitter.com/aldGdJY86x
A Growing Threat
The growing cybersecurity threat to the supply chain industry is demonstrated by some of the recent headlines and reports from various outlets.
Container News reported that CMA CGM was hit by another cyberattack—it’s second within the past year. Antonis Karamalegkos, Managing Editor for Container News, underscored the growing threat these occurrences pose: “Cyber-attacks are evolving into one of the most dangerous threats of the industry.”
Cyberscoop reported that “Hackers likely supporting Iranian national interests attempted to compromise U.S. and Israeli defense technology and global maritime companies, Microsoft researchers shared Monday.”
Cybersecurity company BlueVoyant released the findings of its second annual global survey into third-party cyber risk management: “The study reveals that 97% of firms surveyed have been negatively impacted by a cybersecurity breach that occurred in their supply chain. Ninety-three percent admitted that they have suffered a direct cybersecurity breach because of weaknesses in their supply chain and the average number of breaches experienced in the last 12 months grew from 2.7 in 2020 to 3.7 in 2021 – a 37% year-over-year increase.”
Quoted in the announcement, Adam Bixler, Global Head of Third-Party Cyber Risk Management, BlueVoyant, said: “Our research shows that there are large concentrations of unknown third-party cyber risk across vertical sectors, supply chains and vendors worldwide, and organizations are regularly experiencing vendor-originated breaches. …”
FreightWaves reported that “Marten Transport has confirmed it was the victim of a cyberattack earlier in October and warned that employee data could have been compromised, according to a Securities and Exchange Commission filing on Wednesday.”
Intel471 reported that “Over the past few months, Intel 471 has observed network access brokers selling credentials or other forms of access to shipping and logistics companies on the cybercrime underground. These companies operate air, ground and maritime cargo transport on several continents that are responsible for moving billions of dollars’ worth of goods around the world. The actors responsible for selling these credentials range from newcomers to the most prolific network access brokers that Intel 471 tracks.”
In the post, Intel471 listed related advertisements they found in July, August, September, and October and underscored the growing threat: “…the logistics industry is constantly targeted, and the ramifications of a cyberattack can have a crippling ripple effect on the global economy. At a time when this sector is struggling to keep things operating, a successful attack could bring this industry to a screeching halt, resulting in unforeseen dire consequences for every part of the consumer economy.”
After reading headlines like those, leaders of organizations engaging with the supply chain may identify with what David Kennedy, founder of cybersecurity companies Trusted Sec and Binary Defense, said in a recent CNBC interview: a cyberattack on the supply chain is “one of the things that keeps him up at night.”
While awareness of cybersecurity threats to the supply chain is growing, the question is, what can be done about them? There are many security experts and organizations that provide excellent resources and guidance to help supply chain stakeholders identify cybersecurity risks and improve cyber hygiene.
Here, we include information and resources from just two: the National Institute of Standards and Technology (NIST), housed within the U.S. Commerce Department of Commerce and the Atlantic Council’s Cyber Statecraft Initiative, within the Scowcroft Center for Strategy and Security.
NIST Supply Chain Cybersecurity Initiatives and Resources
NIST works across many technology sectors—including cybersecurity. Here’s the intro to NIST’s overview regarding its work in this area: “NIST develops cybersecurity standards, guidelines, best practices, and other resources to meet the needs of U.S. industry, federal agencies and the broader public. Our activities range from producing specific information that organizations can put into practice immediately to longer-term research that anticipates advances in technologies and future challenges. …”
NIST highlights two recent cybersecurity supply chain projects it has been working on: Executive Order 14028, Improving the Nation’s Cybersecurity and National Initiative for Improving Cybersecurity in Supply Chains.
Executive Order 14028, Improving the Nation’s Cybersecurity
According to NIST, “The President’s Executive Order (EO) on ‘Improving the Nation’s Cybersecurity (14028)’ issued on May 12, 2021, charges multiple agencies – including NIST– with enhancing cybersecurity through a variety of initiatives related to the security and integrity of the software supply chain. …Section 4 of the EO directs NIST to solicit input from the private sector, academia, government agencies, and others and to identify existing or develop new standards, tools, best practices, and other guidelines to enhance software supply chain security. Those guidelines are to include:
criteria to evaluate software security,
criteria to evaluate the security practices of the developers and suppliers themselves, and
innovative tools or methods to demonstrate conformance with secure practices.”
On November 8th, NIST held a virtual workshop available to the public to discuss “the approach that NIST is taking to support Section 4e of Executive Order 14028” and noted that it has released the Draft Special Publication (SP) 800-218, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities: “The SSDF is a set of fundamental, sound practices for secure software development based on established standards and guidelines produced by various organizations. The SSDF directly addresses several practices that were called out in Section 4e. The SSDF also provides a starting point for discussing other practices that Section 4e specifies.”
National Initiative for Improving Cybersecurity in Supply Chains
According to NIST, “NIST recently announced a new effort to work with the private sector and others in government to improve cybersecurity supply chains. This initiative will help organizations to build, evaluate, and assess the cybersecurity of products and services in their supply chains, an area of increasing concern.
“The effort, known as the National Initiative for Improving Cybersecurity in Supply Chains (NIICS), will emphasize tools, technologies, and guidance focused on the developers and providers of technology. At the same time, there is a need among those acquiring products and services for cohesive, practical, performance-oriented guidance to address the broader cybersecurity risks to the security and resilience of all supply chains.
“NIST is discussing stakeholder cybersecurity-related supply chain needs with private sector and government organizations that are key to the security of the U.S. critical infrastructure sectors and the broader economy. This will include the private sector companies that participated in a White House summit with President Biden, Secretary of Commerce Raimondo, and other officials on August 25, 2021 – and many other organizations. NIST expects to issue a Request for Information (RFI) to help guide this partnership. NIST also is drawing on information provided as part of its cybersecurity-related supply chain activities to fulfill a May 12, 2021, Executive Order on Improving the Nation’s Cybersecurity.”
NIST notes that more information about this initiative will be “shared soon.”
In the meantime, NIST’s Cyber Supply Chain Risk Management (C-SCRM) Fact Sheet provides a concise overview of the organization’s scope and approach to C-SCRM, as well as a list of key NIST resources and activities.
The Atlantic Council’s Cyber Statecraft Initiative
On October 4th, the Atlantic Council’s Cyber Statecraft Initiative released a new report, Raising the colors: Signaling for cooperation on maritime cybersecurity.
The report underscores how critical the maritime transportation system (MTS) is to the global economy and its growing vulnerability to cyber threats. In fact, according to the report, in 2020 alone, cyberattacks aimed at the MTS “increased by 400 percent over the span of a few months.”
In spite of the jump, the report notes that “maritime cybersecurity risks remain underappreciated. The uptick in cyberattacks targeting the MTS includes varieties of attacks familiar to other industries, including ransomware, phishing, and malware such as data wipers, to name a few. In combination with traditional cyber threats targeting information technology (IT) systems, reports of attacks on operational technology (OT), on ships and in ports, increased a whopping 900 percent in a three-year period ending in 2020.”
To address the complex nature of the MTS and the growing threat of cyberattacks, the report examines what the authors refer to as “three key life cycles—the life of a ship, of a piece of cargo, and of the daily operations of a port—to reveal patterns of threats and vulnerabilities. These life cycles help shed light on a globe-spanning cast of characters. Each life cycle highlights areas of concentrated risk and points of leverage against which policy makers and practitioners can collaborate to take action. …Building on this analysis, the report offers twelve recommendations sequenced as first, next, and later. …”
To learn more about the specific recommendations, please access the full report.
Additionally, the Atlantic Council weighed in on President Biden’s EO on cybersecurity in its post, “MARKUP: Our experts annotate Biden’s new executive order on cybersecurity,” which contains expert commentary about the contents of the order.