The Rise of Supply Chain Attacks

The Importance of Safeguarding Your Company’s Critical Partners


Christopher Walcutt
Chief Security Officer

Dec. 30, 2024

A number of major data breaches, including the Target breach in 2013, the SolarWinds breach in 2020, and the Kaseya breach in 2021, point to a singular security issue that continues to plague businesses relying on third-party vendors, suppliers, or service providers:

Supply chain attacks.

Attackers compromise vulnerable third parties to reach corporate networks, because vendors often hold largely unfettered access that procurement agreements never constrained with security requirements.

These supply chain attacks not only exploit the interconnectedness of modern business operations, but can disrupt essential business functions and damage customer trust.

The Primary Point of Entry: Procurement

Anytime your company purchases a new piece of equipment, it’s typical for the equipment manufacturer to include some type of remote access in the contract for software updates and routine management. While this ongoing work is necessary, your company now has a point of entry for attackers through that third-party access.

Target was breached in 2013 through a vulnerability with its HVAC vendor, which had remote access to the company’s chiller systems. This attack happened more than a decade ago, and companies are still experiencing breaches through their third-party relationships.

And again, in 2024, remote monitoring and management platform Kaseya suffered a ransomware attack that affected 1,500 companies it serviced.

It’s typical for companies to be either unaware of the access built into their vendor procurement agreements, or to assume that their vendors are monitoring software activity.

However, if you don’t control it, you can’t monitor it. Third-party vendor security and the prevention of supply chain attacks start with reviewing and adjusting procurement contracts.

Training Procurement to Fine-Tune and Secure Vendor Agreements

Ideally, companies should review existing vendor contracts and establish new rules around access controls going forward.

Companies leveraging third-party vendors can provide access to those vendors, but need to be able to turn that access on and off. We recommend training and educating procurement teams to establish security protocols up front for every vendor contract – but if existing contracts have access permissions, here are a few steps you can take to close gaps and move forward with more secure supply chain management.

  • Identify all the vendors your company is currently partnered with or receiving services from.
  • Look into your company’s firewalls and view the traffic to identify which vendors are able to get through onto your network.
  • Contact these vendors and make arrangements to secure their remote access.

You don’t have to change the software you’re using or search for a new vendor, but you should amend existing contracts to establish a verified account into your company’s remote access solution that you can control. Vendors should be required to complete multi-factor authentication and a security posture assessment, and only then can they get into your network to view the software and make any necessary updates.
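The second and third steps above (reviewing firewall traffic to see which vendors actually reach the network, then moving them onto a controlled remote-access path) can be turned into a repeatable check. The script below is an added example, not code from the original post or from the author's firm; it assumes a hypothetical vendor inventory of source ranges, a hypothetical remote-access gateway address, and a simple constructed key=value log format rather than any real firewall's output. It reports, per vendor, which sessions land on the gateway, which bypass it and hit internal hosts directly, and which allowed inbound sessions come from no known vendor at all.

```python
import ipaddress
import re
from collections import defaultdict

# Hypothetical vendor inventory (step 1 of the list): vendor name -> source ranges the
# vendor says it connects from. Documentation-range addresses, constructed for this example.
VENDOR_RANGES = {
    "hvac-vendor": ["203.0.113.0/28"],
    "scada-integrator": ["198.51.100.40/32"],
}

# Hypothetical controlled remote-access gateway (the "verified account into your
# company's remote access solution"). Vendor sessions should terminate here,
# not on internal hosts directly.
REMOTE_ACCESS_GATEWAY = "10.0.0.5"

# Constructed firewall log lines in a simple key=value format (not any real product's format).
SAMPLE_LOG = """\
action=allow src=203.0.113.4 dst=10.0.0.5 dport=443
action=allow src=203.0.113.4 dst=10.20.0.15 dport=3389
action=deny src=203.0.113.9 dst=10.20.0.15 dport=22
action=allow src=198.51.100.40 dst=10.30.0.7 dport=502
action=allow src=192.0.2.77 dst=10.20.0.15 dport=3389
"""

LINE_RE = re.compile(
    r"action=(?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)


def parse_log(text):
    """Yield (action, src, dst, dport) tuples; lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["action"], m["src"], m["dst"], int(m["dport"])


def vendor_for(src, vendor_ranges):
    """Return the inventory vendor whose ranges contain src, or None if no vendor matches."""
    ip = ipaddress.ip_address(src)
    for name, cidrs in vendor_ranges.items():
        if any(ip in ipaddress.ip_network(c) for c in cidrs):
            return name
    return None


def review_vendor_access(log_text, vendor_ranges=VENDOR_RANGES, gateway=REMOTE_ACCESS_GATEWAY):
    """Summarise which vendors are getting through and whether they use the gateway.

    Returns a dict with:
      'via_gateway' - vendor -> set of (dst, dport) for allowed sessions to the gateway
      'direct'      - vendor -> set of (dst, dport) for allowed sessions bypassing it
      'unknown'     - set of (src, dst, dport) allowed sessions from no inventoried vendor
    """
    report = {"via_gateway": defaultdict(set), "direct": defaultdict(set), "unknown": set()}
    for action, src, dst, dport in parse_log(log_text):
        if action != "allow":
            continue  # only permitted traffic tells you who is actually getting in
        vendor = vendor_for(src, vendor_ranges)
        if vendor is None:
            report["unknown"].add((src, dst, dport))
        elif dst == gateway:
            report["via_gateway"][vendor].add((dst, dport))
        else:
            report["direct"][vendor].add((dst, dport))
    # plain dicts make the result easier to compare and serialise
    return {k: (dict(v) if isinstance(v, defaultdict) else v) for k, v in report.items()}


if __name__ == "__main__":
    result = review_vendor_access(SAMPLE_LOG)
    for vendor, hits in result["direct"].items():
        print(f"{vendor}: direct access bypassing the gateway -> {sorted(hits)}")
    for src, dst, dport in sorted(result["unknown"]):
        print(f"unknown source {src} allowed to {dst}:{dport}; not in the vendor inventory")
```

The `direct` entries are the contracts to amend first: the vendor is already inside the network without passing through the access solution you control. The `unknown` entries are either a vendor missing from the inventory built in step 1 or an access path nobody in procurement knows about, and either way they need an owner before the review is finished.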

Documenting a procurement process around security protocols and creating a checklist to follow will ensure procurement teams not only understand the importance of establishing access guidelines in every vendor contract, but how to do so for long-term security protection.

Patch Management and Supply Chain Attacks

Patch management is another critical component of preventing supply chain attacks. In the 2020 breach of SolarWinds, a software company that provides system management tools to hundreds of thousands of corporations globally, attackers exploited a vulnerability in SolarWinds Orion, an IT performance monitoring system, launching one of the biggest cybersecurity breaches of the 21st century and triggering a supply chain incident that affected thousands of organizations, including the U.S. government.

In the case of SolarWinds, like so many others, poor patch management left open a vulnerability attackers used to infiltrate the system.

Similarly, IT management software company Ivanti has faced multiple breaches in 2024 alone as attackers exploited vulnerabilities in the software that could have been mitigated by applying the appropriate security patches.

Even as Ivanti released patches to address the known vulnerabilities, many companies didn’t apply them, and were subsequently either breached or still at risk of a breach since attackers were well aware of these vulnerabilities and were continuing to exploit them.

Companies release patches when they uncover security vulnerabilities in their products, and it’s up to organizations using those products to get those patches installed. Known weaknesses are easily exploitable, and unpatched systems are an open invitation to attackers.

Furthermore, organizations – especially utilities in the energy, oil and gas, and wastewater and water treatment industries – often operate using legacy assets that haven’t been patched in a long time or are no longer supported by the vendor.

In these cases, attackers can exploit vulnerabilities no one even knows about, or that cannot be patched. The larger directive then becomes applying any patches that have been released or replacing end-of-life software with newer, supported assets.
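The directive in the paragraph above has two halves: apply every patch the vendor has released, and replace anything the vendor no longer supports. A small triage over an asset inventory makes both halves mechanical. The code below is an added example, not the author's or any vendor's tooling; the product names, versions, support dates and advisory feed are all constructed, and it assumes dotted numeric version strings that compare component by component.

```python
from datetime import date


def parse_version(v):
    """Turn '2020.2.1' into a tuple of ints so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


# Constructed asset inventory: installed version plus the vendor's support end date
# (None means the product is still supported).
INVENTORY = [
    {"host": "mon-01", "product": "ExampleMonitor", "version": "2020.2.1", "support_ends": None},
    {"host": "mon-02", "product": "ExampleMonitor", "version": "2020.2.10", "support_ends": None},
    {"host": "hmi-01", "product": "LegacyHMI", "version": "3.1.0", "support_ends": date(2019, 6, 30)},
    {"host": "vpn-01", "product": "ExampleGateway", "version": "9.1.0", "support_ends": date(2026, 1, 1)},
]

# Constructed advisory feed: product -> lowest version that contains the vendor's fix.
ADVISORIES = {
    "ExampleMonitor": "2020.2.4",
    "ExampleGateway": "9.1.2",
}


def triage(inventory, advisories, today):
    """Classify each host as 'unsupported' (replace), 'patch-available' (apply) or 'current'.

    End-of-life takes precedence: a patch may exist for an old release, but if the vendor
    has stopped supporting the product the next fix will never arrive, so the asset is
    flagged for replacement rather than patching.
    """
    results = {}
    for asset in inventory:
        ends = asset["support_ends"]
        if ends is not None and ends < today:
            results[asset["host"]] = "unsupported"
            continue
        fixed_in = advisories.get(asset["product"])
        if fixed_in is not None and parse_version(asset["version"]) < parse_version(fixed_in):
            results[asset["host"]] = "patch-available"
        else:
            results[asset["host"]] = "current"
    return results


def work_list(results):
    """Order hosts so replacements come before pending patches; current hosts are omitted."""
    priority = {"unsupported": 0, "patch-available": 1}
    return sorted(
        (host for host, status in results.items() if status in priority),
        key=lambda h: (priority[results[h]], h),
    )


if __name__ == "__main__":
    status = triage(INVENTORY, ADVISORIES, date.today())
    for host in work_list(status):
        print(f"{host}: {status[host]}")
```

The string-versus-tuple distinction in `parse_version` is the part worth copying: compared as strings, "2020.2.10" sorts below "2020.2.4" and a patched host would be reported as vulnerable.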

The Small Business Security Challenge

Many organizations work with third-party vendors that are small businesses; in fact, organizations in the defense industrial base, which handles mountains of sensitive information and is highly regulated under CMMC and NIST CSF, get grants to contract with small businesses for third-party vendor services. We absolutely encourage giving business to smaller companies, but these relationships do need to be treated like a security risk.

It can be cost-prohibitive for small businesses to procure cybersecurity software like CrowdStrike or Palo Alto, so they often carry more vulnerabilities and don’t do 24/7 monitoring of their software.

If you’re an attacker, the easiest way to break into, for example, a manufacturing company’s network isn’t through its on-premises defenses. It’s through its SCADA integrator, who perhaps manages multiple plants and started out as an electrician, and therefore has less experience with security and monitoring protocols.

Smaller operations, while able to manage software integrations for large companies, pose security risks you may not even consider – perhaps their child uses their work laptop to play Minecraft, accidentally downloads a virus, and now they’re connecting that laptop to your infrastructure.

To be clear, the issue is not partnering with small businesses but rather doing so without proper awareness of and precautions against inherent security risks unique to small businesses. Attackers can strike at any company of any size; your procurement agreements should be mindful of the risks and prioritize your company’s security.

It’s your ecosystem – treat it that way! Procurement is your friend – and one of the most important things you can do is establish clear security guidelines for your vendors to make sure your network stays safe.

Protect Your Supply Chain With an MSSP

During a risk assessment, a security architecture review, or a compliance framework review for CMMC or NIST CSF, an MSSP will ask about your company’s vendor relationships and dig into the contracts to see how much access they have and how it can be remediated.

A penetration test, web app test, or other vulnerability scan would seek to identify third-party vendor risks by exploiting the vulnerability in a test environment. It’s not ideal to have gaps in your endpoint security, but if they’re discovered by an MSSP during a routine security assessment, it’s far better than if an attacker uncovers them first.

Restricting third-party access via contractual agreements has been best practice for many years, but we continue to see clients who have these issues with their vendor agreements.

Talk to us about establishing a vendor review and process for third-party access for any new or existing supplier, partner, or vendor relationships.