Information security risks in supply chain software are becoming increasingly prevalent, particularly as global companies have become more dependent on third-party vendors.
According to Symantec, more and more attackers are injecting malware into the supply chain to infiltrate organizations. In fact, there was a 200% increase in these attacks in 2017 -- one every month compared to four attacks annually in previous years.
Supply chain software offers a new arena to threat actors intent on penetrating enterprise networks, said Peter Nilsson, vice president of strategic initiatives at MP Objects, a provider of supply chain orchestration software in Boston.
"Previously, people had their ERPs behind their very tight firewalls, and no one from the outside could get in without being monitored by the hawk eyes of the IT department," he said. "Now, enterprises are saying, 'We need to collaborate with our partners and we have to open up our ERP and let them in.'"
But if those third parties don't have adequate security, attackers can infiltrate their systems to attack the enterprise.
Any time an enterprise introduces software into the mix of its supply chain, it runs the risk of cybersecurity issues, said Justin Bateh, supply chain expert and professor of business at Florida State College at Jacksonville. Most risks are caused by not having the proper controls in place for third-party vendors.
"There are many low-tier suppliers that will have weak information security practices, and not having clean and limited guidelines for these providers about security expectations will pose a significant threat," he said.
Causes of potential security risks
Poor internal security procedures and a lack of compliance protocols can also introduce potential threats, including marketing campaign schemes, privacy breaches and disruption of service attacks, according to Bateh.
In addition, smaller companies may use inadequate software coding practices. As such, larger enterprises can't be sure the software is being checked for quality as it goes through its development cycle, said Lisa Love, owner and president of LSquared, an information security consulting firm in Greenwood Village, Colo.
Consequently, something as unintentional as bad scripting can introduce vulnerabilities into the providers' supply chain software, as well as into the enterprise, which attackers could then exploit, she said.
Jason Rhoades, a principal at Schellman & Co., a provider of attestation and compliance services in Tampa, Fla., agreed that in recent years the enterprise's attack surface has increased along with the tremendous growth in the supply chain.
"Looking at the recent Equifax breach confirms that vendor and supply chain software poses a true security risk that the enterprise cannot ignore," he said.
Equifax blamed its 2017 breach on a flaw in the third-party software it was using. And the massive breach of Target's systems in 2013 was caused by attackers who stole the login credentials of its HVAC contractor and used them to infiltrate Target's network.
Jonathan Wilson, a partner at the law firm Taylor English Duma LLP in Atlanta, agreed that many security risks come from the data connections and handoffs in the supply chain moving from smaller to larger providers.
"A lot of these small companies and startups don't have robust data security systems," said Wilson, who has represented a Fortune 500 international supply chain logistics provider. "They get a breach or some sort of exploitation is involved, and by working their way up the chain, the attacker can utilize the permissions that the smaller vendors get to obtain access to the larger company's system."
Another way hackers could introduce risk into an enterprise is via the supply chain software itself, according to Michael O'Malley, vice president of strategy at Radware, a provider of cybersecurity services in Mahwah, N.J. Most supply chain applications have some type of web interface with a login page to ensure that only the right people are authenticated and allowed to access the application.
Attackers can also use credential stuffing to infiltrate an enterprise via an unprotected web interface, he said. The attackers can hack into the interface, enter a legitimate username and password, and pose as someone else.
"Or they do something else offline through a phishing email scam to get users of the software to click on a link or respond to an email and dupe them into sharing their credentials," O'Malley said. "They can then use those credentials to log in or break into the application."
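The credential stuffing O'Malley describes leaves a recognizable trace in the application's own login logs: one source cycling through many distinct usernames, mostly failing, in a short window. The Python below is an added example, not code from the article or from any vendor named in it; it runs over constructed log lines in a hypothetical format and flags such sources, listing any accounts that accepted a stuffed pair so they can be reviewed.

```python
"""Flag credential-stuffing patterns in web login logs (added example).

Assumed, constructed log format: "<iso_ts> <src_ip> login user=<name> result=<ok|fail>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one stuffing source (203.0.113.9) and one ordinary user.
SAMPLE_LOG = """\
2024-01-10T09:00:01 203.0.113.9 login user=alice result=fail
2024-01-10T09:00:02 203.0.113.9 login user=bob result=fail
2024-01-10T09:00:02 203.0.113.9 login user=carol result=fail
2024-01-10T09:00:03 203.0.113.9 login user=dave result=ok
2024-01-10T09:00:04 203.0.113.9 login user=erin result=fail
2024-01-10T09:00:05 203.0.113.9 login user=frank result=fail
2024-01-10T09:05:00 198.51.100.7 login user=grace result=fail
2024-01-10T09:05:09 198.51.100.7 login user=grace result=ok
"""

def parse(line):
    """Split one log line into (timestamp, src_ip, username, result)."""
    ts, ip, _, user, result = line.split()
    return (datetime.fromisoformat(ts), ip,
            user.split("=", 1)[1], result.split("=", 1)[1])

def find_stuffing(log, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.7):
    """Return {src_ip: (distinct_users, attempts, ok_users)} for every source
    that tries at least min_users distinct usernames inside `window` with a
    failure ratio of at least min_fail_ratio. ok_users are accounts whose
    password was accepted during the burst and should be reviewed/reset."""
    by_ip = defaultdict(list)
    for line in log.splitlines():
        if line.strip():
            ev = parse(line)
            by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Sliding window: drop events older than `window` before events[end].
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {e[2] for e in span}
            fails = sum(e[3] == "fail" for e in span)
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                # Keep the largest qualifying window seen for this source.
                if ip not in flagged or len(span) > flagged[ip][1]:
                    flagged[ip] = (len(users), len(span),
                                   sorted({e[2] for e in span if e[3] == "ok"}))
    return flagged
```

The thresholds are assumptions to tune per application; the point is that distinct-username count per source, not failure count alone, separates stuffing from a single user mistyping a password.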
Another way attackers can penetrate an enterprise's network via the supply chain is from the inside, according to O'Malley. This is where IoT devices come into play. More and more of these supply chain software applications -- particularly in high-tech manufacturing -- are part of an IoT network that provides different diagnostics and information about the machines on a factory floor.
These devices are providing all this real-time input back to the supply chain management software application. However, they can be easily compromised because they tend to be very inexpensive Linux-based devices that weren't designed with security in mind, and they don't have the necessary protections against hacking, he said.
"What we commonly see is that within minutes of these devices being connected to the internet, someone infiltrates them and puts a piece of malware or a bad bit of code on them," O'Malley said. "And those are then used later as an attack on something else or in an attack on the software application itself."