Top 7 Cybersecurity Threats: #3 Supply Chain Attacks

When trusted third parties pose a cybersecurity threat.

Top 7 Cybersecurity Threats: #3 Supply Chain Attacks

American manufacturers face myriad cybersecurity threats. But a few rank among the very worst.

In this series of articles, MxD is identifying the Top 7 cybersecurity threats and suggesting how manufacturers can mitigate them.

Making the Top 7 list: equipment sabotage, insider threats, supply chain attacks, data theft, malware, phishing attacks, and ransomware. MxD previously explored equipment sabotage and insider threats.

Third in the spotlight: Supply Chain Attacks

Supply chain attacks are a cybercriminal’s version of climbing the ladder: They get a foot in a company’s door and then aim straight for the top.

The “top” is often the largest partner in a company’s supply chain. Or it could be an organization’s most sensitive information.

Insidious and on the rise, these attacks are hard to prevent because the bad actors are getting in via an unlikely source: Trusted third parties.

Trusted third parties could be vendors, which is what happened to Target in 2013, an event still making headlines. Criminals were able to steal the financial and personal information of as many as 110 million customers by hacking a company that serviced Target’s HVAC systems and had access to the retailer’s network for things such as billing and contract submission, according to a U.S. Senate committee report. Using the stolen vendor credentials, cyber thieves moved throughout the network, getting to the most lucrative data and installing malware to steal it.

Trusted software vendors are another source. It was the path used for 2020’s SolarWinds hack, whose victims included U.S. government agencies.

Such software supply chain attacks increased by more than 300% last year, according to a study by security firm Argon. Helping to accelerate the growth is thinking that hasn’t caught up with the reality of today’s complex, global, and interconnected supply chains. The “if I get hacked, it’s just me getting hacked” mentality is way out of date.

In the SolarWinds attack, for example, hackers that the United States later linked to the Russian Foreign Intelligence Service (SVR), planted malicious code into the software firm’s internet technology management tool Orion, which was used by thousands of networks around the world. Via backdoor malware delivered as a software update, hackers got into the networks of about 100 companies and at least nine U.S. agencies.

Avoiding such attacks is not easy. SolarWinds, after all, was “one of the most widespread and sophisticated hacking campaigns ever conducted against the federal government and private sector,” according to the U.S. Government Accountability Office. But there are cyberdefense strategies that can help. Manufacturers should:

  • Identify all hardware and every piece of software that they run. Without that knowledge it’s impossible to know what could be attacked or whether any of those crucial assets have vulnerabilities that can be exploited.
  • Monitor those assets and take action when there’s a red flag. In a 2014 report, the U.S. Senate Committee on Commerce, Science, and Transportation said Target appeared “to have failed to respond to multiple automated warnings from the company’s anti-intrusion software that the attackers were installing malware on Target’s system.”
  • Segment or partition networks. In another example from the Target breach, the part of the network that handled HVAC contracts should not have been linked to the section handling sales. Those should be separate systems, which can be done through network segmentation.
  • Adopt a Zero Trust model (meaning trust no one and verify everyone). A user ID and password should not be enough for network access. Everyone – vendors, employees, visitors, and contractors – should be required to confirm their identity with multifactor authentication steps, including response to a text to ensure they are who they say they are.
  • Vet all vendors and make sure they are doing the same with their vendors. Ask about the background checks they do and the level of cybersecurity they demand. Include required levels of cybersecurity in vendor contracts.

It’s never been more important to make certain that “trusted” vendors are able to prove they can be trusted.


MxD’s Playbook for CMMC 2.0 Level 1 includes tips to help provide protection from supply chain attacks, such as using subnetworks to mitigate security vulnerabilities. Download it for free.

What’s New in CMMC Series:

You can can explore our What’s New in CMMC Series for a breakdown on Questions to Ask When Identifying Assets and Shoring up Asset Protection for Manufacturing Cybersecurity.