Supply Chain Cybersecurity: Ensuring End-to-End Protection
Brett Gallant
Founder, Technology Leader & Cyber Security Expert | Best-Selling Author
In an increasingly interconnected world, the integrity of supply chains is paramount for the smooth functioning of various industries. Cybersecurity threats targeting these supply chains can have devastating consequences, from financial losses to compromised sensitive information. This article explores the critical need for supply chain cybersecurity across several major industries: energy, healthcare, finance, manufacturing, and more. We will delve into the unique challenges each sector faces and outline best practices to ensure end-to-end protection.
Supply chains are the backbone of global commerce, enabling the production and delivery of goods and services. However, they also present numerous points of vulnerability that cybercriminals can exploit. The complexity and interconnectedness of modern supply chains mean that a breach in one link can have far-reaching impacts. As industries rely more on digital technologies, the need for robust cybersecurity measures to protect supply chains from cyber threats has never been more critical.
Energy: Safeguarding National Security
The energy sector is critical to national security and economic stability. Cyber attacks on the energy sector can have far-reaching consequences, including disruptions to power supply and threats to public safety. Protecting the supply chains of energy companies is, therefore, of paramount importance.
The Ramifications Of Cyber Attacks On Canadian Energy Grids
In excerpts from an article by NATO, they wrote, “In the current digital era, cyberattacks on Canadian energy networks raise serious geopolitical security concerns. These attacks have a significant impact on the geopolitical environment in addition to endangering the energy infrastructure. Cyberattacks on Canadian energy networks have far-reaching geopolitical repercussions that touch on many important industries, affecting national security, public safety, and the economy.
Such assaults can interfere with vital infrastructure and compromise the country’s ability to function as a whole. If disruptions in energy supplies emerge, the economic consequences are significant across various sectors, resulting in reduced productivity, job losses, and higher company expenses. Potential repercussions of targeting the oil and gas industry as a key target include dangers to public health, financial losses for enterprises, and interruptions in essential services.
Given how strongly both consumers and businesses depend on a steady and consistent supply of energy, this will negatively impact the economy. Canadian energy grids play a vital role in ensuring the reliable supply of electricity to homes, businesses, and essential services. Power outages have the potential to endanger lives by interfering with transportation, industry, and healthcare institutions.
The main cyber threats facing Canada’s oil and gas industry are ransomware and financially motivated cybercrime, particularly business email hacking. The oil and gas industry is considered a critical infrastructure given that it serves an imperative role in providing energy for numerous economic sectors. Attacks on this sector will affect other vital operations like transportation and manufacturing, in addition to the financial consequences it presents; unlike the nuclear industry, it employs a broader workforce, resulting in greater fiscal fallout if targeted.”
Securing supervisory control and data acquisition (SCADA) systems is a key priority for the energy sector. These systems control critical infrastructure components and are often targeted by cybercriminals. Implementing advanced threat detection and response solutions helps identify and mitigate cyber threats in real time. Collaboration on cybersecurity standards with industry partners and regulatory bodies ensures that best practices are consistently applied across the sector.
Public Infrastructure: Protecting Critical Systems
Thinking beyond the Energy Sector, public infrastructure, including utilities and transportation systems, is a critical sector that faces significant cybersecurity threats. Ensuring the security of critical infrastructure components such as power grids, water supply systems, and transportation networks is of utmost importance. The use of legacy systems in public infrastructure poses additional challenges, as these systems are often outdated and lack modern cybersecurity protections.
Nation-state actors pose a significant threat to public infrastructure, as they may seek to disrupt essential services for political or strategic gains. The potential consequences of cyber attacks on public infrastructure are severe, making cybersecurity a top priority.
Cyber attacks continue to hit critical infrastructure
In excerpts from an article by Industrial Cyber, they wrote, “Recent cyber attacks targeting critical infrastructure facilities have resulted in significant data breaches, impacting operations at a Canadian oil pipeline company, a U.K.-based water company, emergency management services, telecommunications, satellite services, and the defense industrial base. These incidents reveal how sophisticated cybercriminals exploit weaknesses in security systems to disrupt services, steal sensitive information, or demand ransom.
Trans-Northern operates regulated pipelines to transport refined petroleum products such as gasoline, diesel, aviation, and heating fuel, used by Canadian businesses and consumers every day. These pipelines connect refineries in Edmonton to Calgary, including the Calgary International Airport; and refineries in Nanticoke, Ontario, and Montreal to the Greater Toronto Area (GTA), with lateral pipelines to Ottawa as well as to Pearson International Airport and Pierre-Elliot Trudeau International Airport.
The attack on the oil pipeline company serves as a reminder to the critical infrastructure sector of the May 2021 ransomware cyber attack on Colonial Pipeline, which impacted computerized equipment managing the pipeline. At the time, Colonial Pipeline halted all pipeline operations to contain the attack.
In another breach, Southern Water announced Monday that “data from a limited part of Southern Water’s server estate had been stolen and was at risk following an illegal intrusion into our IT systems. This arose from our ongoing investigation into suspicious activity, as detailed in our statement on 23 January 2024.”
On Tuesday, industrial cybersecurity company Dragos disclosed that it has been performing reconnaissance and enumeration of multiple U.S.-based electric companies since early 2023, and since then has targeted emergency management services, telecommunications, satellite services, and the defense industrial base.”
To protect public infrastructure supply chains, organizations should implement robust security measures, such as deploying advanced security technologies like intrusion detection systems (IDS) and firewalls. Conducting vulnerability assessments regularly helps identify and address security weaknesses. Developing resilience strategies to enhance the ability of public infrastructure to withstand and recover from cyber attacks is essential. Engaging in public-private partnerships allows for information sharing and collaboration on best practices, further strengthening cybersecurity efforts.
Healthcare: Protecting Sensitive Information
The healthcare industry is particularly vulnerable to cyber attacks due to the high value of medical data and the critical nature of healthcare services. One of the main challenges is the fragmented nature of healthcare supply chains, which often involve multiple vendors and service providers, each with varying levels of cybersecurity maturity. This fragmentation can create gaps in security, making it easier for cybercriminals to find entry points.
Additionally, healthcare organizations handle a vast amount of sensitive data, including patient records and clinical research data, which are prime targets for cybercriminals. The regulatory environment adds another layer of complexity. Healthcare organizations must comply with strict regulations such as HIPAA, which mandates the protection of patient information.
Healthcare sector “stretched thin” in the fight against cyber attacks
In excerpts from an article by IT World Canada, they wrote, “Organizations are stretched thin, they just don’t have the people, budget to support the basic types of [cybersecurity] programs,” Errol Weiss, CSO of the Health-ISAC said in a recent interview.
Hospitals and clinics hold sensitive data of patients, which may put pressure on them to cave to ransom demands. And for-profit hospitals might seem to be logical targets in particular, because they would be seen as able to pay to get access back to encrypted and stolen data.
However, Weiss believes most ransomware attacks are opportunistic: Attackers exploit any opening at any organization they find. “I call it a shotgun method: They’re not aiming at anyone, they’re just casting a wide net. They don’t even realize, when they obtain access to a victim’s network, what they have a foothold in,” he said.
However, once inside and when they realize what the victim organization is, gangs don’t hold back on their pressure tactics. “We have seen threats to release information including psychiatric care notes, even images of cancer patients, before and after pictures of surgeries — really horrific stuff,” Weiss said. The biggest mistakes organizations make are: not backing up data regularly, not patching vulnerabilities fast enough, and not implementing multifactor authentication to protect logins.
Asked why healthcare organizations aren’t doing those basics, he said it comes back to a lack of financial and human resources. To move in the right direction, organizations sometimes have to decide between buying medical or IT equipment, he said. But they also have to realize that cybersecurity risks are “huge.”
If things continue as they are, “we’ll continue to read about organizations becoming victims of the next cybercriminal organization,” he said. “The malware we’re getting is getting more sophisticated. Bad guys are constantly evolving their tactics to beat the system, and if organizations aren’t addressing that, there will be an impact.”
To enhance supply chain cybersecurity in healthcare, organizations should conduct thorough vendor assessments to evaluate the cybersecurity practices of all suppliers and partners. Encrypting sensitive data, both at rest and in transit, is crucial to protect it from unauthorized access. Regularly updating and patching systems can prevent the exploitation of known vulnerabilities. Finally, providing cybersecurity training to employees and partners can help create a culture of security awareness, reducing the risk of human error.
Finance: Guarding Against Sophisticated Threats
The financial sector is a prime target for cyber attacks due to the high value of financial data and assets. Financial institutions often rely on a complex network of third-party vendors for various services, from IT support to payment processing. This reliance on external partners increases the risk of supply chain cyber-attacks.
Moreover, financial institutions must navigate a stringent regulatory environment, with regulations such as GDPR and PCI DSS requiring robust measures to protect customer data. The threat landscape is also constantly evolving, with advanced persistent threats (APTs) and other sophisticated cyber attacks designed to steal data and disrupt operations.
Cyber attacks at Canadian banks nearly tripled in one year
In excerpts from an article by the National Post, they wrote, “Canada’s banking watchdog says it’s worried about the increasing number of “high impact” cyberattacks against banks that lead to service disruptions or data leaks, which have nearly tripled in the last year.
On Tuesday, Office of the Superintendent of Financial Institutions (OSFI) assistant superintendent Tolga Yalkin told the House Public Safety Committee that banks reported 28 “priority one” cyber incidents to the watchdog in 2023. That’s nearly triple the 10 incidents reported in 2022, he said. “Priority ones are basically high-impact incidents that cause disruption of service or leakage of data.”
In its 2023-2024 annual risk outlook, OSFI noted that cyberattacks against Canadian financial institutions are increasing in both frequency and sophistication, echoing similar statements by the Communications Security Establishment.
“As new regional or global conflicts emerge, the risks from either targeted cyber-attacks and/or their fallout could become more prevalent,” reads the report. “A successful cyber-attack could result in impacts to the confidentiality, integrity, and availability of data and computer systems, which could result in loss of public trust, reputational damage, and financial loss.”
Speaking to MPs, Yalkin said OSFI fully expects cyberattack attempts to continue and even become more frequent. He noted that successful cyberattacks can have dire consequences on both banks and Canadians.
“There is little question that cyberattacks will continue to increase in frequency and sophistication. This is a risk environment that … changes rapidly and for which failure to protect against can have serious consequences,” he said. “A successful cyberattack could affect the confidentiality, integrity and availability of data in systems which could, in turn, result in loss of public trust, reputational damage, and financial loss,” he added.”
To protect their supply chains, financial institutions should adopt a zero-trust architecture. This security model assumes that no entity, whether inside or outside the network, is inherently trustworthy. Conducting regular security audits of all suppliers and partners can help identify and address vulnerabilities. Implementing strong access controls, such as multi-factor authentication, can restrict access to sensitive data and systems. Continuous monitoring for suspicious activity is essential to detect and respond to potential security breaches in real time.
Manufacturing: Securing Interconnected Systems
Manufacturers face unique cybersecurity challenges due to their reliance on interconnected systems and the increasing use of IoT devices. Industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems are often outdated and lack robust cybersecurity measures, making them vulnerable to cyber-attacks.
Intellectual property theft is another significant concern for manufacturers. Cybercriminals may target proprietary designs, manufacturing processes, and other valuable information. Operational disruptions resulting from cyber attacks can lead to production delays and financial losses, further highlighting the need for strong cybersecurity measures.
In excerpts from an article by The Register, they wrote, “Cybercriminals follow the money, and increasingly last year that led them to ransomware attacks against the manufacturing industry.
Operational technology security firm Dragos, in its 2023 year-in-review report, found 70 percent of all industrial org ransomware infections hit manufacturing companies.
Specifically: 638 entities across 33 unique manufacturing subsectors fell victim to ransomware last year.
"Sure, we're seeing [attacks against] oil and gas and electric, but manufacturing is an order of magnitude larger," said Dragos CEO Robert Lee on a call with reporters, adding that the explanation for this is twofold.
First, manufacturing organizations bought into the whole idea of "digital transformation" earlier than their counterparts in, say, water and wastewater, Lee explained. But while manufacturing was investing in IoT and connected machines, the spending on security didn't keep pace with that, and as a result these insecure systems make for easier targets.
Manufacturing "is a richer target" for criminals, Lee said. "And we will see oil and gas, electric, water, mining follow that trend… as those industries become more digitally connected."
"Manufacturing and ICS-related entities still need standard networks and these are almost universally where cyberattacks take place," Stone said. "Where impacts are noted, it is typically within controls leveraging standard technology instead of specific manufacturing or ICS equipment."
If exploited, CVE-2023-21554 could allow an attacker to disclose, tamper with, destroy or delete information in the products, or cause a denial-of-service condition on the products.
"It's basically a maliciously malformed message that can cause remote code execution, which is as bad as it gets," Contrast Security co-founder and CTO Jeff Williams told The Register.
Exploiting this bug for a ransomware infection "is like breaking into your office and locking the file cabinets, instead of stealing your IP, taking control of your bank accounts, and killing your employees," Williams said.”
To enhance supply chain cybersecurity in manufacturing, organizations should implement network segmentation to isolate critical systems and limit the spread of cyber attacks. Securing IoT devices is essential, as these devices can serve as entry points for cybercriminals. Regularly updating and patching IoT devices, as well as using strong authentication mechanisms, can help mitigate risks.
Developing and regularly testing incident response plans ensures that manufacturers are prepared to quickly address and mitigate cyber incidents. Collaboration with industry partners to share threat intelligence and best practices is also vital to stay informed about emerging cyber threats.
Retail: Securing Customer Transactions
Retailers face significant cybersecurity challenges due to the high volume of transactions and the need to protect customer data. The retail industry is particularly attractive to cybercriminals seeking to steal payment card information and other sensitive data. Implementing strong cybersecurity measures is essential to safeguard customer information and maintain trust.
Cyberattacks Disrupt Car Sales by Dealers in the U.S. and Canada
In excerpts from an article by The New York Times, they wrote, “Thousands of auto dealers across the United States and Canada are suffering disruptions to their operations as a result of cyberattacks on a provider of critical software and data services used in auto retailing.
The provider, CDK Global, said it was targeted in two attacks on June 19th, prompting the company to shut down its systems to prevent the loss of customer data and to allow testing and other measures to restore its services.
CDK provides services to more than 15,000 retail locations. Its dealer management systems store customer records and automate much of the paperwork and data involved in selling and servicing cars and trucks.
Dealers said the outage had slowed sales and forced them to find alternative methods to produce the titles, contracts, leases, registration cards and other forms that must be delivered to customers, banks and state motor vehicle authorities.
Dealers said that, in some cases, they were reverting to writing contracts by hand or asking customers to wait a few days to take delivery of their vehicles. They have less leeway in servicing or repairing vehicles when customers often expect their cars back within a few hours.”
To secure retail supply chains, organizations should ensure compliance with the Payment Card Industry Data Security Standard (PCI DSS), which sets requirements for protecting payment card information. Securing e-commerce platforms from cyber attacks is crucial, as online storefronts are often targeted by cybercriminals. Continuous monitoring of supply chain transactions for signs of fraud and other cyber threats helps detect and respond to security incidents promptly.
Higher Education: Safeguarding Academic Integrity
Higher education institutions are increasingly recognizing the critical importance of cybersecurity within their supply chains. These institutions manage vast amounts of sensitive data, including student records, research data, and financial information, making them attractive targets for cybercriminals. The supply chain in higher education is complex, involving numerous vendors and service providers who support everything from campus facilities to IT infrastructure.
One of the primary challenges for higher education institutions is ensuring that all third-party vendors adhere to robust cybersecurity standards. This can be particularly difficult given the diversity of services and the varying levels of cybersecurity maturity among vendors. Institutions must conduct thorough assessments of their suppliers' cybersecurity practices, ensuring that any vulnerabilities are identified and addressed.
Another significant concern is the protection of intellectual property. Universities and colleges are often at the forefront of cutting-edge research, and the theft of intellectual property can have severe financial and reputational consequences. Cybercriminals may target research data through compromised supply chains, making it essential for institutions to implement stringent security measures.
Cyberattacks on universities highlight how Canada lags in response to threats
In excerpts from an article by CBC, they wrote, “A cyberattack that forced the University of Winnipeg to take down its network this week appears to be yet another example of how Canada has been far too slow to respond to cyber threats posed by foreign adversaries, one expert in cyber and national security says.
Christian Leuprecht, a professor at the Royal Military College of Canada and Queen's University, said while it's just as possible that the attack at the U of W was done by someone looking to extort a ransom from the school, universities are disproportionately targeted by adversarial states to steal research and intellectual property.
He added the size of the school, which is not as large or well-known as some other Canadian universities, demonstrates that "everybody's a target." "It's not just the large institutions — and it means that everybody needs to be paying attention, and much better attention," Leuprecht said.
"There's also still a certain ignorance, I would say, in Canadian society about the extent to which Canada is being targeted." The expert called it "puzzling" and "tragic" that the federal government "pours billions of dollars into research but is not willing to do what is ultimately required to keep that research safe from adversarial actors."
Leuprecht said the university caught the issue and responded quickly, which shows institutions are learning more about how to respond to cyberattacks. But he said the fact that it used the "draconian" measure of shutting down the entire network — and some university services were still not available days later — suggests the vulnerability was fairly deep inside the network.
For students at the U of W, the cyberattack was a source of extra stress, just as final exams were about to happen. Arman Afridi, a criminal justice student, said he hopes to see the school tighten its security system to prevent similar attacks from happening again. "If this happened one time, in the future, it may happen one more time," Afridi said.
Meanwhile, education student Marnie Bloom said she and her classmates feel left in the dark, including about whether any of their personal information was compromised. "We're panicking," Bloom said. "We don't know what's going to happen to it."
Cyberattacks on universities always remind us that the institutions are high-value targets with somewhat limited ability to defend themselves because of limited funding for cybersecurity and legislation that hasn't kept pace with the level of threat—something he said adversaries know and take advantage of.”
To enhance supply chain cybersecurity, higher education institutions should adopt a multi-layered security approach. This includes encrypting sensitive data, regularly updating and patching systems, and conducting continuous monitoring for potential security threats.
Furthermore, institutions should foster a culture of cybersecurity awareness among faculty, staff, and students, emphasizing the importance of protecting sensitive information. Engaging in regular security audits and penetration testing can help identify and mitigate vulnerabilities within the supply chain, ensuring the integrity and security of academic operations.
Conclusion
In conclusion, the importance of robust supply chain cybersecurity cannot be overstated in today's interconnected world. As industries such as energy, healthcare, finance, manufacturing, and more increasingly rely on digital technologies, the risk of cyber threats grows exponentially. These threats can lead to severe consequences, including financial losses, operational disruptions, and compromised sensitive information.
The unique challenges faced by each sector underline the need for tailored cybersecurity strategies. For instance, the energy sector must protect critical infrastructure to maintain national security, while healthcare organizations must safeguard patient data against sophisticated cyber attacks. The financial industry requires rigorous security measures to protect valuable financial assets and customer information. Similarly, manufacturers must secure interconnected systems and intellectual property, and retailers must protect customer transactions and comply with stringent regulations.
Addressing these challenges necessitates a multi-faceted approach. Implementing advanced threat detection and response solutions, conducting regular security audits, and fostering collaboration with industry partners are critical steps. Additionally, educating employees and stakeholders about cybersecurity best practices and staying informed about evolving threats can significantly enhance the resilience of supply chains.
Ultimately, ensuring end-to-end protection of supply chains is vital for maintaining the integrity and functionality of various industries. By adopting comprehensive cybersecurity measures, organizations can mitigate risks, protect valuable assets, and ensure the continued delivery of essential goods and services in an increasingly digital world.
At Adaptive Office Solutions, cybersecurity is our specialty. We keep cybercrimes at bay by using analysis, forensics, and reverse engineering to prevent malware attempts and patch vulnerability issues. By investing in multilayered cybersecurity, you can leverage our expertise to boost your defenses, mitigate risks, and protect your data with next-gen IT security solutions.
Every device connecting to the internet poses a cyber security threat, including that innocent-looking smartwatch you’re wearing. Adaptive’s wide range of experience and tools fills the gaps in your business's IT infrastructure and dramatically increases the effectiveness of your cybersecurity posture.
To schedule a Cyber Security Risk Review, call the Adaptive Office Solutions’ hotline at 506-624-9480.