ENISA Report: Good Practices for Supply Chain Cybersecurity

In an era marked by rapidly evolving digital technology, the interconnectedness of systems and networks can create unprecedented opportunities, but it also unveils significant cybersecurity challenges. These vulnerabilities are particularly prevalent in the realm of the Internet of Things (IoT), where the supply chain has become a focal point for potential attacks.

The European Union Agency for Cybersecurity (ENISA) recently published a report “Good Practices for Supply Chain Cybersecurity” offering insights into the current landscape of supply chain cybersecurity and the imminent risks.

The ENISA report presents an array of statistics, findings, and predictions that underscore the magnitude of supply chain cybersecurity threats. According to the report, between 39% and 62% of organizations had been impacted by a third-party cyber incident, showcasing the extensive reach of such threats. Supply chain compromises escalated from less than 1% in 2020 to a startling 17% of intrusions in 2021, landing it a spot as the second most common initial infection vector.

In an unsettling revelation, the report discloses that in 66% of analyzed supply chain attacks, suppliers either did not know how they were compromised, or they lacked transparency about it. This substantial gap underscores the need for more robust cybersecurity incident reporting protocols among suppliers. Compounding the problem is the fact that about 62% of attacks on customers exploited their trust in their suppliers, often through the deployment of malware.

Supply chain attacks not only target companies but also popular open-source repositories like NPM, Python, and RubyGems. These platforms, due to their widespread use and open nature, are susceptible to malicious activities, including malware injection, which often goes unnoticed for an extended period.

The ENISA report further points to an increasing interest of threat groups in supply chain attacks and attacks against managed service providers (MSPs), anticipating a surge of resources invested in vulnerability research in these supply chains. This increasing focus implies a rise in direct attacks on security researchers and a high chance of common open-source repositories being cloned or infected with malware.

These findings emphasize the need for comprehensive, proactive measures to protect the IoT supply chain. Almost 40% of surveyed CEOs reported adverse impacts due to a cybersecurity incident related to their third-party vendors or supply chain. More than half (58%) expressed concern that their partners and suppliers are less resilient than their own organization, predicting that this will substantially influence their approach to cybersecurity in the future.

Share this