Cybersecurity Investments in the EU: Is the Money Enough to Meet the New Cybersecurity Standards?

The European Union Agency for Cybersecurity publishes the latest report on Network and Information Security Investments in the EU providing an insight on how the NIS Directive has impacted the cybersecurity budget of operators over the past year with deep-dives into the Energy and Health sectors.

The report analyses data collected from Operators of Essential Services (OES) and from Digital Service Providers (DSP) identified in the European Union's Directive on Network and Information Security Systems (NIS Directive). The analysis seeks to understand whether those operators have invested their budgets differently over the past year in order to meet the new requirements set by the legislative text.

EU Agency for Cybersecurity, Executive Director, Juhan Lepassaar, declared: “The resilience of our EU critical infrastructures and technologies will highly depend on our ability to make strategic investments. I am confident that we have the competence and skills driving us to achieve our goal, which is to ensure we will have the adequate resources at hand to further develop our cybersecurity capacities across all economic sectors of the EU."

Contextual parameters framing the analysis

The report includes an analysis reaching more than 1000 operators across the 27 EU Member States. Related results show that the proportion of Information Technology (IT) budget dedicated to Information Security (IS) appears to be lower, compared to last year's findings, dropping from 7.7% to 6.7%.

These numbers should be conceived as a general overview of information security spending across a varied typology of strategic sectors. Accordingly, specific macroeconomic contingencies such as COVID19 may have influenced the average results.

What are the key findings?

  • The NIS Directive, other regulatory obligations and the threat landscape are the main factors impacting information security budgets;
  • Large operators invest EUR 120 000 on Cyber Threat Intelligence (CTI) compared to EUR 5 500 for SMEs, while operators with fully internal or insourced SOCs spend around EUR 350 000 on CTI, which is 72% more than the spending of operators with a hybrid SOC;
  • The health and banking sectors bear the heaviest cost among the critical sectors in case of major cybersecurity incidents with the median direct cost of an incident in these sectors amounting to EUR 300 000;
  • 37% of Operators of Essential Services and Digital Service Providers do not operate a SOC; 
  • For 69% the majority of their information security incidents are caused by vulnerabilities in software or hardware products with the health sector declaring the higher number of such incidents;
  • Cyber insurance has dropped to 13% in 2021 reaching a low 30% compared to 2020;
  • Only 5% of SMEs subscribe to cyber insurance;
  • 86% have implemented third-party risks management policies.

Key findings of Health and Energy sectors

  • Health

From a global perspective, investments in ICT for the health sector seem to be greatly impacted by COVID-19 with many hospitals looking for technologies to expand healthcare services to be delivered beyond the geographical boundaries of hospitals. Still, cybersecurity controls remain a top priority for spending with 55% of health operators seeking increased funding for cybersecurity tools.

64% of health operators already resort to connected medical devices and 62% already deployed a security solution specifically for medical devices. Only 27% of surveyed OES in the sector have a dedicated ransomware defence programme and 40% of them have no security awareness programme for non-IT staff.

  • Energy

Oil and gas operators seem to prioritise cybersecurity with investments increasing at a rate of 74%.  Energy sector shows a trend in investments shifting from legacy infrastructure and data centres to cloud services.

However, 32% of operators in this sector do not have a single critical Operation Technology (OT) process monitored by a SOC. OT and IT are covered by a single SOC for 52% of OES in the energy sector.

Volatile Geopolitics Shake the Trends of the 2022 Cybersecurity Threat Landscape

With the geopolitical context giving rise to cyberwarfare and hacktivism, alarming cyber operations and malignant cyberattacks have altered the trends of the 10th edition of the Threat Landscape report released by the European Union Agency for Cybersecurity (ENISA).

The ENISA Threat Landscape 2022 (ETL) report is the annual report of the EU Agency for Cybersecurity on the state of the cybersecurity threat landscape. The 10th edition covers a period of reporting starting from July 2021 up to July 2022.

With more than 10 terabytes of data stolen monthly, ransomware still fares as one of the prime threats in the new report with phishing now identified as the most common initial vector of such attacks. The other threats to rank highest along ransomware are attacks against availability also called Distributed Denial of Service (DDoS) attacks.

However, the geopolitical situations particularly the Russian invasion of Ukraine have acted as a game changer over the reporting period for the global cyber domain. While we still observe an increase of the number of threats, we also see a wider range of vectors emerge such as zero-day exploits and AI-enabled disinformation and deepfakes. As a result, more malicious and widespread attacks emerge having more damaging impact.

EU Agency for Cybersecurity Executive Director, Juhan Lepassaar stated that “Today's global context is inevitably driving major changes in the cybersecurity threat landscape. The new paradigm is shaped by the growing range of threat actors. We enter a phase which will need appropriate mitigation strategies to protect all our critical sectors, our industry partners and therefore all EU citizens."

Prominent threat actors remain the same

State sponsored, cybercrime, hacker-for-hire actors and hacktivists remain the prominent threat actors during the reporting period of July 2021 to July 2022.

Based on the analysis of the proximity of cyber threats in relation to the European Union (EU), the number of incidents remains high over the reporting period in the NEAR category. This category includes affected networks, systems, controlled and assured within EU borders. It also covers the affected population within the borders of the EU.

Threat analysis across sectors

Added last year, the threat distribution across sectors is an important aspect of the report as it gives context to the threats identified. This analysis shows that no sector is spared. It also reveals nearly 50% of threats target the following categories; public administration and governments (24%), digital service providers (13%) and the general public (12%) while the other half is shared by all other sectors of the economy.

Top threats still standing their grounds

ENISA sorted threats into 8 groups. Frequency and impact determine how prominent all of these threats still are.

Ransomware:
- 60% of affected organisations may have paid ransom demands
Malware:
- 66 disclosures of zero-day vulnerabilities observed in 2021
Social engineering:
- Phishing remains a popular technique but we see new forms of phishing arising such as spear-phishing, whaling, smishing and vishing
Threats against data:
- Increasing in proportionally to the total of data produced
Threats against availability:
- Largest Denial of Service (DDoS) attack ever was launched in Europe in July 2022;
- Internet: destruction of infrastructure, outages and rerouting of internet traffic.
Disinformation – misinformation:
- Escalating AI-enabled disinformation, deepfakes and disinformation-as-a-service
Supply chain targeting:
- Third-party incidents account for 17% of the intrusions in 2021 compared to less than 1% in 2020

Contextual trends emerging

- Zero-day exploits are the new resource used by cunning threat actors to achieve their goals;
- A new wave of hacktivism has been observed since the Russia-Ukraine war.
- DDoS attacks are getting larger and more complex moving towards mobile networks and Internet of Things (IoT) which are now being used in cyberwarfare.
- AI-enabled disinformation and deepfakes. The proliferation of bots modelling personas can easily disrupt the “notice-and-comment” rulemaking process, as well as the community interaction, by flooding government agencies with fake contents and comments.

Shifting motivation and digital impact are driving new trends

An impact assessment of threats reveals 5 types of impact; damages of reputational, digital, economical, physical or social nature. Although for most incidents the impact really remains unknown because victims fail to disclose information or the information remains incomplete.

Prime threats were analysed in terms of motivation. The study reveals that ransomware is purely motivated by financial gains. However, motivation for state sponsored groups can be drawn from geopolitics with threats such as espionage and disruptions. Ideology may also be the motor behind cyber operations by hacktivists.

How to map the Cybersecurity Threat Landscape? Follow the ENISA 6-step Methodology

The cybersecurity threat landscape methodology developed by the European Union Agency for Cybersecurity (ENISA) aims at promoting consistent and transparent threat intelligence sharing across the European Union.

With a cyber threat landscape in constant evolution, the need for updated and accurate information on the current situation is growing and this a key element for assessing relevant risks.

This is why ENISA releases today an open and transparent framework to support the development of threat landscapes.

The ENISA methodology aims to provide a baseline for the transparent and systematic delivery of horizontal, thematic and sectorial cybersecurity threat landscapes (CTL) thanks to a systematic and transparent process for data collection and analysis.

Who can benefit from this new methodology?

This new methodology is made available to ENISA’s stakeholders and to other interested parties who wish to generate their own cyber threat landscapes. Adopting and/or adapting the proposed new CTL framework will enhance their ability to build situational awareness, to monitor and to tackle existing and potential threats.

ENISA will also be using this new methodology to deliver an enhanced annual ENISA Threat Landscape (ETL). It will also be used to generate technical or sectorial threat landscapes.

How does the methodology work?

The framework is based on the different elements considered in the performance of the cybersecurity threat landscape analysis. It therefore includes the identification and definition of the process, methods and tools used as well as the stakeholders involved.

Building on the existing modus operandi, this methodology provides directions on the following:

- defining components and contents of each of the different types of CTL;
- assessing the target audience for each type of CTL to be performed;
- how data sources are collected;
- how data is analysed;
- how data is to be disseminated;
- how feedback is to be collected and analysed.

The ENISA methodology consists of six main steps with feedback foreseen and associated to each of these steps:

1. Direction;
2. Collection;
3. Processing;
4. Analysis and production;
5. Dissemination;
6. Feedback

This CTL methodology has been validated by the ENISA ad-hoc working group on the Cybersecurity Threat Landscape (CTL WG). The group consists of European and international experts from both public and private sector entities.

Tackling Security Challenges in 5G Networks

The EU Agency for Cybersecurity (ENISA) proposes good practices for the secure deployment of Network Function Virtualisation (NFV) in 5G networks.

Network Function Virtualisation is a new technology in 5G networks, which offers benefits for telecom operators in terms of flexibility, scalability, costs, and network management. However, this technology also introduces new security challenges.

The report released today supports national authorities with the implementation of the 5G toolbox, and in particular the recommendation for EU Member States to ensure that Mobile Network Operators follow security good practices for NFV. It explores the relevant challenges, vulnerabilities and attacks pertaining to NFV within the 5G network. It analyses the relevant security controls and recommends best practices to address these challenges and solutions, taking into account the particularities of this highly complex, heterogeneous and volatile environment.

How does it work?

Traditionally, mobile network functions have been implemented using dedicated hardware and networking equipment, built especially for telecom operators and their networks. Network Function Virtualisation is a new technology used in 5G networks to implement networking functions using software, therefore running virtually on top of standard server hardware or standard cloud platforms.

Applying network function virtualisation will therefore reduce the number of operations and maintenance costs.

60 security challenges were identified in the report and classified under 7 categories:

- Virtualisation or containerisation;
- Orchestration and management;
- Administration and access control;
- New and legacy technologies;
- Adoption of open source or COTS;
- Supply chain;
- Lawful interception (LI).

How do we address the security challenges

The report explores vulnerabilities, attack scenarios and their impact on the 5G NFV assets. The work includes a total of 55 best practices classified under Technical, Policy and Organisational categories.

Some of the key findings the report include:

- Resource virtualisation:
The virtualisation layer provides unified computing resources based on generalised hardware to the layers above and is the basis of all cloud-native and virtualised network functions and service software. If the virtualisation layer is breached, all network functions come under direct attack with disastrous consequences.

- Resource sharing:
A single physical server may run several different tenants' virtual resources (e.g. virtual machines (VMs) or containers), and a single tenant's virtual resource might be distributed across several physical servers. Multi-tenancy resource sharing and the breaking of physical boundaries introduce the risks of data leaks, data residue and attacks.

- Use of open source:
There will be increasing use of open-source software. This introduces a new set of security challenges in terms of keeping a consistent and coherent approach to security-by-design and prevention of deliberate security flaws.

- Multi-vendor environment:
In such environment, it remains difficult to coordinate security policies and determine responsibility for security problems and more effective network security monitoring capabilities are required.

NFV is an important technology in 5G and its security is critical for the overall security of the 5G networks, especially because 5G networks are underpinning critical infrastructures.

Building cyber secure Railway Infrastructure

The European Union Agency for Cybersecurity (ENISA) delivers a joint report with the European Rail Information Sharing and Analysis Center (ISAC) to support the sectorial implementation of the NIS Directive.

The report released is designed to give guidance on building cybersecurity zones and conduits for a railway system.

The approach taken is based on the recently published CENELEC Technical Specification 50701 and is complemented with a guidance to help railway operators with the practical implementation of the zoning process.

The work gathers the experience of the European Rail ISAC and of their members such as European infrastructure managers and railway undertakings, which are Operators of Essential Services (OES) as defined in the Security of Network and Information Systems (NIS) directive and is designed to help them implement the cybersecurity measures needed in the zoning and conduits processes.

A number of requirements are set, such as:

- Identification of all assets and of basic process demands;
- Identification of global corporate risks;
- Performing zoning;
- Checking threats.

A risk assessment process is developed based on standards for the identification of assets and the system considered, and for the partitioning of zones and conduits. The report also addresses the cybersecurity requirements in terms of documentation and suggests a step-by-step approach to follow.

The report is released on the occasion of the General Assembly meeting of the European Rail ISAC which is taking place today.

The EU Agency for Cybersecurity engages closely with the European Rail Agency (ERA) to support the railway sector and is to host a joint event with ERA later this year.

Recommendations for the Implementation of an EU Strategy on Technology Infrastructures

As technology infrastructures (TIs) are critical enablers for the European research, development and innovation ecosystems, the European Commission’s Joint Research Centre (JRC) and the European Association of Research and Technology Organisations (EARTO) recommend a pan-European, agile and sustainable environment for their development, accessibility and governance, within the framework of a dedicated EU strategy.

The key role of TIs in RD&I Ecosystems

TIs are (physical or virtual) facilities and equipment, such as demonstrators, testbeds, piloting facilities and living labs, capable of building bridges between science and the market.

They are mostly created, managed, maintained and upgraded by not-for-profit Research Performing Organisations (mainly Research and Technology Organisations – RTOs, and Technical Universities – TUs), which require dedicated and significant resources and competences.

TIs are open to a wide range of public and private users, large and small, collaborating with TI managers to jointly develop and integrate innovative technologies into new products, processes, and services.

Examples  of  technology  infrastructures  include  facilities  to  develop  electrolyser stacks,  biogas  plants,  clean-room  facilities  for  chip  production,  test  areas  for automated shipping or road traffic safety solutions, wind tunnels, testbeds for multi-functional nano-composites, multi-material 3D printing, thermo-plastics and industrial robotics.

Technology Infrastructures are major building blocks for Europe to deliver on its ambitions of making successful transitions to a sustainable, digital and resilient industry and society.

Industry’s innovation capacity, productivity and international competitiveness heavily depend on possibilities to develop, test, validate and upscale new technological solutions at an ever-faster pace.

Towards an EU strategy for technology infrastructures

A European Commission Staff Working Document on TIs published in 2019 recommended the development of an EU Strategy for Technology Infrastructures building on the experience and the framework of the European Strategy for Research Infrastructures (ESFRI) with its own specificities.

In this context, the JRC and EARTO launched a joint project on TIs to gather evidence and highlight the common specificities of TIs across Europe, assess the challenges they face over their whole lifecycle, and identify how their capacity could be further leveraged.

The JRC and EARTO have just published an analysis of the main strategic elements that would ensure an effective and sustainable management of an integrated landscape for TIs at the European level:

  • Combining and completing the existing repositories and mappings of TIs at EU level, covering both TIs’ locations and the services and facilities they offer, could be used to enable a better understanding of the TIs’ landscape by policymakers and users, foster accessibility to TIs, and create connections between complementary TIs.
  • Roadmapping of future needs for capital expenditure (CAPEX) investments in TIs should be organised with a sectorial value-chain and bottom-up approach, with the involvement of TIs’ stakeholders, by identifying the future needs for TIs in existing roadmaps linked to current EU instruments and actions (e.g. European Partnerships, European Research Area (ERA) Industrial Technology Roadmaps).
  • Setting up a mechanism to draw from sectorial roadmaps and prioritise investments in TIs at European level and/or to coordinate and synchronise national/regional TIs’ roadmaps in strategic sectors would be valuable to maximise the use of public funds.
  • Creating an agile Advisory Board will be necessary to operationalise the prioritisation of investments and the coordination of national/regional TIs’ roadmaps. The board should be composed of Member States experts responsible for TIs within national ministries, as well as relevant stakeholders including RTOs, technical universities, and industry (large and small).
  • TIs need to be developed and upgraded at the same fast pace as the technologies and the products that are developed and tested. A strengthened and clearer pathway of grant-based public support for CAPEX investments for the creation and upgrade of TIs, as well as creating synergies for more structural support at European, national, and regional levels would be essential, as the current funding landscape is very scattered. The support for the creation of new TIs should be designed in complementarity with the support for the upgrade of existing ones, taking a balanced approach between the two.
  • Pan-European accessibility to TIs should be facilitated by fostering the use of TIs in competitively funded projects at EU level, defining harmonised principles for access to TIs, and adopting a one-stop-shop approach in specific value-chains.
  • Creating thematic networks of TIs with a value-chain approach would enable to better integrate and structure the European landscape for TIs, foster capacity building across regions, and spread excellence and expertise to overcome the European innovation divide. Dedicated support and funding for network orchestration activities is needed to explore the full potential of TIs’ networks.

Artificial Intelligence: How to make Machine Learning Cyber Secure

Machine learning (ML) is currently the most developed and the most promising subfield of artificial intelligence for industrial and government infrastructures. By providing new opportunities to solve decision-making problems intelligently and automatically, artificial intelligence (AI) is applied in almost all sectors of our economy.

While the benefits of AI are significant and undeniable, the development of AI also induces new threats and challenges, identified in the ENISA AI Threat Landscape.

How to prevent machine learning cyberattacks? How to deploy controls without hampering performance? The European Union Agency for Cybersecurity answers the cybersecurity questions of machine learning in a new report recently published.

Machine learning algorithms are used to give machines the ability to learn from data in order to solve tasks without being explicitly programmed to do so. However, such algorithms need extremely large volumes of data to learn. And because they do, they can also be subjected to specific cyber threats.

The Securing Machine Learning Algorithms report presents a taxonomy of ML techniques and core functionalities. The report also includes a mapping of the threats targeting ML techniques and the vulnerabilities of ML algorithms. It provides a list of relevant security controls recommended to enhance cybersecurity in systems relying on ML techniques. One of the challenges highlighted is how to select the security controls to apply without jeopardising the expected level of performance.

The mitigation controls for ML specific attacks outlined in the report should in general be deployed during the entire lifecycle of systems and applications making use of ML.

Machine Learning Algorithms Taxonomy

Based on desk research and interviews with the experts of the ENISA AI ad-hoc working group, a total of 40 most commonly used ML algorithms were identified. The taxonomy developed is based on the analysis of such algorithms.

The non-exhaustive taxonomy devised is to support the process of identifying which specific threats target ML algorithms, what are the associated vulnerabilities and the security controls needed to address those vulnerabilities.

The EU Agency for Cybersecurity continues to play a bigger role in the assessment of Artificial Intelligence (AI) by providing key input for future policies. The Agency takes part in the open dialogue with the European Commission and EU institutions on AI cybersecurity and regulatory initiatives to this end.

Risk Management: Helping the EU Railways Catch the Cybersecurity Train

European railway undertakings (RUs) and infrastructure managers (IMs) need to address cyber risks in a systematic way as part of their risk management processes. This need has become even more urgent since the Network and Information Security (NIS) Directive came into force in 2016.

Objectives of the Railway Cybersecurity report

The purpose of the report is to provide European RUs and IMs with applicable methods and practical examples on how to assess and mitigate cyber risks.

The good practices presented are based on feedback from railway stakeholders. They include tools, such as assets and services list, cyber threat scenarios and applicable cybersecurity measures, based on the standards and good practices used in the sector. These resources can be used as a basis for cyber risk management for railway companies. They are therefore intended to be a reference point and to promote collaboration between railway stakeholders across the EU while raising awareness on relevant threats.

The main takeaways

  • Existing risk management approaches vary for railway IT and OT systems

For the risk management of railway Information Technology (IT) systems, the most cited approaches were the requirements of NIS Directive at a national level, the ISO 2700x family of standards, and the NIST cybersecurity framework.

For Operational Technology (OT) systems, the frameworks cited were ISA/IEC 62443, CLC/TS 50701, and the recommendations of the Shift2Rail project X2Rail-3, or the ones from the CYRail Project.

Those standards or approaches are often used in a complementary way to adequately address both IT and OT systems. While IT systems are normally evaluated with broader and more generic methods (such as ISO 2700x or NIS Directive), OT systems need specific methods and frameworks that have been designed for industrial train systems.

There is no unified approach available to railway cyber risk management yet. Stakeholders who participated in this study indicated that they use a combination of the abovementioned international and European approaches to tackle risk management, which they then complement with national frameworks and methodologies.

  • Asset taxonomies

For RUs and IMs to manage cyber risks, identifying what needs protection is essential. In this report, a comprehensive list is broken down to 5 areas; the services that stakeholders provide, the devices (technological systems) that support these services, the physical equipment used to provide these services, the people that maintain or use them, and the data used.

  • Threats taxonomies and risk scenarios

RUs and IMs need to identify which cyber threats are applicable to their assets and services. The report reviews available threat taxonomies, and provides a list of threats that can be used as the basis.

Examples of cyber risk scenarios are also analysed, which can assist railway stakeholders when performing a risk analysis. They show how asset and threat taxonomies can be used together and are based on the known incidents of the sector and the feedback received during the workshops.

  • Applying cybersecurity measures

Each scenario is associated with a list of relevant security measures. The report includes cybersecurity measures derived from the NIS Directive, current standards (ISO/IEC 27002, IEC 62443) and good practises (NIST’s cybersecurity framework).

Risky business or a leap of faith? A risk based approach to optimise cybersecurity certification

The European Union Agency for Cybersecurity (ENISA) has launched a cybersecurity assessment methodology for cybersecurity certification of sectoral multistakeholder ICT systems.

The Methodology for a Sectoral Cybersecurity Assessment - (SCSA Methodology) was developed to enable the preparation of EU cybersecurity certification schemes for sectoral ICT infrastructures and ecosystems. SCSA aims at market acceptance of cybersecurity certification deployments and supports the requirements of market stakeholders and the EU Cybersecurity Act (CSA). In particular, SCSA endorses the identification of security and certification requirements based on risks associated with the “intended use” of the specific ICT products, services and processes.

The SCSA Methodology makes available to the ENISA stakeholders a comprehensive ICT security assessment instrument that includes all aspects pertinent to sectoral ICT systems and provides thorough content for the implementation of ICT security and cybersecurity certification.

While SCSA draws from widely accepted standards, in particular ISO/IEC 27000-series and ISO/IEC 15408-series, the proposed enhancements tackle multi-stakeholder systems and the specific security and assurance level requirements concerning ICT products, processes and cybersecurity certification schemes.

This is achieved by introducing the following features and capabilities:

- Business processes, roles of sectoral stakeholders and business objectives are documented at ecosystem level, overarching the ICT subsystems of the individual stakeholders. Stakeholders are invited to actively contribute to the identification and rating of ICT security risks that could affect their business objectives.
- A dedicated method associates the stakeholders’ ratings of risks with the security and assurance level requirements to dedicated ICT subsystems, components or processes of the sectoral ICT system.
- SCSA specifies a consistent approach to implement security and assurance levels across all parts of the sectoral ICT system and provides all information required by the sectoral cybersecurity certification schemes.

Benefits of the SCSA Methodology for stakeholders

The sectoral cybersecurity security assessment provides a comprehensive approach of the multi-faceted aspects presented by complex multi-stakeholder ICT systems and it features the following benefits:

- The security of a sectoral system requires synchronisation across all participating stakeholders. SCSA introduces comparability of security and assurance levels between different stakeholders’ systems and system components. SCSA enables building open multi-stakeholder ecosystems even among competitors to the benefit of suppliers and customers.
- The risk-based approach supports transparency and a sound balance between the cost for security and certification and the benefit of mitigating ICT-security-related business risks for each concerned stakeholder.
- Security measures can focus on the critical components, optimising the security architecture of the sectoral system, hence minimising cost of security.
- SCSA generates accurate and consistent information on security and certification level requirements for all relevant ICT subsystems, components or processes. On this basis, suppliers can match their products to their customers’ requirements.
- SCSA supports the integration of existing risk management tools and information security management systems (ISMS).
- Due to a consistent definition of assurance levels, the re-use of certificates from other cybersecurity certification schemes is supported.

Understanding the increase in Supply Chain Security Attacks

The European Union Agency for Cybersecurity mapping on emerging supply chain attacks finds 66% of attacks focus on the supplier’s code.
Supply chain attacks have been a concern for cybersecurity experts for many years because the chain reaction triggered by one attack on a single supplier can compromise a network of providers. Malware is the attack technique that attackers resort to in 62% of attacks.
According to the new ENISA report - Threat Landscape for Supply Chain Attacks, which analysed 24 recent attacks, strong security protection is no longer enough for organisations when attackers have already shifted their attention to suppliers.
This is evidenced by the increasing impact of these attacks such as downtime of systems, monetary loss and reputational damage.
Supply chain attacks are now expected to multiply by 4 in 2021 compared to last year. Such new trend stresses the need for policymakers and the cybersecurity community to act now. This is why novel protective measures to prevent and respond to potential supply chain attacks in the future while mitigating their impact need to be introduced urgently.
Why is a good level of cybersecurity not good enough?
Composed of an attack on one or more suppliers with a later attack on the final target, namely the customer, supply chain attacks may take months to succeed. In many instances, such an attack may even go undetected for a long time. Similarly to Advanced Persistence Threat (APT) attacks, supply chain attacks are usually targeted, quite complex and costly with attackers probably planning them well in advance. All such aspects reveal the degree of sophistication of the adversaries and the persistence in seeking to succeed.
The report reveals that an organisation could be vulnerable to a supply chain attack even when its own defences are quite good. The attackers explore new potential highways to infiltrate organisations by targeting their suppliers. Moreover, with the almost limitless potential of the impact of supply chain attacks on numerous customers, these types of attacks are becoming increasingly common.
In order to compromise the targeted customers, attackers focused on the suppliers’ code in about 66% of the reported incidents. This shows that organisations should focus their efforts on validating third-party code and software before using them to ensure these were not tampered with or manipulated.
For about 58% of the supply chain incidents analysed, the customer assets targeted were predominantly customer data, including Personally Identifiable Information (PII) data and intellectual property.
For 66% of the supply chain attacks analysed, suppliers did not know, or failed to report on how they were compromised. However, less than 9% of the customers compromised through supply chain attacks did not know how the attacks occurred. This highlights the gap in terms of maturity in cybersecurity incident reporting between suppliers and end-users.
1 2 3