Part 1: Rethinking Supply Chain Risk: The Problem with Modern Supply Chains

Executive Summary

• On July 19th 2022, Bitsight announced it had discovered critical vulnerabilities in a popular vehicle GPS tracker (MiCODUS MV720) potentially allowing hackers to remotely disable entire fleets of corporate supply vehicles, thereby inducing supply chain disruptions.
   
• The discovered vulnerabilities could present significant threats to an organization’s supply chain. Organizations relying on third parties using this device could experience business disruption, significant financial loss, and reputational damage if a hacker successfully disables a supply chain partner’s vehicles.
   
• Billions of Internet of things (IoT) devices worldwide present a new cybersecurity era, creating unorthodox supply chain threats that are difficult to identify and manage. Given the opacity of IoT security, Bitsight suspects many other IoT devices to be vulnerable to exploitation.
   
• Organizations must rethink supply chain risk, prioritizing the formation of a modern cyber supply chain risk management program. Those with existing programs should promptly reassess the program’s priorities to better align with today’s expanding attack surface.

The modern attack surface is expanding, presenting new challenges to the status quo of cyber supply chain risk management. Let’s analyze the evolving landscape, and highlight key shifts important to your organization.

Organizations must rethink supply chain risk

Third parties can present risk to your organization in a multitude of ways. Whether that risk originates from a third party’s poor patching cadence, botnet infections, or via other areas of concern, the cybersecurity performance of your supply chain partners can significantly impact your organization.

Recent events suggest supply chain risk may be more complicated than once thought. Bitsight recently discovered critical vulnerabilities in a popular vehicle GPS tracker (MiCODUS MV720) potentially allowing hackers to remotely disable entire fleets of corporate supply vehicles, among other things. This means organizations relying on a third party using the MV720 could see deliveries abruptly come to a halt, presenting threats of financial loss, reputational damage, and of course supply chain disruption.

The news was yet another indication that Internet of things (IoT) devices are rapidly disrupting the status quo of supply chain risk management. IoT devices are proliferating worldwide, predicted to reach 31 billion units by 2025, up from 14 billion in 2021. This rapid growth coupled with subpar security standards across the IoT spectrum means it is likely that many more devices have vulnerabilities yet to be discovered. In this climate, organizations could be unknowingly exposed to one or more critical supply chain risks.

The risks do not stop at IoT devices – enterprise software solutions continue to be found vulnerable. Bitsight found that nearly 200,000 organizations were potentially vulnerable to the recent Atlassian zero-day vulnerability. SaaS products offered by your supply chain partners will continue to be found vulnerable, threatening the confidentiality, integrity, and availability of your sensitive data.

Security leaders must rethink cyber supply chain risk, forming a strategy appropriately considering the modern attack surface.

Supply chains face unorthodox threats

Organizations are dependent on a variety of partners, both foreign and domestic – cloud service providers to keep data safe, airlines and trucking companies to keep deliveries coming, IT contractors to keep technology working, and much more.

Many factors are contributing to an increasingly unorthodox supply chain threat, threatening the stability and reliability of these critical supply chain partners. Supply chain risk is being complicated in several ways:

IoT devices are rapidly growing in number

• The proliferation of IoT devices has presented security challenges – where Windows and Mac have had years to improve enterprise updates, it’s all too common for IoT manufacturers to launch products with little to no focus on security. Due to low price points, typically short product life cycles, and low barriers to market entry, IoT devices often offer either limited security updates, or none at all. To make things worse, much of IoT device traffic is unencrypted, allowing bad actors to openly read information.
   
• Add to these problems billions of devices, lacking device visibility, and a diverse spectrum of possible vulnerabilities and IoT devices become a serious supply chain threat.

Organizations are widely deploying IoT devices for diverse purposes

• The scope of IoT device use has broadened. The aviation industry uses IoT technology to report back real-time information about in-flight engine performance; vehicle fleet managers deploy vehicle GPS trackers with fuel cut-off functionality to reduce the risk of theft, thereby lowering insurance premiums; and so on. When IoT devices assume such important roles within an organization, they become prime targets for attackers seeking to disrupt business as usual. A third party’s well-intentioned IoT deployment could have the opposite desired effect, presenting risk to your organization’s supply chain.

Technological interconnectedness is accelerating

• Interconnectedness of technology is accelerating. This means a seemingly benign device can present organization-wide damage. Bad actors can surreptitiously leverage a seemingly harmless device connected to a third party’s network to engage in more traditional attacks like data exfiltration. For example, attackers leveraged a smart fish tank to steal data from a casino. Attacks like these could render your third party inoperable for sustained periods of time, focusing on post-attack damage control over normal business operations.
   
• Organizations are increasingly storing sensitive data on the cloud – patents, legal documents, business secrets, personally identifiable information (PII), and more. These digital supply chain partners are responsible for keeping your data safe but as with any technology these efforts can fail. The software with which your partners provide your organization could be vulnerable, providing hackers with a way to directly attack your organization.

How can organizations protect themselves?

Managing your supply chain can be a daunting responsibility. Without a sound supply chain strategy, your supply chain partners could be using technologies putting your organization at risk. The universe of IoT devices remains in a sort of Wild West security environment – many devices are likely vulnerable, and only time will tell which ones and how they will impact organizations. Additionally, your digital supply chain could present ways for attackers to gain access to sensitive information and further attack your organization. Organizations must diligently assess the security performance of their entire third-party ecosystem, or risk facing a myriad of consequences.

Visit the next blog in this mini series, covering the modernization of your supply chain strategy.