
Supply Chain Cyber Security For Critical National Infrastructure

Issue 85

High-profile attacks on critical national infrastructure (CNI) have underscored the serious threat of sophisticated cyberattacks which can have a far-reaching, real-world impact on people's lives, disrupting critical services such as healthcare, emergency services and fuel supply.

In August alone, two CNI operators in the UK were hit by cyberattacks: one disrupted the NHS 111 service, and the other compromised critical systems that control chemical levels in water supply.

Over the past few years, supply chain cyber security has become a major risk for UK businesses with attacks increasing by 51% over the second half of 2021. However, only 13% of UK organisations are currently assessing the risk posed by their immediate suppliers.

For CNI, supply chain attacks are often used by sophisticated threat actors who bypass an organisation’s own cyber security controls by targeting the weakest link: a supplier with trusted access but weaker defences. This could be through:

Compromising a supplier’s email or website and then exploiting the trusted relationship by launching a targeted phishing campaign from the supplier’s own accounts or domain.

Inserting malware or vulnerabilities into a supplier’s software or firmware update, so that every downstream customer who installs the update is infected.

Inserting malicious code into an open-source component, which then propagates downstream to every product and organisation that depends on it.

After all, a business is only as secure as its least secure supplier.

The risk of a severe supply chain attack on CNI is further compounded by a relatively small pool of suppliers for specialist functions. A supplier servicing multiple CNI operators can quickly become a critical dependency for the entire sector, and therefore an attractive target for state-sponsored attackers.

It is not enough for an organisation simply to assess its supply chain’s cyber security. It should also establish the level of risk each supplier poses and adjust security controls accordingly, applying a risk-based supplier assurance process in which suppliers with greater access or criticality receive proportionately greater scrutiny. This information can also inform business continuity and incident response plans in the event of a supply chain attack.

Whether you are a CNI operator or supplier to CNI, you will need to be aware of your obligations, as well as have the capacity to identify and address the cyber threats facing your organisation and supply chain.
