Understanding Supply Chain Attacks in the Context of NIS2
A brief overview into NIS2 supply chain requirements.
Introduction
Supply chain attacks exploit weaknesses in an organisation's supply chain, such as third-party suppliers or software updates, to compromise the primary target, typically through its weakest link. They pose a significant cybersecurity threat because a single compromised link can affect many entities at once. To counter such attacks, the EU has introduced mandatory coordinated risk assessments under the NIS2 Directive for companies in selected industries. Supply chain attacks are increasingly common in today's threat landscape; notable instances include the attack on SolarWinds' Orion Platform and the Log4j vulnerability.
What Are Supply Chain Attacks?
Supply chain attacks can be categorized into different types:
- Software Supply Chain Attacks
- Hardware Supply Chain Attacks
- Service Providers
Each category exploits different aspects of the supply chain, making comprehensive risk management crucial.
Software Supply Chain
Software supply chain attacks involve injecting malicious code into software products or updates. This can occur by compromising the development environment, as seen in the SolarWinds Orion platform attack, or by inserting malicious code into a project, exemplified by the Log4j vulnerability. Once the compromised software is distributed, all users who install or update it become vulnerable. Attackers can also compromise the update mechanism to distribute malicious updates to users. With many software projects relying on third-party libraries and dependencies, often hidden from users, the threat becomes increasingly dangerous.
Hardware Supply Chain
Hardware supply chain attacks involve altering physical components during manufacturing or distribution. Generally, it's easier to modify hardware during distribution compared to alterations made in the factory. Attackers might insert malicious hardware or firmware into devices, which can be activated once the device is in use. For instance, a compromised network card could allow attackers to intercept and manipulate data passing through it. These attacks are challenging to detect because malicious components often look identical to legitimate ones. Depending on the attack, the security vulnerability might be unpatchable.
Service Providers
Service providers, including IT suppliers and managed service providers, can also be targeted as a route into a system. IT service providers often hold extensive administrative rights over their customers' infrastructure and software. Like SolarWinds, they serve diverse and attractive customer bases, all of which can be targeted simultaneously with minimal additional effort. Sometimes companies are affected by such attacks without being the intended target: in the Orion attack, the majority of SolarWinds Orion customers were vulnerable but were not exploited, as the attacker only proceeded to the next step with selected customers.
All types of supply chain attacks are difficult to detect but pose significant threats to organizations, especially those involving critical infrastructure. Gaining visibility into one's supply chain is a tedious and resource-consuming task. Comparing attack vectors, it's often more convenient for attackers to target software than hardware. While hardware supply chain attacks are rare, they do occur, such as the Operation Grim Beeper which led to the explosion of thousands of pagers in Lebanon in 2024. Attacks on managed service providers can sometimes be indistinguishable from software supply chain attacks and should be taken seriously by both the service provider and its customers.
NIS2 Requirements for Supply Chain Security
The NIS2 Directive underscores the importance of robust supply chain security in protecting critical infrastructure. A key component of the NIS2 requirements is a coordinated risk assessment to understand potential vulnerabilities and threats affecting cybersecurity.
Historically, companies may not have had visibility into their supply chains, hindering effective risk assessment. This was evident with Log4j, where many companies initially struggled to determine if they were using the compromised software, losing valuable time in mitigating the attack. The process of gaining visibility involves the Cooperation Group, comprising representatives from EU member states, the European Commission, and the European Union Agency for Cybersecurity (ENISA). Together, they identify and evaluate risks associated with critical ICT services, systems, and products within supply chains. The assessment considers both technical and non-technical factors, such as software vulnerabilities and geopolitical risks. The goal is to identify critical elements requiring attention and to develop strategies to mitigate these risks. The outcomes of these assessments help improve security practices, enhance supply chain transparency, and build resilience against cyber threats, ensuring a more secure digital environment across the EU.
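The visibility problem described above, of not knowing whether a compromised library sits somewhere in one's own dependency tree, is what a software bill of materials (SBOM) is meant to solve. As an added illustration that is not part of the original article, the Python below walks a constructed, CycloneDX-shaped SBOM from the root application through its transitive dependencies and matches every reachable component against a constructed advisory list, reporting the dependency path that pulled the affected version in. All names, versions, references and advisory values in it are placeholders, not real project or vulnerability data.

```python
"""Transitive-dependency inventory check against an advisory list (added example)."""
from collections import deque

# Constructed sample SBOM, shaped after the CycloneDX JSON layout (a flat
# "components" list plus a "dependencies" graph keyed by bom-ref). The refs,
# names and versions are placeholders, not a real project's inventory.
SAMPLE_SBOM = {
    "metadata": {"component": {"bom-ref": "pkg:app@1.0.0", "name": "app", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "pkg:web-framework@3.2.0", "name": "web-framework", "version": "3.2.0"},
        {"bom-ref": "pkg:logging-lib@2.14.1", "name": "logging-lib", "version": "2.14.1"},
        {"bom-ref": "pkg:json-lib@1.8.0", "name": "json-lib", "version": "1.8.0"},
        {"bom-ref": "pkg:logging-lib@2.17.0", "name": "logging-lib", "version": "2.17.0"},
    ],
    "dependencies": [
        {"ref": "pkg:app@1.0.0", "dependsOn": ["pkg:web-framework@3.2.0", "pkg:json-lib@1.8.0"]},
        {"ref": "pkg:web-framework@3.2.0", "dependsOn": ["pkg:logging-lib@2.14.1"]},
        {"ref": "pkg:json-lib@1.8.0", "dependsOn": ["pkg:logging-lib@2.17.0"]},
        {"ref": "pkg:logging-lib@2.14.1", "dependsOn": []},
        {"ref": "pkg:logging-lib@2.17.0", "dependsOn": []},
    ],
}

# Constructed advisory list (placeholder id and range, not a real CVE record).
# A component is affected when introduced <= version < fixed.
SAMPLE_ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-001", "name": "logging-lib",
     "introduced": "2.0.0", "fixed": "2.15.0"},
]


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1). Only the leading digits of each dotted
    piece count, so pre-release suffixes such as '-beta9' are dropped; this is
    a deliberate simplification, not full semantic-version ordering."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version, advisory):
    """True when the version falls inside the advisory's half-open range."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def reachable_components(sbom):
    """Breadth-first walk from the root component over the dependency graph.
    Returns {bom-ref: path-of-refs-from-root}; the first (shortest) path to a
    component is kept and already-seen refs are skipped, so cycles terminate."""
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        ref = queue.popleft()
        for child in edges.get(ref, []):
            if child not in paths:
                paths[child] = paths[ref] + [child]
                queue.append(child)
    return paths


def find_affected(sbom, advisories):
    """Match every reachable component against the advisory list and report
    the dependency chain that introduced each affected version."""
    by_ref = {c["bom-ref"]: c for c in sbom["components"]}
    findings = []
    for ref, path in reachable_components(sbom).items():
        comp = by_ref.get(ref)
        if comp is None:
            continue  # the root itself, or a ref with no component entry
        for adv in advisories:
            if comp["name"] == adv["name"] and is_affected(comp["version"], adv):
                findings.append({"advisory": adv["id"], "name": comp["name"],
                                 "version": comp["version"], "path": " -> ".join(path)})
    return findings


if __name__ == "__main__":
    for f in find_affected(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{f['advisory']}: {f['name']} {f['version']} via {f['path']}")
```

Run against the constructed SBOM, the check reports the 2.14.1 copy of logging-lib pulled in through web-framework and stays silent about the 2.17.0 copy that json-lib brings, which is the distinction a flat package list cannot make: the graph walk says not just that an affected version is present but which direct dependency has to be updated or replaced to remove it.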
Conclusion
Supply chain attacks present a significant cybersecurity threat by exploiting vulnerabilities within an organisation's supply chain, such as third-party suppliers or software updates. These attacks can target the weakest link and affect multiple entities through a single compromised link. The EU's NIS2 Directive addresses this threat by mandating coordinated risk assessments for companies in selected industries. These assessments help identify and evaluate risks associated with critical ICT services, systems, and products, considering both technical and non-technical factors. By fostering cooperation between EU Member States, the European Commission, and ENISA, the NIS2 Directive aims to improve security practices, increase supply chain transparency, and build resilience to cyber threats. This comprehensive approach ensures a more secure digital environment across the EU, protecting critical infrastructure and reducing the impact of supply chain attacks.