Original Link: https://venturebeat.com/2020/01/08/5-reasons-why-supply-chain-security-must-be-on-your-agenda/
How do you know that the critical parts inside your servers and devices are not poor quality, ready to fail at a crucial moment? Or, worse, hide malware with nefarious intentions like key-stroke logging, data theft, or sabotage?
Outside of leading-edge advances like Intel® Transparent Supply Chain, protecting globally linked sellers, buyers, and partners from these kinds of threats is difficult. Leaders like GE are embracing new risk management approaches that provide component-level traceability and authentication.
Yet many enterprises and vendors remain poorly prepared to prevent or detect growing supply chain cyber-risks. They cannot easily spot compromised parts or breaches that expose their organizations and partners to data loss and widespread disruption.
From not good to worse
Two years ago, Steve Durbin, Managing Director of the Information Security Forum (ISF), warned: “When I look for key areas where information security may be lacking, one place I always come back to is the supply chain.” A widely cited study found 16% of companies purchased counterfeit IT equipment.
Since then, things have gotten worse. A recent global survey of 1,300 companies found 90% were “unprepared” for supply chain cyber-attacks.
False alarm or wake-up call?
So it’s no surprise that widespread anxiety followed a sensational report in late 2018 claiming China had hidden tiny spy chips on servers shipped to major companies.
The allegations were quickly denied and eventually debunked. But the incident raised troubling questions: “A lot of people asked: ‘What if that could happen?’” says Charlie Stark, an Intel Supply Chain specialist and engineer.
It’s a critical concern, and not just for industry manufacturers and procurement pros. Supply chains are lifelines for tech sellers and buyers alike. Over the last few years, they’ve increasingly become a battlefield, under incessant attack by nations and criminals. A small but telling sign of how popular the tactic has become: presentations on hacking supply chains are now a fixture at Black Hat and DEF CON.
Whether you are a technology buyer, seller, manufacturer, investor, or security professional, here are five reasons why supply chain cybersecurity belongs on your radar and action list.
1. Supply chain hacks are growing
Experts say threats are both skyrocketing and under-reported. They now make up as much as 50% of all cyberattacks, according to industry estimates, up 78% year over year. As many as two-thirds of companies have experienced an incident. Average cost: $1.1 million. A 2018 study by the Ponemon Institute found 56% of organizations suffered a breach caused by one of their vendors. Federal watchdogs report widespread counterfeiting of ICs and other electronic parts in the DoD supply chain.
Several forces are feeding this troubling growth. Cloudification of supply chains, IoT, globalization, and shifts to vast, interlinked digital ecosystems are major factors. Geopolitics is another. Organized crime also is eager to exploit weak supply chain links. “Hack once-exploit many” is a lucrative business model, with low cost and high ROI, according to researcher Cybereason.
2. Everybody is seeking solutions
Predictably, public and private sector voices are raising alarms. Recent reports by Accenture and BSI, for example, identify supply chain cybersecurity as a top challenge. A leading public-private coalition recently called for rapid and rigorous cooperation on the issue. The most influential of these partnerships, the ICT Supply Chain Risk Management Task Force, includes more than 50 government bodies and businesses, led by the Department of Homeland Security.
The National Institute of Standards and Technology (NIST) issued new guidelines for supply chain risk management. So great is the concern that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has proclaimed a “National Supply Chain Integrity Month.” A major agency task force report issued in September outlined key threat scenarios, recommendations, and baselines.
3. Hack once, hurt many
Supply chain attacks are really two distinct kinds of threat. The first seeks to disrupt or cripple the supply chain itself. Think of nation-state assaults on key infrastructure or energy systems.
But others use supply chains as a channel to attack dozens, hundreds, or potentially thousands of connected partners. By finding and exploiting weak links, attackers can hop between linked entities, stealing data, and spying or destroying as they go. This is what makes the attacks so dangerous — and attractive for hackers.
4. Hardware is a new target
Kingslayer, CloudHopper, CCleaner, ShadowPad, ShadowHammer, Black Ghost Knifefish, Heriplor. All of these recent supply chain attacks used or targeted software. Now attackers have upped the ante. Thwarted by better software protection, they’re targeting hardware. Burrowing into the hardware stack, down to firmware, BIOS, and UEFI, is a serious threat in any environment: an implant at that level loads before the operating system, survives OS reinstalls and disk replacement, and sits beneath the reach of most endpoint security tools. In a supply chain, where a single tampered component can ship to thousands of customers, the threat is magnified many-fold.
5. Damage can be widespread
Harm from supply chain breaches is insidious. It sows doubt about product reliability and security. As the figure below shows, there’s a spectrum of potential harm in manufacturing, with supply chain attacks at the apex.
[Figure: spectrum of potential harm in manufacturing, with supply chain attacks at the apex. Source: Intel]
The U.S. Cybersecurity and Infrastructure Security Agency warns of supply risks at every stage: Design, development and production, distribution, acquisition and deployment, maintenance, and disposal.
Similarly, breaches cause a range of organizational harm, including damaged reputations, non-compliance, and lost business.
[Figure: organizational harm caused by supply chain breaches. Source: Deloitte]
Tech and electronics are favorite targets, as are defense, financial services, and energy, but no industry is immune. The 2019 Global Threat Report found more than half of cyberattacks now leverage what it calls “island hopping.” That means attackers aren’t targeting just one organization. “Attackers… don’t just want to rob you and those along your supply chain,” the authors warned. “[They] want to ‘own’ your entire system.”
Source: Global Threat Report
The importance of ecosystem protections
All these factors combine into a grim reality: Supply chain threats are bad — and likely to worsen.
There’s widespread agreement that organizations must be proactive in developing information-driven cyber-defense of their supply chains. But what’s the most effective approach? For many buyers and sellers, it’s participation in a certified ecosystem.
“Companies should consider defining reasonable levels of security and associated controls requiring sub-contractors, vendors, and critical supply chain partners to meet or exceed those standards as part of established business agreements,” advises Chadd Carr, director of PricewaterhouseCoopers (PwC) National Cyber Threat Research Center.
Accenture makes similar recommendations:
“Organizations should routinely seek full awareness of their threat profiles and points of supply chain vulnerability. [They should] try to improve processes that guard against the cybersecurity risks inherent in the landscape of modern global business operations by integrating cyberthreat intelligence into M&As and other strategically important actions, incorporating vendor and factory testing into their processes, and implementing industry-focused regulations and risk assessment standards.”
To understand the critical role played by ecosystem protections, and how they work, read Part 2.