Supply Chain Cyber Attacks – from Governments to Rubber Ducks

Cyber-attacks on supply chains were considered a strategic weapon to be used against enemy nations to harm critical infrastructure. This type of weapon required advanced technical skills to develop—and massive logistical and tactical capabilities to deploy.

In early 2000, very few countries (the USA, China and Israel) were thought to have the technical capability to execute such attacks.

Stuxnet

The cyber-attack on Iran’s nuclear enrichment plant in Natanz is considered one of the first supply chain cyber-attacks known to the public.

Many assume the USA or Israel (and some say, both) installed a computer virus into the Siemens SCADA controllers before the controllers arrived at their target location in Iran. After installation, the controllers falsely reported normal readout values while burning the nuclear enrichment centrifuges. The Stuxnet attack was successful: it delayed Iran’s entire nuclear program by more than 3 years. Strategic advisers across the globe agree that the Stuxnet cyber-attack caused more damage than a conventional attack could have caused.

Government Technology

Stuxnet and similar attacks could have been developed and deployed by the NSA, Israel’s 8200 and the cyber army of China. Such attacks required teams of expert engineers, computer hackers and logistics experts to find the black hole along the supply chain, as well as millions of dollars and months of planning. The technology was soon published and discussed at conferences. Once it became public, hackers were able to reverse-engineer and propagate the technology.

New Attack Vector

Most organizations are protected against common and trivial cyber-attacks. All have installed firewalls, anti-spam, anti-malware, anti-virus, endpoint security and more. Every month, new and better technologies to protect against cyber-attacks are introduced to the market. There are effective solutions to protect against attacks from the Internet or data files. Protecting one door, many claim, sends criminals to another. Rather than breaking through a secured door, they look for the one that was left open. Since networks and IT are relatively secure, attackers view the supply chain as the open door: they may reach their target through the supply chain, which is hardly secured against such attacks.

Rubber Ducky

In the last 2 years, the know-how of executing a simple supply chain cyber-attack has been discussed in various forums. With additional leaks—like the NSA leak—a family of products has been developed that enables novices to deploy attacks in a matter of hours—and for less than $50.

An easy-to-deploy hardware attack on human interface devices (HIDs), such as keyboards, can cause massive damage to critical infrastructure, and it can be implemented by your neighbor’s teenager.
