Supply Chains

Supply Chain Cyber Attacks – from Governments to Rubber Ducks

Cyber-attacks on supply chains were considered a strategic weapon to be used against enemy nations to harm critical infrastructure. This type of weapon required advanced technical skills to develop—and massive logistical and tactical capabilities to deploy.

In early 2000, very few countries—USA, China and Israel—were thought to have the technical capability of executing such attacks.


The cyber-attack on the Iranian’s nuclear enrichment plant in Natanz is considered one of the first supply chain cyber-attacks known to the public.

Many assume the USA or Israel (and some say, both) installed a computer virus into the Siemens SCADA controllers before arriving at their target location in Iran. After installation, controllers falsely reported normal readout values while burning nuclear enrichment centrifuges. The Stuxnet attack was successful—it delayed Iran’s entire nuclear program by more than 3 years. Strategic advisers across the globe agree—the Stuxnet cyber-attack caused more damage than a conventional attack could have caused.

Governments Technology

Stuxnet and similar attacks could have been developed and deployed by the NSA, Israel’s 8200 and the cyber army of China. It required teams of expert engineers, computer hackers and logistics experts to find the black-hole along the supply chain. It required millions of dollars and months of planning. The technology was soon published and discussed in conferences. Once it became public, hackers were able to reverse-engineer and propagate the technology.

New Attack Vector

Most organizations are protected against common and trivial cyber-attacks. All have installed firewalls, anti-spam, anti-malware, anti-viruses, endpoint security and more. Every month, the market is introduced to new and better technologies to protect against cyber-attacks. There are effective solutions to protect against attacks from the Internet or data files. Protecting one door—many claim—sends criminals to another. Rather than breaking through a secured door, they look for the one that was left open. Since networks and IT are relatively secure—attackers view the supply chain as the open door. Attackers may reach their target through the supply chain—which is hardly secured against such attacks.

Rubber Ducky

In the last 2 years, the know-how of executing a simple supply chain cyber-attack has been discussed in various forums. With additional leaks—like the NSA leak—a family of products has been developed that enables novices to deploy attacks in a matter of hours—and for less than $50.

An easy-to-deploy hardware attack on human interface devices (HIDs), such as keyboards, can cause massive damage to critical infrastructure while being implemented by your neighbor’s teenager.

We invite our friends to share our blogs and to send comments, ideas and materials for future blogs. For more information, visit, and follow us on Twitter and LinkedIn.

Welcome to Sepio

Welcome to our first post on Sepio’s new website. 
Today, we celebrate our media presence and the end of stealth mode.

About Us

We are a group of serial entrepreneurs who have worked together for more than 25 years—beginning in the early 90’s in the technological division of the Israeli Army Intelligence (Unit 8200). We’ve since been involved directly and indirectly in the foundation of several startup companies. Some have been acquired by market leaders.

We’ve added a new team member with 30 years of sales leadership experience to create Sepio Systems. With strong support from our investors, we are prepared for the challenge.

We are excited to introduce our company—and our different approach.

What is SEPIO?

The Latin word “Sepio” means Protect and Seal.  It is the reason we’ve founded the company.

Sepio Systems’ mission is to protect critical infrastructure against threats on their supply chains.  Malicious groups poison the chain between vendors and end customers with infected components, modules and systems.

Why Focus on Supply Chains?

Because supply chains are not protected. Because we don’t have adequate visibility. Because by providing stronger and more resilient security to threats via internet connections, emails, and files, we are pushing criminals and our enemies to attack supply chains.

(and…because we thought it would be nice to start something new…)

Our Challenges

Since 2000, supply chain attack technology has moved from top classified government agencies to common hackers. While cost and time dramatically decreased, the spread of such attacks became a major threat to critical infrastructure and enterprises.

These criminals now have strategic weapons at almost no cost–we need to mitigate without changing the way we run our businesses, our infrastructure and our supply chains.


We chose these words as our (catchy) slogan for distinct reasons.  

Since attacks on supply chains started more than 40 years ago, security managers developed a common approach to “certify” vendors and suppliers and “clean” deliverables before installation. This is the approach adopted by governments and top-classified agencies around the world.

It’s not working!

Smart attackers easily penetrate supply chains and deliver infected equipment to end users. Our different approach is simple—attacks are in place; security has been compromised. Let’s isolate the attack and eliminate the poison.

We invite our friends to share our blogs and to send comments, ideas and materials for future blogs. For more information, visit, and follow us on Twitter and LinkedIn.

Enjoy and good luck to all,

Yossi Appleboum and the Sepio Team