Beware of Blockchain and Supply Chain Cybersecurity Threats
According to a recent ENISA report, strong internal security is no longer enough for organisations, as attackers have already shifted their attention to suppliers.
With many recent cyberattacks on supply chains across Europe, organisations have begun to consider alternative enhancements to their existing security measures. One of these solutions is blockchain-based cybersecurity technology.
IBM defines blockchain cybersecurity as a “comprehensive risk management system for a blockchain network, using cybersecurity frameworks, assurance services and best practices to reduce risks against attacks and fraud.”
Although many solutions using blockchain have been announced, organisations have not rushed to adopt blockchain technology. I believe blockchain can complement efforts to provide an additional layer of security, but it’s important to be wary of the risks associated with blockchain technology in the cyber supply chain.
Areas of highest risk for supply chains
Supply chains face a number of vulnerabilities — including economic instability, extreme weather events, supplier inconsistency and more. One of the top risks to supply chains is cyberattacks. The NotPetya attack in 2016 paralysed European and American supply chains and cost them nearly $10 billion worth of damage.
There is a reason why supply chains are especially vulnerable to attacks. The organisations making up supply chains aren’t technology companies. In fact, many supply chains still use aging and legacy infrastructure and rely on insufficient third-party software, which opens the door to risk.
Blockchain as a solution
The data structures of blockchain technology are based on consensus, cryptography, and decentralisation principles, which can enhance security.
But despite blockchain technology strongly improving since its inception, it still has several weaknesses in both security and structure that have prevented widespread adoption from organisations across the globe.
Risks associated with blockchain
Some of these shortcomings can make organisations more susceptible to attack. Security risks include:
- Privacy: All network nodes have access to data on a public blockchain, despite blockchain databases being anonymous and encrypted. This makes it harder to control who has access to specific information.
- Vulnerable to cyberattacks: Even though blockchain offers greater security than other platforms, it is not entirely safe. Cyberattacks, combined with weaknesses in a blockchain’s cryptographic algorithm, can make it possible to compromise the blockchain network.
- Private keys: Blockchain requires users to have private keys to access resources or data stored in the blockchain. If a user loses their private key, they can no longer access the wallet — but if a bad actor has taken the key, they potentially can.
- Data immutability: Once data is written, it cannot be erased. If someone uses a blockchain-based digital platform, they can’t erase its record. Those who have access to the platform can see the data history.
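The immutability and privacy properties listed above follow from the ledger’s data structure: each record carries the hash of the record before it, so a change or deletion anywhere in the history breaks every link after it. The following is an added illustration, not code from this article or from IBM, ENISA or A-LIGN. It assumes a simplified SHA-256 hash chain (no consensus or networking), and the shipment records are constructed sample data. It also shows the caveat that a single verifier holding one copy cannot detect truncation of the newest records, which is why real networks replicate the ledger across many nodes and compare chain heads.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

GENESIS_HASH = "0" * 64  # previous-hash value used by the first block


@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str
    payload: dict

    def digest(self) -> str:
        # Canonical JSON so the same content always hashes the same way.
        body = json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash, "payload": self.payload},
            sort_keys=True,
        )
        return hashlib.sha256(body.encode("utf-8")).hexdigest()


def append(chain: list, payload: dict) -> list:
    """Return a new chain with `payload` linked to the current head."""
    prev = chain[-1].digest() if chain else GENESIS_HASH
    return chain + [Block(len(chain), prev, payload)]


def verify(chain: list) -> tuple:
    """Walk the chain; return (True, None) or (False, index of first bad link)."""
    expected_prev = GENESIS_HASH
    for i, block in enumerate(chain):
        if block.index != i or block.prev_hash != expected_prev:
            return False, i
        expected_prev = block.digest()
    return True, None


# Constructed sample records: a supplier logging shipments onto the ledger.
SAMPLE_SHIPMENTS = [
    {"shipment": "SHP-0001", "supplier": "ExampleParts Ltd", "qty": 500},
    {"shipment": "SHP-0002", "supplier": "ExampleParts Ltd", "qty": 120},
    {"shipment": "SHP-0003", "supplier": "ExampleParts Ltd", "qty": 75},
]


def build_sample_chain() -> list:
    chain: list = []
    for record in SAMPLE_SHIPMENTS:
        chain = append(chain, record)
    return chain


def tamper_edit(chain: list, i: int, new_payload: dict) -> list:
    """Rewrite one historical record in place (what an attacker would try)."""
    edited = list(chain)
    edited[i] = Block(chain[i].index, chain[i].prev_hash, new_payload)
    return edited


def tamper_delete(chain: list, i: int) -> list:
    """Remove one record from the history."""
    return chain[:i] + chain[i + 1:]


def correct_record(chain: list, shipment: str, **fields) -> list:
    """The only legitimate fix on an immutable ledger: append a correction,
    leaving the original (and its visibility to every node) intact."""
    return append(chain, {"corrects": shipment, **fields})


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify(chain))                      # (True, None)
    print("edited:", verify(tamper_edit(chain, 1, {"qty": 9999})))  # (False, 2)
    print("deleted middle:", verify(tamper_delete(chain, 1)))        # (False, 1)
    # Truncating the head is NOT caught by one copy alone: (True, None)
    print("deleted head:", verify(tamper_delete(chain, 2)))
    print("corrected:", verify(correct_record(chain, "SHP-0002", qty=125)))
```

Two points a practitioner should take from running it: the tampered chains fail verification at the first link after the change, which is the immutability the article describes, and the correction path leaves the original record readable by anyone holding the ledger, which is the privacy concern. The head-truncation case passing verification is the reason immutability depends on replication and consensus, not on the hash chain alone.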
Structural issues associated with blockchain
Along with the security risks facing blockchain, several structural issues exist as well. Some of the structural issues preventing widespread blockchain adoption include:
- Scalability: Unlike their centralised counterparts, blockchains have limitations in how they can grow alongside a business.
- Storage: Blockchain databases are stored permanently on all network nodes. Computers can only store a limited amount of data, and blockchain ledgers can outgrow their storage space.
- Power use: Whenever a new node is created, it connects to all other existing nodes and builds a distributed, continuously updated ledger. This process can require an extraordinary amount of power.
- Cost and implementation: Even though most blockchain solutions are open source, implementing a blockchain solution can be a costly process. Enterprise blockchain projects can cost well over a million dollars to implement — and that figure does not include expected maintenance costs.
This is not to say blockchain cannot be used as a valid solution. However, organisations should not rely solely on blockchain technology to keep their supply chains safe.
How to keep supply chains safe
On 15 September 2022, the European Union announced it would be advancing legislation to strengthen security requirements for all digital hardware and software products.
Even with this new framework, ENISA continues to highlight its recommendations for customers and suppliers to minimise the risk of a supply chain attack, whether they use blockchain solutions or not.
Recommendations for customers include:
- Identifying and documenting service providers and suppliers.
- Defining risk criteria for different types of suppliers and services (for example, supplier and customer dependencies, critical software dependencies, and single points of failure).
- Continuously monitoring supply chain risks and threats, including the architecture and the systems it supports.
- Managing suppliers throughout the complete lifecycle of a product or service, including end-of-life products or components.
- Classifying assets and information that are shared with (or accessible to) suppliers, and defining relevant procedures for accessing and handling them.
As for suppliers, ENISA recommends:
- Confirming that the infrastructure used to design, develop, manufacture, and deliver products, components and services follows proper cybersecurity practices.
- Implementing consistent product development, maintenance and support processes.
- Continuously monitoring security vulnerabilities reported by internal and external sources, including those in third-party components in use.
- Maintaining an inventory of assets that includes patch-relevant information.
A-LIGN can help mitigate risk
No one security posture can keep you safe. Organisations should not rely on security processes or frameworks alone. For maximum protection, you must put your security controls to the test.
Penetration testing is designed to assess the cybersecurity of your organisational technologies and systems. A-LIGN’s OSEE, OSCE, and OSCP Certified Penetration Testers employ automated and manual techniques to find weaknesses in servers, end-user workstations, wireless networks and web-based applications. They also assess security awareness, and the human-layer and physical facility controls to provide a complete picture of an organisation’s level of protection.
If you would like to test your organisation’s systems, contact A-LIGN today.