Although supply chain attacks have been a cybersecurity concern for many years, 2020 saw a big rise in their number and sophistication. This trend is continuing in 2021, posing an increasing risk for organizations. Because high-value organizations have put more robust security protection in place, threat actors find it more effective to move up the supply chain and exploit weak links outside their target’s cyber defences.
The presentation aims to highlight the key observations and major findings of the ENISA “Threat Landscape for Supply Chain Attacks” report, published in July 2021. It provides a mapping and analysis of 24 supply chain attacks, based on incidents identified and reported from January 2020 to early July 2021, and classifies them using a proposed taxonomy of their key characteristics and techniques. The analysis answers three questions: what are the most common attack techniques used in supply chain attacks, what are the main customer assets that attackers are after, and what is the relationship between the attacks and the assets targeted? A set of recommendations aimed at policymakers and organizations is also presented; adopting them may strengthen the overall security posture against supply chain attacks.