The Anatomy of a Zero Trust Supply Chain

A supply chain attack is a cyber-attack against a supplier or trusted partner of the ultimate target company. Rather than attacking a well-protected ‘primary’ target directly, the attacker looks for weak links within the network of vendors whose services or software enable that primary company to function.

The scale of the supply chain problem

Statista reports that approximately 11 million customers worldwide were affected by supply chain cyber-attacks in 2022. The good news is that this was a drastic reduction from the 2019 peak of 263 million impacted customers. The bad news is that in the first quarter of 2023 alone, over 60 thousand customers were reported to be affected by supply chain attacks.

Gartner has predicted that by 2025, 45 percent of organisations worldwide will have experienced attacks on their software supply chains. Researchers at Cybersecurity Ventures predict that the global annual cost of these attacks to businesses will reach $138 billion by 2031, a 15 percent annual growth rate from $46 billion in 2023.

In the UK, the acuteness of the problem has earned it particular attention from GCHQ’s National Cyber Security Centre (NCSC). Research from 2022 showed that just over 1 in 10 (13%) UK businesses review the risks posed by their immediate suppliers. In late 2023, the NCSC published a full guide for SMEs on addressing cyber risk in the supply chain.

The reason for such exposure is simple. Supply chain pressures have plagued businesses in recent years: one report found that 77% of mid-sized UK businesses faced ‘persistent disruptions’ in their supply chains. The response has been to take on more suppliers in order to remain agile and deliver against increased customer demand. But a bigger supply chain means more supply chain risk.

Consequently, many businesses now recognise that the supply chain is the weakest link in their cybersecurity. As these organisations have evaluated their supply networks more strictly, there has been an inevitable shift towards “zero trust” models.

Defining zero trust

Zero trust is a modern security strategy based on a simple principle: never trust, always verify. The model assumes breach or malicious intent, and verifies each request to access systems as though it originated from an open, unprotected network.

The zero-trust market is estimated to reach $126bn by 2031, a CAGR of 18.5% from 2022 to 2031. Businesses have been quick to embrace the approach because it eliminates the assumed, implicit trust across entire supply chains and networks, including non-direct suppliers.

Using zero trust in a supply chain

The first step in creating a global chain of trust is to build a comprehensive inventory of all suppliers. It must cover every supplier system with access to infrastructure that may be a target, which can include accountants, time management platforms, vendor-managed inventory software, EDI connections, and so on.

Once this list is established and verified, a business can impose zero trust by requiring suppliers to meet a minimum set of prerequisites. Verifying compliance can be complicated and requires technological maturity.

These requirements typically revolve around guarantees that data will not be resold, sound backups, compliance with laws such as GDPR, best-practice processes for vulnerability monitoring, and security assurance plans.

However, there is no standardised checklist. Companies can request independent evaluations, and these are on the increase, but there is no legal mandate or standard.

The depth of these evaluations depends on customer budgets and the sensitivity of the data being processed. What matters is that companies conduct them and can offer customers a guarantee of the security of their data.

The changes a zero-trust approach brings

One of the most common changes that follows is the imposition of multi-factor authentication (MFA) for access to data. Many code repositories, GitHub included, now mandate MFA for the 100 million users that submit code. The use of security tokens is also increasing.

Elsewhere, detection systems such as network detection and response (NDR) are being deployed to provide visibility into this extended network: a 360° view of what has entered a business's systems, often without its knowledge, as a result of activity within the supply chain.

Controlling every aspect and element of the supply chain can be incredibly difficult. NDR, however, sees traffic as it enters the primary target company's network. It can treat that traffic with suspicion and act accordingly, in line with zero trust: nothing is assumed benign simply because it arrives from a known partner. In that sense NDR embodies the zero-trust principle.
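The following is an added illustration of the point above, not code from this page or from Gatewatcher's product: a small screening routine that treats supplier traffic the zero-trust way. Each supplier in a constructed inventory is allowed only the internal destination/port pairs it needs; any flow from a supplier range to anything else is blocked rather than assumed benign, a flow far above the supplier's usual volume is flagged as suspect, and a source that is not in the inventory at all is blocked. The supplier names, addresses, thresholds and log lines are all constructed for the example (RFC 5737 documentation ranges are used for the supplier sources).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


# Constructed supplier inventory (hypothetical names, ranges and thresholds).
# Each supplier is granted only the internal destination/port pairs it
# genuinely needs; everything else is denied rather than assumed benign.
SUPPLIER_POLICY = {
    "payroll-vendor": {
        "sources": [ip_network("203.0.113.0/28")],
        "allowed": {("10.0.5.10", 443)},        # HR API only
        "max_bytes": 5_000_000,                  # rough per-flow baseline
    },
    "edi-partner": {
        "sources": [ip_network("198.51.100.0/24")],
        "allowed": {("10.0.7.20", 8443)},       # EDI gateway only
        "max_bytes": 50_000_000,
    },
}


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated flow record of the constructed format:
    <timestamp> <src> <dst> <dport> <proto> <bytes>"""
    ts, src, dst, dport, proto, nbytes = line.split()
    return Flow(ts, src, dst, int(dport), proto, int(nbytes))


def identify_supplier(src: str) -> Optional[str]:
    """Map a source address to the supplier whose range contains it, if any."""
    addr = ip_address(src)
    for name, policy in SUPPLIER_POLICY.items():
        if any(addr in net for net in policy["sources"]):
            return name
    return None


def classify(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, reason). Verdicts are ALLOW, SUSPECT or BLOCK.

    Order matters: an unknown source is blocked outright, a known supplier
    reaching an unapproved destination is blocked, and a known supplier on an
    approved path but with abnormal volume is flagged for investigation.
    """
    name = identify_supplier(flow.src)
    if name is None:
        return "BLOCK", "source not in supplier inventory"
    policy = SUPPLIER_POLICY[name]
    if (flow.dst, flow.dport) not in policy["allowed"]:
        return "BLOCK", f"{name} reached unapproved {flow.dst}:{flow.dport}"
    if flow.nbytes > policy["max_bytes"]:
        return "SUSPECT", f"{name} moved {flow.nbytes} bytes, above baseline"
    return "ALLOW", f"{name} within policy"


def screen(lines: List[str]) -> List[Tuple[Flow, str, str]]:
    """Run every log line through the policy and return (flow, verdict, reason)."""
    return [(flow, *classify(flow)) for flow in map(parse_flow, lines)]


# Constructed sample flow log, not real traffic.
SAMPLE_LOG = """\
2024-03-04T10:12:01Z 203.0.113.5 10.0.5.10 443 tcp 120394
2024-03-04T10:12:07Z 203.0.113.5 10.0.5.11 445 tcp 8821
2024-03-04T10:13:40Z 198.51.100.23 10.0.7.20 8443 tcp 73100000
2024-03-04T10:14:02Z 192.0.2.77 10.0.7.20 8443 tcp 5120
""".splitlines()


if __name__ == "__main__":
    for flow, verdict, reason in screen(SAMPLE_LOG):
        print(f"{verdict:7} {flow.src:>15} -> {flow.dst}:{flow.dport}  {reason}")
```

On the sample log the payroll vendor's HTTPS call to the HR API is allowed, its attempt to reach SMB on a different host is blocked, the EDI partner's unusually large transfer on an otherwise approved path is flagged, and the source outside any supplier range is blocked. A real NDR deployment would derive the allowed paths and volume baselines from observed traffic and the supplier inventory rather than from a hand-written table, but the decision logic is the same: the inventory defines what is expected, and everything outside it is treated as hostile until verified.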

The barriers to a zero-trust supply chain

All this vigilance is not cheap. Growing supply chain risk has increased the cost of cybersecurity and demands substantial additional effort, much of it arising from the variety of protocols and the lack of interoperability between the hardware and software that make up a company's security tooling.

At scale, authentication will need to be automated without impacting productivity. This is driving the development of single sign-on (SSO) models and encryption methods that ensure suppliers can decrypt only the data relevant to them. And, of course, the increased management burden of zero trust will lead companies to delegate parts of the approach.

The evaluations and controls needed to ensure compliance across such networks will be costly and time-consuming. Some businesses will impose supply chain requirements on their primary suppliers and hold them responsible for the security of secondary and even tertiary suppliers. Successful models for this already exist in the banking and defence sectors.

Supply chain attacks have rapidly become a regular fixture of major news stories and expensive remediation. In a future of ever-expanding supply networks and increasingly sophisticated attacks, businesses need to adopt zero trust throughout global supply chains to remain protected and able to function.

Gatewatcher

A leader in the detection of cyber threats, Gatewatcher has been protecting the critical networks of large companies and public institutions worldwide since 2015. Our Network Detection and Response (NDR) and Cyber Threat Intelligence (CTI) solutions quickly detect and respond to cyber-attacks. By combining AI with dynamic analysis techniques, Gatewatcher delivers a real-time 360-degree view of threats, covering both cloud and on-premise infrastructures.
