Accenture
Understanding and mitigating the security risks
of modern enterprise supply networks
Copyright © 2020 Accenture. All rights reserved
You’re only as secure
as the weakest link in
your supply chain
Supply chain security is a real and growing
issue for modern enterprises.
2 Securing the supply chain Copyright © 2020 Accenture. All rights reserved
As traditional linear supply chains are transformed into more flexible, digital and connected customer-centered networks, the number of external links an organization has with others (and the volume and sources of data that flow through those connections) grows exponentially.

But so too does the number of potential risks and vulnerabilities. This applies to both physical and cyber supply chain security. Larger, more flexible supply chain networks provide malicious and criminal actors with a bigger cyber-attack surface to target. But they also create more points of potential vulnerability in the flow of physical products and components through the value chain. The organization has to work that much harder to ensure the physical and digital security of its products and services.

The COVID-19 pandemic is pushing these trends into overdrive. Organizations are doubling down on digitization to increase their agility and responsiveness and be better prepared to deal with the impacts of the pandemic and its aftermath. As they accelerate their creation of cloud-based open architectures, with cognitive engines powering acute sense and response capabilities, enterprises are exposing themselves to an exponential increase in vulnerabilities. Additionally, some organizations are also reverting to alternative suppliers whose cybersecurity posture has not been thoroughly vetted, thus exposing themselves to new avenues of attack.

The NotPetya attack of June 2017 amply demonstrated the destructive and disruptive power of malware. Initially appearing to be a geopolitical attack aimed at paralyzing government and business operations in Ukraine, NotPetya spread rapidly. In fact, within a matter of hours, the malware had infected countless machines around the world, irreversibly encrypting master boot records, and crippling numerous multinational corporations in the process (including shipping giant Maersk, global pharma Merck, and food producer Mondelēz).1
Supply chain
complexity
in the New
In recent years, to meet customer
and market expectations, supply chains
have been reconfigured for agility,
transparency and speed.
That’s happened because consumers want new and better products faster than ever. They also demand unprecedented real-time visibility into supply chains, whether that’s because they want to validate a product’s authenticity or sustainability credentials, or simply understand exactly when it will be delivered.

To meet these elevated needs, enterprises have expanded their supply chains, made them more flexible, and integrated their suppliers more closely. In many cases, they’ve allowed suppliers to plug directly into enterprise systems to speed up data sharing. And of course, each of those suppliers may have its own equally integrated and complex supply chain to manage as well.

The result: enterprise supply chain networks have many more nodes—and many more potential points of failure—to consider. And the cybersecurity attack surface now extends far beyond the four walls of the enterprise.

Any weaknesses in supplier authentication systems become weaknesses in enterprise systems.

AVIVORE is a sophisticated nation state adversary responsible for a series of linked intrusions against multinational organizations in aerospace, defense, and related industries (including automotive, consulting, engineering, civil nuclear and space and satellites). Despite the target companies having significant cybersecurity capabilities, AVIVORE was able to steal data by gaining access through smaller high-tech engineering businesses that sat within those companies’ supply chains (including by hijacking web browser information and related information).2
The greater the complexity,
the greater the risks
Consider the range of different nodes within
modern supply networks. It’s about much more
than simply manufacturing plants, warehouses
and transportation.
You now also have numerous third-party relationships, including cloud providers, facilities vendors, benefits providers, IT service providers, legal counsel, office suppliers, and many more. And each of these is now more likely than not to have digital as well as physical connections.

These networks are far more complex than the linear supply chains that preceded them. And, as each new node is connected or as each individual supplier is given access to core systems, the security risks and vulnerabilities increase. In fact, as these networks become almost boundaryless, traditional “four walls” security is becoming near impossible to enforce. Consider that more than 40% of cyberattacks are now thought to originate in entities within the extended supply chain or by external parties exploiting security vulnerabilities within that supply chain.3

COVID-19 is adding to the challenge. Businesses are managing unpredictable workforce availability, restricted supply routes, supply shocks, and highly volatile demand for some products. They’re having to react quickly to shore up supply chains, explore alternative suppliers and expand the use of digital collaboration technologies. Changes that might have taken years to implement are being compressed into a matter of weeks: just look at the huge and sudden worldwide uptake of video meeting solutions like Zoom. This rapid diversification and digitalization of supply chains is a necessary response to the pandemic. But it also massively increases the security risk.
Supply chain traceability can be a
critical capability for enterprises looking
to secure supply chain networks which
have vastly increased connectivity and
flexibility – and thus have many new
points of potential vulnerability. An end-
to-end traceability capability can
massively help enhance the organization’s
ability to identify the position and
provenance of individual units within the
supply chain. That could bring all kinds of
benefits to manufacturers, ranging from
better regulatory compliance, to
improved anti-counterfeiting, to near-
real-time inventory tracking and
management, to support for new
consumer-facing provenance and
authenticity solutions.
Understanding
the global
cyber-threat
Just as modern supply chains are global,
so are the threats, particularly when it comes
to cybersecurity. Threat actors are not bound
by geography and can target any point
in the supply chain.
Five key factors

Accenture Cyber Threat Intelligence’s 2019 Report identifies the five key factors that are influencing this dynamic security landscape:

#1 Compromising geopolitics.
Cyberthreat actors are taking advantage of geopolitical crises to launch phishing lures, malware targeting, and disinformation campaigns. The global disruption caused by COVID-19 will present significant openings for these activities, but it is just one (albeit extreme) example of many such opportunities that already exist.

#2 Cybercriminals adapt, hustle, and diversify.
Conventional cybercrime and financially motivated attacks will continue to pose a significant threat. But criminal networks are growing in maturity and resilience. Threat groups are finding weak points, bypassing network defenses and then selling this access to other threat groups. This same access can be sold multiple times to multiple adversaries. They’re also shifting their tactics to reduce the risk of detection, working in close-knit syndicates, increasing the precision of targeting, and taking advantage of their familiarity with local environments.

#3 Expanding motives for ransomware.
The rationale for ransomware attacks on corporations is increasingly more than just financial. Ideological and political factors are also in play. Organizations must maintain their abilities to prepare, prevent, detect, and contain these attacks, accepting that, if the motives are not financial, ransom payments may not rectify the situation.
#4 Improved ecosystem hygiene is pushing threats up the supply chain.
As enterprises improve their own security, malicious actors are turning their attention to their suppliers. Organizations must look to expand their visibility over this increased threat profile, integrating cyberthreat intelligence into mergers & acquisitions and incorporating vendor and factory testing into their processes. Conducting security testing of products and services from the supply chain should be prioritized based on risk analysis from cyber threat intelligence and correlation with internal vulnerability analysis.

#5 Vulnerabilities in cloud infrastructure demand costly solutions.
The multiple side-channel vulnerabilities recently discovered in modern CPUs are a significant risk for organizations running their compute infrastructure in the public cloud. Adversaries can use these vulnerabilities to read sensitive data from other hosts on the same physical server. Mitigations are available, but most come at a cost of reduced performance.

LockerGoga is a ransomware variant that hit numerous companies in the engineering, chemicals, and metals industries, possibly by opportunistically exploiting RDP systems with weak or already-compromised credentials to serve as access points for a site-wide ransomware campaign. Interestingly, the true goals of LockerGoga may have been destructive rather than financial. Later versions of the malware made it difficult to log back into infected systems, meaning victims struggled to actually pay the ransom demanded.4
The solution? Make
security a core part of the
intelligent supply chain
To manage these growing threats, organizations need to embed security principles all the way across the supply chain network. That includes making cybersecurity a priority not just within the enterprise, but also with all connected partner organizations.

It also includes developing traceability solutions for improved visibility across the network. These should be central considerations in the design of any intelligent supply chain.

The result will be a more secure enterprise and more secure supply chain. But consider also the potential for brand perception if a business can provide assurance to its customers about the security of products across its entire supply network. Or consider the negative perception if it can’t.

This is likely to be an increasingly salient factor in purchasing decisions as awareness of the security risks increases.

No industry is exempt. While obvious target candidates are likely to be product-focused (such as consumer goods, pharmaceuticals and industrial products), other sectors also face considerably increased risks. Take automotive, for example. Connected vehicles could become lethal weapons if successfully hacked and misdirected. The implications for sectors like aerospace and defense are equally grave.

Or what about the regulatory implications? For sectors like telecommunications, critical infrastructure, aerospace, and defense, ensuring supply chain security and transparency is becoming an existential question. Regulatory requirements like the Cybersecurity Maturity Model Certification (CMMC) and NIST SP 800-171 are put in place to combat the growing cyber threats across the supply chain, making cybersecurity a foundational requirement for government acquisition of commercial products and services.5

This kind of certification may well be extended to other sectors (such as financial services) either as direct legal requirements or de facto standards as businesses look for systematic ways to validate their suppliers.
Accenture is helping a global food
company improve its supply chain
transparency—and build more trust
with consumers in the process. With
a central database collecting and
checking valid product serial numbers,
a blockchain platform integrating
logistics events on the downstream
supply chain, plus unique QR codes
printed on packaging, the company
is able to offer customers a new
level of assurance about product
authenticity. They simply have to
scan the code and get access to a
dedicated website where they can
check authenticity and get some
insights into a product’s route through
the supply chain. This website can also
act as a means of alerting customers
in the case of product quality issues.
Five practical
steps to get
started
Here are some practical recommendations for embedding security across the supply chain:

STEP 01 Create a “center of gravity” with a dedicated program office.
A key challenge for many enterprises is the complex, multifaceted, often fragmented nature of supply chain security. It can feel too big, too unwieldy, too overwhelming for any one part of the organization to get a handle on properly. By creating a single coordinating program office for supply chain security, organizations can help overcome these difficulties. This may include the need for a dedicated supply chain security risk officer.

STEP 02 Get visibility into the whole supply chain.
Look to improve the organization’s visibility of all nodes in the supply chain, including their security posture. The program office should be the place to do this, creating a central team able to coordinate all the interested enterprise functions (supply chain management, IT, human capital, legal, etc.) and bring together all relevant data (including from external parties) for a more comprehensive analysis.

STEP 03 Understand the threats and weaknesses holistically.
Effective supply chain security must be holistic in nature. Moreover, to address risks, they first have to be identified. By centralizing the data and analysis in the program office, the enterprise is better able to put all the pieces together and see threats developing that were previously hidden in fragmented data. It can also help identify security gaps, weak points and vulnerabilities far more effectively.
STEP 04 Create a toolbox of solutions – and use it.
Build a toolbox of security solutions to cover potential supply chain vulnerabilities. For most enterprises, this should comprise some combination of asset management, security monitoring, legal contract review and management, vendor/supplier security posture assessment, and authentication for system access. Remember these tools are only effective if they are applied with the right approach, data correlation, and target product and services—for example, conducting hardware security testing on specific components from high risk suppliers or products prior to deployment based on risk score from cyber threat analysis and intelligence.

STEP 05 Maintain and monitor.
Resist the temptation to think that reaching a level of compliance and security means the hard work is done. Enterprises must establish the capabilities and commit the resources needed to sustain that security posture over time, remembering that both the threats and the organization’s attack surface are constantly evolving. The effect of new M&A, new operating models and other changes – within the enterprise itself and within suppliers – must be continuously analyzed and accounted for.

FIN7 is a highly organized cybercriminal group specializing in targeted attacks against organizations in retail, hospitality and financial services. The group, which operates under the front of a legitimate penetration testing company, typically conducts spear-phishing attacks using malicious document attachments against selected individuals in targeted organizations. The malware delivered in these attacks has included the Carbanak implant and bespoke script-based implants such as HALFBAKED, Bateleur and DNSMessenger. FIN7 has also used a wide range of penetration testing tools such as Meterpreter, Cobalt Strike and Mimikatz for initial access and post-exploitation activities.6
Time to think
holistically about
supply chain security
Historically, supply chain security considerations have not been at the top of the C-suite agenda. That needs to change.

In today’s hyper-connected world, and especially given the increased fluidity needed to manage the COVID-19 pandemic, the number of points of security vulnerability for connected enterprises is increasing exponentially.

An enterprise is only as secure as the weakest point in its supply chain network. Accordingly, leaders must now look to expand their security strategies and processes, working with their suppliers to increase visibility, understanding the threats and their potential applicability and impact to their organization and supply chain holistically, and developing a range of flexible tools and best practices to mitigate the risks.

Black Ghost Knifefish (also known as Dragonfly) is thought to be a state-sponsored threat group which has previously conducted supply chain compromises. The group gained significant notoriety in 2017 by targeting organizations operating in energy and manufacturing verticals based in North America and Western Europe. Its actors successfully compromised software produced by three ICS equipment providers located in Central and Western Europe.7
About the authors

Erik Olson
Managing Director, Strategy & Consulting, Supply Chain & Operations, North America Lead

Royal Hu
Managing Director, Accenture Security, Supply Chain Security Lead, North America

Lilian Ngobi
Functional Strategy Manager, Accenture Strategy, Supply Chain & Operations, North America
Notes & References

1. Greenberg, Andy, August 22, 2018, The Untold Story of NotPetya, the Most Devastating Cyberattack in History, Wired, https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
2. Context Information Security, AVIVORE – An overview of tools, techniques and procedures, 22 October 2019, https://www.contextis.com/media/downloads/AVIVORE_An_overview.pdf
3. Accenture Strategy, Chief Supply Chain Officers: Do you know where your weakest link is?
4. Biasini, Nick, March 20, 2019, Ransomware or Wiper? LockerGoga Straddles the Line, Talos, https://blog.talosintelligence.com/2019/03/lockergoga.html
5. https://www.cmmcab.org, https://www.acq.osd.mil/cmmc and https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
6. Accenture Security, 2019 Cyber Threatscape Report
7. Accenture Security, 2019 Cyber Threatscape Report

This research makes descriptive reference to trademarks that may be owned by others. The use of such trademarks herein is not an assertion of ownership of such trademarks by Accenture and is not intended to represent or imply the existence of an association between Accenture and the lawful owners of such trademarks.

About Accenture

Accenture is a leading global professional services company that provides a broad range of services at scale with strategy, digital, technology, and security services at our core. Accenture’s Security Services Practice has been serving and partnering with our clients for more than 20 years. We have successfully delivered some of the world’s largest and most complex security solutions across multiple industries. Providing cybersecurity services is a standard part of what we do to help clients, to identify potential threats or critical issues requiring immediate response and areas for improvement and actionable recommendations to achieve desired outcomes. Accenture has more than 7,000 security professionals spanning 67 countries, where we deliver cybersecurity services at speed, scale, and on demand that are aligned specifically to each of our clients’ industries and unique business goals. Our cybersecurity consulting and delivery capabilities consist of highly trained security professionals, proven methodologies, cutting edge Research and Development (R&D) centers and partnerships with market leading technology vendors.

Visit us at accenture.com/us-en/services/security-index

About Accenture Research

Accenture Research shapes trends and creates data driven insights about the most pressing issues global organizations face. Combining the power of innovative research techniques with a deep understanding of our clients’ industries, our team of 300 researchers and analysts spans 20 countries and publishes hundreds of reports, articles and points of view every year. Our thought-provoking research—supported by proprietary data and partnerships with leading organizations, such as MIT and Harvard—guides our innovations and allows us to transform theories and fresh ideas into real-world solutions for our clients.

Visit accenture.com/research

Disclaimer: This document is intended for general informational purposes only and does not take into account the reader's specific circumstances, and may not reflect the most current developments. Accenture disclaims, to the fullest extent permitted by applicable law, any and all liability for the accuracy and completeness of the information in this presentation and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professionals. This document may contain descriptive references to trademarks that may be owned by others. The use of such trademarks herein is not an assertion of ownership of such trademarks by Accenture and is not intended to represent or imply the existence of an association between Accenture and the lawful owners of such trademarks.