
Software Supply Chain Attacks: Top Cyber Threat to Industry

ENISA Declares Software Supply Chain Attacks top Cybersecurity Threat

The European Union Agency for Cybersecurity (ENISA) has officially designated software supply chain attacks as the most pressing cybersecurity threat, necessitating immediate and comprehensive action, particularly within industrial IT and operational technology (OT) systems. This declaration, amplified by cybersecurity experts, underscores the escalating risks and vulnerabilities associated with interconnected software ecosystems.

Jan Wendenburg, CEO of ONEKEY, emphasized the urgency of the situation, noting a significant surge in software supply chain incidents across the EU since 2020. According to a 2024 report by Sonatype, software supply chain attacks increased by 742% between 2019 and 2023, highlighting the exponential growth of this threat vector.

The Rising Threat to Embedded Systems

German industries are increasingly grappling with software supply chain cyberattacks targeting embedded systems. These attacks exploit vulnerabilities within external components, software libraries, or firmware updates, creating pathways for malicious actors to infiltrate critical infrastructure.

  • Cybercriminals leverage security gaps in suppliers’ systems to compromise downstream companies and end-users.
  • Industrial plants, machine controls, IoT devices, and other embedded systems with long operational lifecycles are particularly vulnerable.

Did You Know? The average lifespan of an industrial control system (ICS) is 10-20 years, making them attractive targets for long-term cyber espionage and sabotage.

Wendenburg stresses that effective cybersecurity must encompass the entire value chain. This proactive approach is essential to mitigate the cascading effects of supply chain compromises.

Economic Impact and Systemic Vulnerabilities

Cybersecurity Ventures estimates that supply chain attacks inflict approximately $80 billion in damages annually worldwide. The intricate nature of global supply chains exacerbates the problem, creating numerous entry points for malicious actors.

  • A recent ENISA report revealed that two-thirds of EU companies have experienced compromise through their suppliers.

ENISA identifies supply chain attacks as a “Top 5” threat for industrial IT and OT systems, further emphasizing the critical need for robust security measures. The “Enisa Foresight 2023 Report” highlights this danger as a top cybersecurity concern.

Infection Vectors: Software Integration and Pre-Products

The German economy’s strong international ties make it particularly susceptible, with approximately $370 billion worth of intermediate goods imported annually for integration into domestic products. These imports are vital for German production, but also introduce potential vulnerabilities.

  • Every software component and pre-product equipped with networked digital technology represents a potential security risk.

The risk is amplified by the potential for malware to propagate through product deliveries, infecting not only the initial target but also its customers. A compromised mechanical engineering firm, for example, could inadvertently deliver malware-infected industrial control systems.

Malicious code can infiltrate systems in two primary ways:

  • Through software integrated during product assembly.
  • As part of a pre-product installed in the final product.

Demand for Security Checks on Embedded Systems

Wendenburg emphasizes the interconnectedness of German industry supply chains, warning that a single attack can have widespread repercussions. He advocates for comprehensive cybersecurity examinations of embedded systems used in control technology, automation, and IoT devices, including both internally developed components and those sourced from suppliers.

  • ONEKEY reports a surge in demand for security checks on devices, systems, and real-time operating systems (RTOS) commonly used in embedded systems.

ONEKEY recently enhanced its “Product Cybersecurity & Compliance Platform” (OCP) to assess RTOS firmware for vulnerabilities, a capability previously considered challenging, particularly with the monolithic binary files used in real-time operating systems like “FreeRTOS,” “Zephyr OS,” and “ThreadX.”

Open Source Components: A Critical Gateway

Open-source components, present in approximately 80% of all firmware stacks for embedded systems, represent a critical gateway in the supply chain. A vulnerability in a widely used library like “uClibc,” “BusyBox,” or “OpenSSL” can simultaneously affect numerous systems.

  • The “Log4Shell” vulnerability in 2021 demonstrated the potential devastation caused by a single insecure software component, impacting millions of Java applications, including tens of thousands of OT and IoT systems.

Pro Tip: Implement a Software Bill of Materials (SBOM) to track and manage open-source components in your software supply chain.
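The point of an SBOM is that, when the next Log4Shell lands, you can answer “which of our firmware images ship the affected component?” in minutes. The following added example (not from the article or ONEKEY’s platform) checks a constructed CycloneDX-style SBOM against a constructed advisory table with half-open version ranges; the advisory identifiers are placeholders, not real CVE numbers, and the version parser assumes plain dotted numeric versions.

```python
import json

# Constructed CycloneDX-style SBOM for a fictional embedded-device firmware image.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "busybox",    "version": "1.36.1"},
    {"type": "library", "name": "openssl",    "version": "1.1.1"},
    {"type": "library", "name": "log4j-core", "version": "2.14.1"},
    {"type": "library", "name": "uclibc",     "version": "1.0.42"}
  ]
}
"""

# Constructed advisory feed. Each entry covers versions in [introduced, fixed).
# The ids are placeholders; the log4j-core entry mirrors the Log4Shell pattern
# of one vulnerable range hitting every product that bundles the library.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "component": "log4j-core", "introduced": "2.0",   "fixed": "2.15.0"},
    {"id": "ADV-EXAMPLE-2", "component": "openssl",    "introduced": "1.1.0", "fixed": "1.1.1"},
]

def parse_version(text):
    """Turn a dotted numeric version ('2.14.1') into a comparable tuple padded to 3 parts."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def affected(version, introduced, fixed):
    """True when version lies in the half-open range [introduced, fixed)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)

def find_vulnerable(sbom_json, advisories):
    """Return (component, version, advisory id) for every SBOM component inside a vulnerable range."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if comp["name"] == adv["component"] and affected(comp["version"], adv["introduced"], adv["fixed"]):
                hits.append((comp["name"], comp["version"], adv["id"]))
    return hits

if __name__ == "__main__":
    for name, version, adv_id in find_vulnerable(SBOM_JSON, ADVISORIES):
        print(f"{name} {version}: matches {adv_id}")
```

Note that openssl 1.1.1 is not flagged because the fixed version is excluded from the range; that boundary is exactly where hand-maintained spreadsheets tend to go wrong.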

Wendenburg warns that the increasing complexity of industrial systems, the proliferation of external providers, and the extended lifecycles of embedded systems are amplifying the threat of supply chain attacks. Gartner Group forecasts that over 45% of organizations will experience at least one cyber incident via the supply chain by 2026, according to their 2022 report on supply chain security.

Call to Action: Systematic Software Checks

Wendenburg concludes by emphasizing the vulnerability created by the integration of industrial IoT systems and autonomous production lines. He urges corporate leaders to systematically check software for embedded systems, regardless of origin, to protect their reputation and delivery capabilities.

  • The “Radio Equipment Directive” EN18031 and the “EU Cyber Resilience Act” (CRA) place a duty on manufacturers for the cybersecurity of networked devices, machines, and systems.

ONEKEY’s “Product Cybersecurity & Compliance Platform” (OCP) includes a “Compliance Wizard” to automate conformity reviews for CRA and other cybersecurity standards, streamlining audit preparation and reducing bureaucratic burdens.

What steps are you taking to secure your software supply chain? How can organizations collaborate to mitigate these growing threats?

Understanding Software Supply Chain Attacks: An Evergreen Perspective

Software supply chain attacks are not a new phenomenon, but their frequency and sophistication have increased dramatically in recent years. These attacks target vulnerabilities in the software development and distribution process, allowing malicious actors to inject malware or compromise systems at scale. The SolarWinds attack in 2020, which affected numerous government agencies and private companies, served as a stark reminder of the potential impact of these attacks. As organizations become increasingly reliant on third-party software and services, the need for robust supply chain security measures becomes ever more critical.

The rise of cloud computing and the increasing complexity of software development have further complicated the landscape. Organizations must now manage a vast network of suppliers, vendors, and open-source components, each of which represents a potential attack vector. Effective supply chain security requires a multi-layered approach that includes vulnerability management, security testing, and continuous monitoring.
