When a Cyber Attack Empties the Shelves: What to Do About Supply Chain Attacks

Consumers often see most cyber attacks as something that happens to other people, until it affects them directly. The theft of email addresses and other personal information has become a regular and mundane event, but when a criminal presses a button halfway around the world and food disappears from the shelves, things suddenly get real.

That’s what happened in June, when an attack on wholesale grocery distributor United Natural Foods (UNFI) brought its online operations to a halt. The attack hindered the company’s ability to serve its 30,000 locations, leaving grocery stores warning customers about food shortages and causing significant disruptions at Amazon-owned Whole Foods, including the closure of sandwich stations.

Attacks like these highlight the damage a cyber incident can do to operations well beyond a single company. The disruption spreads to every organization that relies on the victim as part of its own supply chain, which raises the question: what can organizations do to protect themselves?

Supply Chain Cyber Risk Reaches Crisis Proportions

This isn’t the first attack we’ve seen that has disrupted supply chains. Insurance company Cowbell published a report late last year showing a 431% surge in supply chain attacks since 2021.

According to the report, such attacks are becoming more common because business operations are increasingly interconnected and supply chains are growing more complex, which makes them harder to secure.

One of the biggest challenges organizations face is the single point of failure issue; a single company upon which many others rely for products and services is a high-value target. Successfully compromising it amplifies the effects of a single attack.

Disruption from supply chain attacks can be purely digital. The compromise of SolarWinds software in 2020 rendered hundreds of systems at the company’s customers vulnerable to information theft. The exploitation of a vulnerability in the on-premises version of the MOVEit file sharing system in 2023 enabled attackers to pilfer files from hundreds of its customers. Both had the same underlying characteristic: toxins in a digital product (one intentionally introduced, one accidentally coded in) affected thousands of customers downstream.

Other cyberattacks, like the UNFI hack, lead to physical problems. They expose the fragility of modern just-in-time supply chains, making such attacks not just a threat to customer data but a societal risk.

Notable past incidents that have affected physical supply chains include the 2021 attack on Colonial Pipeline. Although the attack targeted the company’s administrative network, Colonial shut down its gasoline delivery operation out of caution, creating shortages that affected millions.

In the same year, a ransomware attack on remote management software vendor Kaseya affected its customers, many of which provided managed IT services. The impact trickled down to their customers in turn, including Swedish grocery chain Coop, which had to shut down 800 stores. These attacks were still digital, but the end results were kinetic; instead of having their data exposed, people were unable to drive or eat.

This Needs a Board-Level Response

Supply chain risks introduce new governance imperatives for boards, especially as regulators begin to push the issue. For example, the EU’s Digital Operational Resilience Act (DORA) imposes several requirements on financial services companies. It mandates stringent due diligence when working with technology and service providers, alongside minimum security requirements in contracts. Agreements with suppliers must also carry continuous assessment obligations that require periodic cybersecurity assessments of vendors.

The Network and Information Security Directive 2 (NIS2) also mandates stricter security requirements for supply chains.

Supply chain professionals will increasingly look to cybersecurity risk as a major factor when engaging third-party partners, according to Gartner. It expects 60% of them to do so this year.

These concerns make supplier risk management a crucial component of any supply chain resilience strategy. Effective due diligence means checking that suppliers have security measures in place. Companies that haven’t mandated due diligence would do well to review all their suppliers, ideally checking for accreditation with relevant cybersecurity frameworks or standards. Those might be industry-specific.

Even after all that, attacks may still occur. Keeping suppliers that pass muster on a preferred supplier list will help minimize the risk that your supply chain will be disrupted through compromise; however, it won’t completely eradicate that risk. That’s why planning for potential disruption is important.

Don’t Just Prevent, Adapt

Depending on the type of compromise, a playbook for dealing with supply chain attacks could focus purely on logistics and operations, or it might encompass digital recovery. If a grocery supplier goes down because its systems are compromised, then its digital problem becomes its customers’ physical problem. In that case, the focus for those downstream is on keeping goods flowing to their shelves.

Conversely, if your network management provider accidentally downloads malware onto one of your servers, then its digital problem becomes your digital problem. That requires a different response.

ISO standards cover preparation for these scenarios. For example, ISO 22301 addresses business continuity in the face of supply chain risks. ISO 27001 contains controls to help manage information risk that could affect you via supply chain compromise. ISO 28000 deals with enhancing supply chain security.

Managing this complex, multi-faceted supply chain risk means putting as many preventative checks in place as possible to protect yourself by choosing diligent suppliers. But it also means adapting to emerging problems rather than relying on their prevention.