SecurityScorecard Reports on Software Supply Chain Attacks on Energy Companies

In 2019-2020, the Russian Foreign Intelligence Service successfully mounted what the U.S. General Accountability Office called “one of the most widespread and sophisticated hacking campaigns ever conducted against the federal government and private sector.” Since then, cybersecurity experts have repeatedly called attention to the risks of software supply chain attacks. Despite these warnings, companies have continued to fail to learn from that campaign, the SolarWinds attack, and keep falling victim to attacks of the same kind. In 2022, for example, supply chain cyber attacks in the United States alone reportedly affected 1,743 entities — the highest reported number since 2017.

The threat of software supply chain attacks, however, is by no means limited to the United States. A December 6 report by security resilience vendor SecurityScorecard stated that 90 percent of the world’s 48 largest energy companies have suffered a supply chain data breach in the past 12 months. For this report, SecurityScorecard analyzed the cybersecurity profiles of the 48 largest energy companies in the United States, United Kingdom, France, Germany, and Italy. The companies spanned the coal, oil, natural gas, and electricity sectors. In total, SecurityScorecard examined more than 21,000 domains, and its analysis covered both the companies’ third-party and their fourth-party vendors.

Specific findings in the report included the following:

  • 100 percent of the top 10 U.S. energy companies experienced a third-party breach.
  • 92 percent of the energy companies evaluated have been exposed to a fourth-party breach.
  • 33 percent of energy companies had a C Security Rating or below, indicating a higher likelihood of breach.
  • In the last 90 days, SecurityScorecard identified 264 breach incidents related to third-party compromises.
  • MOVEit was the most prevalent third-party vulnerability in the last six months, with hundreds of companies affected around the world.

While this report examined only energy companies, it should serve to remind companies in all industries, including other parts of critical infrastructure, that supply chain risk is a serious and continuing threat that requires immediate attention. Moreover, recent developments show that inadequate attention to software supply chain risks may pose not only operational and reputational risks, but legal risks as well. On October 31, the Securities and Exchange Commission (SEC) announced that it had charged both SolarWinds and its chief information security officer, Timothy G. Brown, with fraud and internal-control failures relating to allegedly known cybersecurity risks and vulnerabilities. Because the SEC’s jurisdiction extends not only to U.S. companies but also to foreign companies whose shares are traded on U.S. securities exchanges, those companies need to make software supply chain risks a key priority in their cybersecurity programs.