Betrusted

Cybersecurity: A Challenge for Supply Chains

The exponential increase in cyberattacks and ransomware has cost Italian companies millions of euros—€3.55 million in 2023, according to IBM’s latest Cost of a Data Breach Report 2023—threatening business stability and operational continuity across international supply chains.

Every company is part of a production and distribution chain, operating within a process that spans from raw material procurement to the delivery of the finished product to the end customer.

Cyber Risk in the Supply Chain

Supply chains are becoming increasingly complex because of the speed, flexibility, accuracy, and efficiency that all stakeholders demand, and significant cybersecurity challenges persist.

Organizations are increasingly exposed to cross-business impacts arising from their relationships with the customers, suppliers, and partners integrated into their ecosystem.

Consider the cyber risks associated with using software provided or delivered by IT service providers and partners. This type of risk includes:

  1. Security Vulnerabilities:
    • Insecure Software: software vendors may provide products with vulnerabilities that attackers can exploit to compromise corporate systems.
    • Updates and Patches: failure to apply updates and patches promptly by vendors can leave companies exposed to known threats.
  2. Unauthorized Access:
    • Compromised Credentials: if IT service providers do not properly manage credentials and access, attackers can gain unauthorized access to corporate systems.
    • Elevated Privileges: providers with high-level privileges can become targets for attackers who may exploit these accesses for large-scale attacks.
  3. Service Disruptions:
    • Critical Dependency: the interruption of services provided by third parties can significantly impact business operations, causing financial losses and reputational damage.
    • DDoS Attacks: IT service providers can be targeted by Distributed Denial of Service (DDoS) attacks, disrupting critical services for businesses.
  4. Compliance and Regulations:
    • Non-Compliance: using vendors that do not comply with security and privacy regulations can expose companies to legal and financial penalties.
    • Data Protection: inadequate data management by providers can lead to privacy violations and personal data breaches.
  5. Third-Party Risk:
    • Fourth Parties: IT service providers may themselves use subcontractors, increasing the number of potential entry points for attackers.
    • Concentration Risk: relying on a few key suppliers increases the risk that a single failure point could have a widespread impact on the business.
  6. Security Incident: any compromise of a provider’s security can directly impact corporate systems, including data theft, ransomware, and other threats.

Third-Party Risk in Regulations

The NIS2 and DORA regulations recognize third-party risks and define a series of measures and obligations to minimize risks associated with third-party management. Let’s look at the key points from this perspective.

NIS2

The EU NIS2 Directive, set to take effect on October 17, establishes new rules for securing the supply chains of infrastructures deemed critical or highly critical.

One of NIS2’s crucial aspects is the introduction of the concept of “chain of responsibility.”
This means that companies must manage cybersecurity risks throughout the entire supply chain, ensuring that every link—including digital solution providers and software companies—adheres to robust cybersecurity protocols.

Companies and their software vendors must work closely to ensure that applications are developed and maintained securely, contributing to the protection of the EU’s critical infrastructure.

Article 21, paragraph 3 of the NIS2 Directive states:
“Member States shall ensure that, in assessing which measures under paragraph 2(d) of this article are appropriate, entities take into account the specific vulnerabilities of each direct supplier and service provider and the overall quality of the cybersecurity products and practices of their suppliers and service providers, including their secure development procedures.”

Paragraph 2(d) lists supply chain security—including security aspects related to relationships between each entity and its direct suppliers or service providers—as one of the measures that must be included in the multi-risk approach.

DORA

The European Parliament introduced DORA (Digital Operational Resilience Act), also known as Regulation (EU) 2022/2554, an important legislative act set to take effect in January 2025, aimed at raising the overall level of digital resilience in the financial sector.

DORA requires financial entities to implement a robust cyber risk management framework, including the assessment and mitigation of risks associated with third-party service providers.

The DORA regulation establishes specific requirements for ICT (Information and Communication Technology) service providers, including data analytics services, data centers, cloud service providers, and software vendors.

Article 24 states that, where relevant, ICT service providers must be included in testing programs to ensure that their systems and processes are tested and meet required security standards.

Chapter V outlines fundamental principles related to preliminary risk assessments, contractual provisions, designation of critical suppliers, and the supervisory framework.

Business Supply Chain vs. Software Supply Chain: Analogies and Dependencies

The relationship between business supply chains and software supply chains can be described in terms of similarities and differences, as both involve flows of materials or information across multiple stages or entities.

Below is a point-by-point comparison of the two chains:

  1. Processes Involved:
    • Business supply chain: production involves the physical transformation of raw materials.
    • Software supply chain: production involves coding and compilation processes.
  2. Distribution:
    • Business supply chain: distribution requires physical logistics.
    • Software supply chain: distribution occurs digitally, often instantly and without transportation costs.
  3. Key Components:
    • Business supply chain: Suppliers, who provide raw materials or components; Manufacturers, who transform raw materials into finished products; Distribution, which includes warehouses, logistics, and transportation; Retail, the physical or online stores selling products to end consumers; Customers, the end users of the products.
    • Software supply chain: Developers, who create and maintain code; Code Repositories, platforms for storing code, such as GitHub; Build Systems, automated systems that compile and prepare software for release; Distribution, the channels where software is made available, such as installable packages and app stores; End Users, the people or businesses using the software.
  4. Security:
    • Business supply chain: security includes the protection of physical assets and data.
    • Software supply chain: security focuses on protecting code from vulnerabilities, cyberattacks, and compromises.


Ensuring the security of the software supply chain is critical to maintaining the stability of the business supply chain.
As software and physical processes become more interdependent, protecting the software supply chain is crucial to preventing disruptions, vulnerabilities, and attacks that could have devastating effects on the entire supply chain.

Securing the Software Supply Chain for Business Continuity

Software applications are fundamental to the efficient and secure functioning of the supply chain, and application security plays a crucial role in managing and mitigating third-party risks.

The Importance of Security Testing

Security tests, including penetration testing, mandated by NIS2 and DORA regulations, are crucial to ensuring software supply chain security.

These tests simulate real-world attacks to identify vulnerabilities before they can be exploited. Implementing them helps strengthen defenses and ensures all supply chain components remain secure.

Conclusion

A secure software supply chain is essential for ensuring that the software used by organizations is safe, reliable, and uncompromised.

Find out how we can help you test your software supply chain with our Offensive Security services.
