Supply chain cybersecurity threats may rise in 2018, warns Booz Allen

One of the biggest cybersecurity stories of 2017 was the NotPetya attack, which memorably hit shipping giant A.P. Moller - Maersk, causing it to shut down operations at 76 port terminals in four countries around the world. The attack caused delays and disruptions that lasted weeks and ultimately cost the company more than US$2 million.

According to the consulting firm Booz Allen Hamilton, this type of cyberattack should not be viewed as a one-time fluke. In its "Foresights 2018" special report, Booz Allen predicts that companies will see more of these types of cyberthreats in the coming year.

What made NotPetya different from other cybersecurity attacks is that it originated not with Maersk but as an attack on the Ukrainian tax software M.E.Doc, which then spread through compromised networks. Booz Allen describes these types of cybersecurity risks as "indirect supply attacks," where cybercriminals infiltrate a small software provider or other supplier that operates within the supply chain of a much larger company. The ultimate target is not the original compromised company but larger Fortune 500 companies.

Another cybersecurity trend that supply chain managers should be aware of is extortion attacks on industrial control systems (ICS). In these cases, hackers gain access to a manufacturer's ICS and demand that the company pay a ransom to prevent or mitigate any disruptions to operations. Automakers Nissan and Renault and pharmaceutical company Merck all experienced such attacks in 2017. In addition, there have been incidents of Eastern European criminals who have used such techniques against chemical manufacturing facilities, according to the report.

However, the report suggests that these types of threats will not be widespread. To successfully carry out such attacks, criminals will need to know not only how to gain access to a control system but also how to target the process being controlled. "Attacks of this nature will likely be beyond the reach of most cybercriminals and be limited to a small, niche group of technically savvy actors," says the report.