Keeping the IT supply chain secure—a considerable challenge for 2024

Author: Arnaud DUFOURNET, Chief Marketing Officer

Supply-chain attacks are rocketing. According to the 2022 Cyber Security Report, published annually by Check Point, such attacks saw a spectacular increase of 650% in 2021 compared to the previous year. Pessimistically, Gartner predicted in 2021 that “by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains.”

In response to this widespread intensification of cyber threats, the European Union has built up a whole arsenal of legislation in recent months, with a veritable bundle of new regulations and directives, including the NIS 1 and NIS 2 Directives, the Critical Entities Resilience Directive (CER), the DORA regulation for the financial sector, Part-IS for aviation, and the proposed Cyber Resilience Act (CRA). Maintaining the security of third-party service providers, and thus of the supply chain, has become a recurring theme within the new requirements created in these regulations and directives, with far-reaching practical implications for the relationship between regulated entities and IT service providers.

What is a supply-chain attack?

Over recent years, the large corporations that make use of outsourcing have upped their cyber-resilience game considerably, forcing cybercriminals to find other ways into their networks. Consequently, their subcontractors, often being less well protected, are increasingly the attack targets. The connections that exist between systems and the high level of IT subcontracting in certain sectors, such as banking, explain the huge growth in this type of attack.

The principle is quite straightforward—a supply-chain attack is an indirect attack via IT service providers, i.e. the suppliers of software, applications or services. Cyber attackers use these subcontractors to gain access to their real target. The most common methods used are compromising the source code of open-source software or components used by such service providers (e.g. the NotPetya malware), or stealing credentials that give access to the subcontractor’s software. Exploiting zero-day vulnerabilities (such as Log4J) and downloading malware-infected updates to open-source components are typically the starting point for these attacks.

The aim is to steal confidential data, gain access to highly sensitive environments, or to take control remotely over specific systems, with the ultimate objective being industrial espionage, extortion, or causing some kind of instability. Often complex and sophisticated, these attacks are generally the work of state-backed organizations or powerful criminal organizations.

The targets most exposed to this type of attack are Managed Service Providers (MSPs), major software vendors, and IT hardware suppliers. They have their clients’ trust, and all the more so when they are supplying cybersecurity solutions.

New regulatory requirements

One key feature shared by the latest regulations (NIS 2 and DORA) adopted by the European Union is that they both address the issue of IT supply chain resilience. When these regulations talk about data security and resilience, one imperative aspect that comes up time and again is the ability to guarantee the availability, authenticity, integrity, and confidentiality of data stored, transmitted, or processed.

As you might know, NIS 2 will apply in EU Member States from October 17, 2024, and will affect around 100,000 organizations across the European Union, while DORA comes into force on January 18, 2025, and will apply to 22,000 financial entities.

NIS 2 compliance

These figures do not include subcontractors, but they too will have to match the security levels imposed on those of their clients falling within the remit of these regulations. In practical terms, the subcontractors stipulated are “providers of data storage and processing services or managed security service providers and software editors” according to the terms of the NIS 2 Directive. Essential or important entities are “encouraged to incorporate cybersecurity risk-management measures into contractual arrangements with their direct suppliers and service providers.”

Regulated entities are evidently expected to organize the resilience of their IT supply chains by means of contract provisions. In France, the French National Cybersecurity Agency (ANSSI) is responsible for transposing the Directive and its new head, Vincent Strubel, announced at the Assises de la cybersécurité, a French industry event for cybersecurity experts, that a bill would be presented in the spring of 2024, which will shed more light on the cybersecurity measures that regulated entities and their IT service providers will need to implement if they are to comply with NIS 2.

What are the impacts for IT service providers?

IT service providers currently working with regulated entities (or those soon to become regulated) are obviously not all starting from the same level as regards managing cyber risks. For example, IT services and consulting firms that handle the information systems of critical market operators are already a long way down this road. The EU Regulations will, however, add additional contractual pressure, and increase the need to work together with their clients.

The HR impact should not be overlooked, because lasting resilience has to entail perpetual maintenance of skills and knowledge, and that means regular training. In a sector suffering from a talent shortage and high staff turnover, this is undoubtedly a considerable challenge to meet. As regards software vendors, those who are already involved in regular certification/assessment processes with cybersecurity agencies are suitably prepared to meet these regulatory requirements. This applies to TheGreenBow, for example. Having first obtained ANSSI’s standard qualification and NATO Restricted approval for its Windows VPN Client back in 2013, TheGreenBow is accustomed to being regularly audited and tested on its ability to put trustworthy software on the market.

Efforts will have to be redoubled, however, in terms of vulnerability intelligence gathering, and indeed communication and transparency. On this topic, France’s new Military Spending Bill (LPM) for 2024–2030 published in the country’s official gazette on August 2, 2023, goes further by imposing a duty of transparency on software vendors when vulnerabilities are found, including in embedded open-source libraries and components. Article 66 stipulates that “in the event of an IT incident compromising the security of their information systems and likely to have a significant impact on one of their products,” vendors are required to inform ANSSI and all of their clients. The Log4Shell vulnerability (affecting the Log4J logging utility) discovered in December 2021 is a textbook case. Although not affected, TheGreenBow published a security notice to keep its clients informed.

What are the new requirements for compliance of security of remote communications?

The NIS Directive once again reiterates the need to protect communications by using encryption. ANSSI’s Guideline for a Healthy IS, which is highly likely to be used once again as a baseline for the security measures to be implemented, recommends using IPsec VPN tunnels to protect remote connections to information systems. What does this mean in terms of requirements for service providers? Given that communications have to continue in the event of an incident, their wisest course of action is to turn to the most robust and reliable cybersecurity solutions, i.e. those holding security certifications and labels from authorities around the world.

As regards the use of VPN tunnels to access the information systems of regulated entities, IT service providers must become more agile and flexible when it comes to tunnel management, and especially how they are configured. Jumping from one client’s information system to the next, allowing for various employees and hardware components to access those systems, and still providing a high level of security will most certainly require some dexterity.

To meet this challenge, TheGreenBow has made its VPN clients compatible with the IPsec DR framework published by ANSSI in the spring of 2023 (only available in French), and submitted a fresh certification/assessment request for its Windows client. Also with a view to further enhancing the level of trust, last year TheGreenBow started developing features based on the ZTNA approach that work in conjunction with IPsec tunnels. For example, the Windows Enterprise VPN Client’s filtering mode allows for DNS filtering that can block command-and-control traffic, which may be concealed in software updates.

Lastly, to meet clients’ and users’ needs for flexibility and segmentation, TheGreenBow has launched the Connection Management Center. This console is specifically designed to create, centralize, and quickly distribute VPN configurations. It also aims to manage security rules based on the zero trust principle that determine how and when to open a tunnel, such as checking endpoint compliance when a remote connection is requested.

IT supply chain security and ensuring compliance with the new regulations give rise to a number of questions. We were able to gauge just how many during our workshop at the Assises 23 cybersecurity industry event on this very subject. Moreover, a day of presentations will be devoted to this topic during the European Cyber Week, at which TheGreenBow will have a stand to answer attendees’ questions and discuss their plans.