Report reveals cybersecurity weaknesses within Defence supply chain

Homeland June 25, 2021

BlueVoyant, a cybersecurity services company, has released the findings from its Defense Industry Supply Chain & Security 2021 report, which highlights critical vulnerabilities within the defence supply chain ecosystem.

The report includes evidence of the exploitable cyber weaknesses of small-to-medium businesses (SMBs) within the Defense Industrial Base (DIB) and demonstrates how cybercriminals are becoming increasingly adept at locating and exploiting the weakest link within the supply chain.

As part of its assessment of the scale of the problem for SMB defence companies, BlueVoyant examined the security of 300 subcontractor firms within the DIB using its third-party datasets and proprietary research.

BlueVoyant identified the cybersecurity gaps in the subcontractors’ security practices to garner a better understanding of the security posture of less visible members of the complex defence supply chain.

Key report findings include:

Over half of the 300 SMB defence contractors had unsecured ports that are critically vulnerable to ransomware attack[2].
More than a quarter (28%) of companies analysed showed evidence indicating they would fail to meet the most basic, tier-1 CMMC requirement.
Manufacturing and R&D companies had the highest risk profiles when assessing email security, IT hygiene, malicious activity and vulnerabilities. Industry type was a stronger predictor of risk than company size alone.
48% of the companies had ports vulnerable to ransomware as well as other severe vulnerabilities, including unsecured data storage ports, out-of-date software and OS, and other vulnerabilities rated severe according to NIST frameworks.
Almost one-tenth of the companies analyzed showed critical vulnerabilities, evidence of targeted threat activity, and evidence of compromise.
100% of the large R&D companies assessed displayed network vulnerabilities, with 66% of these companies also showing evidence of targeting.
More than six months after the F5 and Microsoft Exchange vulnerabilities were announced, nine companies still had the vulnerabilities on their networks.

In the US, securing the DIB is one of the most critical national security objectives and policymakers are acutely aware of the high stakes with cyberattacks. Businesses within this sector form the backbone of the US defence industry and are high-value targets for nation state adversaries and other cybercriminals. Although defence contractors face the same opportunistic threats as any business, the DIB’s biggest problem is the complexity of securing such an enormous ecosystem, spanning thousands of companies.

The introduction of new US government regulations and compliance standards, such as the Cybersecurity Maturity Model Certification (CMMC), are set to improve the baseline of cybersecurity requirements. Yet, despite the discipline reflected in the new regulations, many challenges remain for smaller firms, which do not have the resources and budgets to deal with increasing, targeted cyberattacks.

Through its analysis, BlueVoyant identified addressable concerns for DIB companies with low organisational cybersecurity capabilities and provided key recommendations for improving the defence industry’s overall security efforts.

Key insights can help the US Department of Defense (DoD) and defence prime contractors focus their attention and can be used to support and extend recommendations that are present in the 2017 DSB Task Force report and in the 2020 Cyberspace Solarium Commission Report and include:

Continuous cybersecurity monitoring is a key component of a secure supply chain.
Prime contractors can reduce their risk exposure by focusing on the most high-risk segments of their supply chain. Findings align with prior reports that R&D companies are particularly vulnerable targets for malicious insertion in the supply chain and focusing on them can reduce risk to all segments.
Predictive analysis is possible based on quantitative measures and can provide the DoD and prime contractors with findings to help them identify and more effectively manage risk. However, more research with a larger sample size and wider variables is needed to truly measure the risk of an industry with this scale.

Commenting on the research, Austin Berglas, Global Head of Professional Services, BlueVoyant, said: “As prime contractors and other larger DIB members develop more robust and sophisticated security defences, it’s no surprise threat actors have pivoted towards targeting SMBs within the same supply chain. In particular, manufacturers and R&D companies are lagging in terms of their own cyber posture, leaving the entire defence industry wide open to the threat of ransomware and other third-party attacks.

“For an industry with such an expansive, interconnected digital ecosystem, supply chain security should be a fundamental consideration. Prime contractors are under enormous pressure to reduce the attack surface of the entire supply chain but are partly blind to the vulnerabilities that exist. For smaller companies, identifying ongoing risks and understanding overall supply chain health is a daunting but vital process, and more attention and resources should be dedicated to combating the growing threat.”

Jim Rosenthal, founder and CEO, BlueVoyant, concluded: “The US defence supply chain is a vital national security asset, but the DIB is currently in an inefficiently secure state. In the face of relentless and successful cyber espionage, the nation’s primary focus should be on creating a secure and resilient supply chain. The two Executive Orders: one on American Supply Chains, and the other on Improving the Nation’s Cybersecurity, direct much-needed attention and funding to cybersecurity in the defence supply chain, but they are only the start. Closer co-operation between the DoD and the private sector is required to support a more vibrant, diverse and secure defence sector.”

If you would like to join our community and read more articles like this then please click here

BlueVoyant cyber security UD DOD