Supplier cybersecurity

Supply chain cybersecurity, a pressing requirement for Romanian organizations

The steady increase in supply chain attacks makes the cybersecurity of suppliers and subcontractors a critical necessity. For organizations that do not have the necessary internal skills and have to balance risks with available resources, turning to a provider specialized in outsourcing security services is the most effective solution.

In February 2024, 26 Romanian hospitals were hit by a ransomware attack that brought their activity to a halt: appointments could not be made and prescriptions could not be issued. A further 79 units were disconnected as a precaution, which further complicated the situation at national level.

The cause? A vulnerability in the eHealth platform used by all these medical institutions, which attackers successfully exploited to encrypt data on the production servers. The malware used in the attack was Backmydata, a variant of the Phobos ransomware family known for propagating over Remote Desktop Protocol (RDP) connections. The attack was confirmed by both the National Directorate of Cyber Security (DNSC) and the Ministry of Health.

According to official data, the attacked eHealth platform is used by more than 100 medical units across the country to manage internal operations and to submit the services performed to the settlement system of the Health Insurance Funds. Subsequently, the DNSC issued a series of security recommendations to all healthcare entities, whether or not they had been affected by the Backmydata attack, for scanning their IT&C infrastructure and preventing or stopping the Backmydata ransomware threat.

The February cybersecurity incident is an example of an attack on the suppliers and subcontractors of operators of essential services. Known as a “supply chain attack”, it exploits vulnerabilities at a third-party provider, considered trustworthy, which delivers software services or applications to multiple beneficiaries.
The phenomenon has been on the rise in recent years. The European Union Agency for Cybersecurity (ENISA) considers such attacks one of the main emerging risks through 2030. This is also confirmed by global statistics, which indicate a 26% increase in attacks on partners and suppliers in 2023 compared to the previous year.
The growing frequency is generating increasing concern among organizations, especially those with extended partner chains. According to Gartner, last year 60% of executives believed that attacks on suppliers and subcontractors were the most likely type of cyber threat that could affect their business.

A real concern at EU level

According to ENISA’s study “Good practices for supply chain cybersecurity”, published in June 2023, up to 62% of organizations had already been affected by a security incident caused by a supplier or subcontractor.
This trend has been confirmed over time. For example, the EU agency’s 2021 analysis showed that in 66% of the attacks analysed, partners did not know, or were not transparent about, how they had been compromised. At the same time, about 9% of organizations affected by partner chain attacks did not know how the attacks had occurred.

The results highlight, on the one hand, existing problems in reporting cybersecurity incidents between suppliers/subcontractors and the companies serving end users, and on the other hand, the inability of organizations to manage security risks at the partner level. Nearly two-thirds of attacks (about 62%) took advantage of organizations’ trust in third parties. (In 66% of the incidents analysed by ENISA, attackers focused on the source code of applications delivered by vendors, a pattern similar to that flagged by the DNSC.)

A year later, in 2022, according to the European agency, 40% of IT security officials at companies said they had been affected by incidents originating in their supply chain. The increase in such events was a source of concern for 58% of executives, who felt that their partners had a lower level of resilience than their own organization.

What’s new in NIS 2

The European Union proactively addresses these issues through the NIS (Network and Information Systems) Directives. The NIS1 directive was transposed into national legislation by Law 362/2018 on ensuring a high common level of security of network and information systems. The normative act, which entered into force in January 2019 in Romania, addresses Essential Services Operators (ESOs) from seven sectors of economic activity and their digital service providers, including health services.

In fact, in the case of the February attack, the National Directorate of Cyber Security repeatedly pointed out that, in accordance with Law 362/2018, operators of essential services are obliged to implement appropriate measures to prevent and minimize the impact of incidents affecting the security of the networks and information systems they use, and to immediately notify the DNSC, as the national CSIRT, of incidents that have a significant impact on the continuity of essential services. The same notification obligation applies to digital service providers if the security event affects the activity of an operator of essential services.

NIS 2 extends the scope of the Directive to more areas of activity. It also changes the way organizations approach and manage security at the supplier and subcontractor level. The EU Directive promotes the idea of securing each component of the partner chain by introducing mandatory requirements for organizations regarding:
– assessment of the relevant risks at the level of third-party partners,
– engaging with high-risk suppliers/subcontractors to raise their awareness, and
– continuous updating of security measures.

What is the situation today

Although statistics show that organizations are aware of the security risks that may occur at the level of the supply chain, and the new European directive has clear provisions in this regard, not many companies have taken concrete steps.

Thus, according to the ENISA study, in 2022 86% of EU companies had adopted security policies for suppliers and subcontractors. Despite these measures, only 47% of them had allocated the budgets necessary to comply with cybersecurity requirements. The delay is mainly due to the fact that implementing security practices and controls for the companies in the partner chain requires additional financial and human resources. This involves investments in skills, solutions and IT infrastructure, both by organizations and by their suppliers/subcontractors. Non-IT companies, however, have limited human and financial resources, so they must carefully weigh the potential costs, risks and benefits when deciding how much to commit to partner chain cybersecurity.

Skills are needed

The EU agency’s survey revealed that less than a quarter (24%) of organizations have dedicated stakeholders for this area. The research also showed that, despite the existence of policies, operators and digital service providers do not always have the structures needed to manage risks related to the cybersecurity of the partner chain.

Regarding methods of mitigating the cyber security risks that may arise at the level of suppliers/subcontractors, 61% of organizations opt for security certifications, followed by risk rating techniques (43%) and security evaluations/tests (37%). However, security certifications are often expensive, especially for smaller vendors/subcontractors who are not specialized in cybersecurity. Furthermore, ENISA stresses that certification of partners and/or their products cannot replace the constant assessment of the risks that may arise in the partner chain.

All this brings to the fore the need for specialized skills and maintaining the right balance between rationalizing resources and proactively addressing risks. For this reason, more and more companies choose to turn to outsourced security service providers with experience, solutions and competencies validated by internationally recognized certifications, such as Safetech Innovations.

How can Safetech contribute

Safetech specialists recommend that companies wanting to better secure the access of the suppliers and subcontractors they work with take the following proactive measures:

  • Limit the direct access of suppliers and subcontractors to the internal infrastructure by routing it through intermediate jump host systems,
  • Install and configure robust security solutions on the jump host systems that can quickly identify various types of malware and isolate the affected systems,
  • Have a team of IT security specialists monitor these systems closely, so that security problems originating in the infrastructure of collaborators or subcontractors are identified quickly,
  • Carry out regular risk assessments to highlight possible security problems caused by interaction with external collaborators,
  • Establish access policies between the jump host and the final systems that follow the principle of least privilege,
  • Establish procedures for periodically changing the passwords used by collaborators to access the internal infrastructure.
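The jump-host recommendations above can be expressed as checkable controls. The following is an added example, not Safetech's code or any product of theirs: a per-account allow-list of internal host:port destinations reachable through a jump host (the least-privilege access policy), an audit of jump-host log lines against that policy (the monitoring point), and a password-age check for supplier accounts (the rotation procedure). The account names, hostnames, IP addresses, dates and the log line format are all constructed assumptions made for the example.

```python
"""Least-privilege access policy for a supplier jump host, an audit of
jump-host log lines against it, and a credential-age check.

Added example, not Safetech's tooling. Every account, host, address and
log line below is constructed for illustration."""
import re
from dataclasses import dataclass
from datetime import date

# Per-supplier allow-list of (internal host, port) pairs reachable through
# the jump host. Anything not listed is denied (least privilege).
# Hostnames are constructed, not real infrastructure.
POLICY = {
    "vendor-ehr": {("app-ehr-01.internal", 443), ("db-ehr-01.internal", 5432)},
    "vendor-hvac": {("bms-01.internal", 8443)},
}


def is_allowed(policy, user, host, port):
    """True only if the policy explicitly grants this account this destination."""
    return (host, port) in policy.get(user, set())


# Constructed log format written by the jump host's forwarding component:
# "<ISO timestamp> user=<account> src=<ip> dst=<host>:<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<host>[^:\s]+):(?P<port>\d+)$"
)

# Constructed sample log: two permitted sessions, two out-of-policy
# destinations, one unknown account and one malformed line.
SAMPLE_LOG = """\
2024-02-12T09:01:10Z user=vendor-ehr src=203.0.113.7 dst=app-ehr-01.internal:443
2024-02-12T09:02:44Z user=vendor-ehr src=203.0.113.7 dst=db-ehr-01.internal:5432
2024-02-12T09:05:02Z user=vendor-ehr src=203.0.113.7 dst=fileserver-01.internal:445
2024-02-12T09:07:19Z user=vendor-hvac src=198.51.100.23 dst=bms-01.internal:8443
2024-02-12T09:08:55Z user=vendor-hvac src=198.51.100.23 dst=app-ehr-01.internal:3389
2024-02-12T09:10:00Z user=unknown-acct src=198.51.100.23 dst=bms-01.internal:8443
malformed line that the parser must skip
"""


@dataclass(frozen=True)
class Violation:
    ts: str
    user: str
    src: str
    host: str
    port: int
    reason: str


def audit_log(policy, log_text):
    """Return every connection attempt that falls outside the allow-list.

    Lines that do not match the expected format are skipped rather than
    treated as permitted, so a malformed line never masquerades as an
    authorised session."""
    violations = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        user, host, port = m["user"], m["host"], int(m["port"])
        if user not in policy:
            reason = "account not in policy"
        elif not is_allowed(policy, user, host, port):
            reason = "destination not permitted for account"
        else:
            continue
        violations.append(Violation(m["ts"], user, m["src"], host, port, reason))
    return violations


# Constructed supplier account records: date the access password was last set.
ACCOUNTS = {"vendor-ehr": date(2023, 11, 1), "vendor-hvac": date(2024, 1, 20)}
REVIEW_DATE = date(2024, 2, 12)  # constructed date of the periodic review


def accounts_due_for_rotation(accounts, today, max_age_days=90):
    """Accounts whose password is older than max_age_days, sorted by name."""
    return sorted(u for u, set_on in accounts.items() if (today - set_on).days > max_age_days)


if __name__ == "__main__":
    for v in audit_log(POLICY, SAMPLE_LOG):
        print(f"{v.ts} {v.user} -> {v.host}:{v.port} from {v.src}: {v.reason}")
    print("rotate:", accounts_due_for_rotation(ACCOUNTS, REVIEW_DATE))
```

Run as a script, the audit reports three violations (an EHR vendor reaching a file server on 445, the HVAC vendor reaching the EHR application server on 3389, and an account that is not in the policy at all) and flags `vendor-ehr` for password rotation. The allow-list is written as data rather than as firewall rules so that the same table can drive both the jump host's forwarding restrictions and the review of its logs; a destination that is not in the table is a finding, regardless of whether the connection succeeded.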

Safetech delivers efficient solutions to organizations that want to outsource these tasks. The company owns and operates one of the first private CERT (Computer Emergency Response Team) structures in Romania. Called STI CERT, it has been active since 2015, is staffed by a team of 25 specialists holding multiple cybersecurity certifications, and holds the Trusted Introducer accreditation, granted in the EU to organisations performing such services.

STI CERT provides companies with extensive detection, response and advanced support services necessary to ensure IT security, both at the level of organizations and the supply chain and subcontractors. In addition, Safetech offers preventive services in the area of governance consulting, system integration, penetration testing, vulnerability management and security audit.

Safetech Innovations is one of the most experienced cyber security companies in Romania. We have 12 years of activity and over 600 completed projects in this field for clients from multiple economic sectors.

Currently, Safetech Innovations has over 60 employees, 40 of whom are members of the technical team.

For more information about Safetech Innovations services, practical demonstrations and commercial offers, we invite you to contact us by email at sales @ safetech.ro or by phone at +40 21 3160565.