Institutions operating in the logistics industry agree that critical infrastructure protection is tied to the security of the systems that directly support the processes in the supply chain.
Companies working in the critical infrastructure sector are required to comply with regulations that demonstrate they meet cybersecurity standards. Keeping the sector operating in accordance with those standards and regulations is itself one of its operational and security challenges.
In terms of access and data security, controls such as privileged account login management, central password management, two-factor authentication, and data masking help institutions meet the necessary standards and regulations.
Another issue: as the logistics sector has grown, the number of users and applications accessing procurement data, both from within the organization and remotely, has also increased.
Many privileged and administrative accounts have access to cloud data: support and maintenance personnel, remote vendors, and corporate and third-party applications all need it to keep operations running effectively and efficiently.
Consequently, the growing number of privileged accounts makes them difficult to manage and turns the systems that control them into an open target for cyber-attackers.
Cyber criminals are especially fond of one software supply chain technique: dependency confusion attacks.
Dependency confusion is a software supply chain exploit that abuses how some package managers resolve package names in order to inject unwanted, and potentially malicious, code. It relies on the fact that many package managers consult a public registry as well as the organization's private registry and, when a name exists in both, pick the candidate with the highest version number rather than the one from the private source.
So if a package exists only in a private registry and nobody has claimed its name publicly, an attacker can publish a package of the same name, typically with an artificially high version number, to the public registry. The next fresh install that resolves that name then pulls in the attacker's version instead of the internal one.
Companies can protect against dependency confusion by reserving (i.e., squatting) each internal package name or namespace on the default public registry, so that no attacker can register it. This also prevents a later configuration change from accidentally exposing a project. Reserving names is not a substitute for configuring the package manager to resolve internal names from the private registry only (for example an npm scope mapped to a registry, or a single pip index URL pointing at an internal proxy) and for pinning dependencies with hashes in a lockfile; each layer catches a different mistake.
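The resolution behaviour described above, and the two mitigations beside it, as an added Python simulation that is not part of the original page or of any real package manager. The registries are constructed dictionaries standing in for a private index and a public registry, and the package name `acme-billing` is hypothetical. The naive resolver copies the behaviour the attack relies on (every configured index is consulted and the highest version wins, which is what `pip install --extra-index-url` does, since pip gives the primary index no priority); the scoped resolver and the hash check show what restricting internal names to the private index and pinning hashes in a lockfile each achieve.

```python
"""Added simulation of dependency confusion and two mitigations.

The registries below are constructed dicts standing in for a private index
and a public registry; no network access is made. The naive resolver copies
the behaviour that the attack relies on: every configured index is consulted
and the highest version wins (this is what `pip install --extra-index-url`
does, since pip gives no priority to the primary index).
"""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Candidate:
    name: str
    version: tuple      # (major, minor, patch)
    source: str         # "private" or "public"
    content: bytes      # stand-in for the wheel or sdist bytes


def make_registries():
    """Constructed sample data: 'acme-billing' is a hypothetical internal
    package whose name was never reserved on the public registry."""
    private = {
        "acme-billing": [Candidate("acme-billing", (1, 4, 2), "private",
                                   b"legit billing code")],
    }
    public = {
        "requests": [Candidate("requests", (2, 31, 0), "public",
                               b"requests 2.31.0")],
    }
    return private, public


def publish_attacker_package(public_index, name):
    """Attacker step: claim the unreserved name publicly with a version
    number high enough to beat anything in the private index."""
    public_index.setdefault(name, []).append(
        Candidate(name, (99, 0, 0), "public", b"malicious post-install hook"))


def resolve_naive(name, *indexes):
    """Vulnerable resolution: merge every index, pick the highest version."""
    candidates = [c for index in indexes for c in index.get(name, [])]
    if not candidates:
        raise LookupError(f"{name} not found in any index")
    return max(candidates, key=lambda c: c.version)


def resolve_scoped(name, private_index, public_index, internal_names):
    """Hardened resolution: names known to be internal are served only from
    the private index; every other name only from the public one. This is
    the effect of an npm scope mapped to a registry, or of a single pip
    index URL pointing at an internal proxy."""
    index = private_index if name in internal_names else public_index
    candidates = index.get(name, [])
    if not candidates:
        raise LookupError(f"{name} is not available from its permitted index")
    return max(candidates, key=lambda c: c.version)


def unreserved_internal_names(private_index, public_index):
    """Check to run before an attacker does: internal names that nobody has
    claimed on the public registry are the ones that can still be squatted."""
    return sorted(n for n in private_index if n not in public_index)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def install_with_lock(name, lock, *indexes):
    """Lockfile check: whichever index served the artifact, refuse it if its
    hash differs from the pinned one (the effect of pip --require-hashes)."""
    chosen = resolve_naive(name, *indexes)
    if sha256(chosen.content) != lock[name]:
        raise RuntimeError(
            f"hash mismatch for {name} {chosen.version} from {chosen.source} index")
    return chosen


def run_scenario():
    """Walk through the exposure check, the attack, and both mitigations."""
    private, public = make_registries()
    internal = set(private)
    lock = {"acme-billing": sha256(b"legit billing code")}

    result = {"exposed": unreserved_internal_names(private, public)}
    result["before"] = resolve_naive("acme-billing", private, public).source

    publish_attacker_package(public, "acme-billing")
    result["after"] = resolve_naive("acme-billing", private, public).source
    result["scoped"] = resolve_scoped("acme-billing", private, public, internal).source
    try:
        install_with_lock("acme-billing", lock, private, public)
        result["locked"] = "installed"
    except RuntimeError:
        result["locked"] = "blocked"
    return result


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running the module shows the internal name flagged as unreserved, the naive resolver switching from the private copy to the attacker's public 99.0.0 once it is published, the scoped resolver still returning the private copy, and the hash check refusing the substituted artifact. The unreserved-name check only helps before the attacker registers the name, which is why it belongs in CI rather than in a one-off audit.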
Want to learn more? Cybersecurity in Logistic and Supply Chain Management is a 2-day workshop training course where participants gain the knowledge and skills to apply cybersecurity principles in logistic and supply chain management.
For more information, questions, comments, contact us.