
Hidden risks: Computer security also encompasses the supply chain

Be it software updates, cloud services or external analysis platforms - modern IT systems rely on a large number of digital service providers. What brings efficiency also harbours new risks: attackers can penetrate deep into well-protected systems unnoticed via an inadequately protected supply chain - even in safety-critical areas such as nuclear engineering. A new GRS research project looks at how such attacks unfold, which systems are particularly at risk, and how operators can protect themselves better.

Digitally networked - and therefore vulnerable

In today's digital world, hardly any company or organisation works completely in isolation. Many IT systems - i.e. the technical basis for communication, control and data processing - rely on components or services from external providers. This results in dependencies that could potentially be exploited and misused by attackers.

What used to play a role primarily for hardware products is now also crucial for software, data and digital services - especially in safety-critical areas such as nuclear engineering.

“Specialised external IT services are also used in nuclear installations - for example for remote monitoring or analysing operating data. These connections make the systems more efficient on the one hand, but on the other hand can also make them more vulnerable.”

Dr. Oliver Rest, project manager

When the service provider becomes the weak point

Modern digital services - for example ‘Software-as-a-Service (SaaS)’, ‘Platform-as-a-Service (PaaS)’ or ‘Security Operation Centres (SOC)’ - are deeply integrated into the IT infrastructure. They often have far-reaching access rights. This makes them particularly attractive to attackers: anyone who starts here may be able to circumvent protective measures and cause damage. The attackers first attack targets within the supply chain, which are often less well protected. From there, they either exploit legitimate access options to the actual target of the attack, or they introduce malware into products that could then reach the actual target via legitimate paths.

Supply chain attacks can take many different forms: from manipulated software updates and compromised service providers to targeted attacks on components before delivery.

“An attack on one single central service provider could affect several systems at the same time - even those that are not directly linked with each other.”

Dr. Oliver Rest, project manager

Long-term risks over the entire life cycle

What is particularly treacherous is that the danger does not end when a system goes live. Software is regularly updated and services are used over the long term, so the attack surface continues to exist over the entire life cycle of an IT system. Even the smallest vulnerabilities in the supply chain can become a gateway in the long run.

For operators of safety-critical systems, this means that they must also keep an eye on their external service providers and the entire supply chain in order to ensure safety on their own premises.

Detecting an attack before it hits - GRS project on computer security in the supply chain

As early as 2023, GRS completed a project on computer security in the supply chain on behalf of the German Federal Environment Ministry. The current project builds on this - with a new focus on digital service systems.

“We want to better understand how attacks via external IT services could work - and how to effectively protect against them. It's about analysing the real threat situation, not just theoretical scenarios.”

Dr. Oliver Rest, project manager

To this end, the researchers are investigating current computer security incidents, analysing known attack methods and taking international guidelines and standards into account. The aim is to obtain as complete a picture as possible of the threat situation and the protective measures available.

Recognising patterns, eliminating weak points

An important element of the project is the investigation of attack patterns: What methods do attackers use? Which vulnerabilities are exploited? How can such attacks be detected at an early stage, made more difficult, or even prevented?

The findings are to be integrated into the well-known ‘MITRE ATT&CK Framework’ - an international standard for categorising cyber-attacks. To do so, GRS is adapting the framework to the special features of service systems in order to make it even more relevant for practical use in critical infrastructures.

“We contribute expertise from the nuclear sector to international security research - this also strengthens the protection of other critical infrastructures.”

Dr. Oliver Rest, project manager

Knowledge that continues to have an impact

The results of the project will not only be incorporated into expert assessments and safety evaluations, but also into committee work at national and international level. This way, knowledge from research is directly transferred into practice - a central building block for the long-term computer security of nuclear installations.