
Hidden risks: Computer security also encompasses the supply chain
Digitally networked - and therefore vulnerable
In today's digital world, hardly any company or organisation works completely in isolation. Many IT systems - i.e. the technical basis for communication, control and data processing - rely on components or services from external providers. This creates dependencies that attackers can potentially exploit.
What used to play a role primarily for hardware products is now also crucial for software, data and digital services - especially in safety-critical areas such as nuclear engineering.
“Specialised external IT services are also used in nuclear installations - for example for remote monitoring or analysing operating data. These connections make the systems more efficient on the one hand, but on the other hand can also make them more vulnerable.”
Dr. Oliver Rest, project manager
When the service provider becomes the weak point
Modern digital services - for example ‘Software-as-a-Service (SaaS)’, ‘Platform-as-a-Service (PaaS)’ or ‘Security Operations Centres (SOC)’ - are deeply integrated into the IT infrastructure and often hold far-reaching access rights. This makes them particularly attractive to attackers. An attacker who starts here may be able to circumvent protective measures and cause damage: they first compromise a target within the supply chain, which is often less well protected, and then either use the legitimate access that target has to the actual objective, or introduce malware into products that reach the actual objective via legitimate paths.
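How misuse of a provider's legitimate access can be spotted in practice, as an added example that is not part of the GRS article or project: the Go program below checks remote-access sessions of an external monitoring account against the access profile the operator contractually granted it (permitted source addresses, target systems, protocols and maintenance window) and reports every deviation. The log lines, the account name `svc-monitoring`, the host names and the profile values are all constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// AccessProfile captures what the operator contractually granted one external
// service account (hypothetical values for this example).
type AccessProfile struct {
	AllowedSrc   map[string]bool // provider egress addresses
	AllowedDst   map[string]bool // systems the provider may reach
	AllowedProto map[string]bool
	WindowStart  int // first permitted hour of day (UTC, inclusive)
	WindowEnd    int // first hour after the window (UTC, exclusive)
}

var profiles = map[string]AccessProfile{
	"svc-monitoring": {
		AllowedSrc:   map[string]bool{"203.0.113.10": true},
		AllowedDst:   map[string]bool{"hist-01": true, "hist-02": true}, // data historians only
		AllowedProto: map[string]bool{"https": true},
		WindowStart:  7, WindowEnd: 19,
	},
}

// Constructed gateway log in a syslog-like key=value format (not real data).
const sampleLog = `2024-03-11T10:02:17Z vpn-gw session=open user=svc-monitoring src=203.0.113.10 dst=hist-01 proto=https
2024-03-11T10:15:40Z vpn-gw session=open user=svc-monitoring src=203.0.113.10 dst=hist-02 proto=https
2024-03-11T23:48:03Z vpn-gw session=open user=svc-monitoring src=203.0.113.10 dst=hist-01 proto=https
2024-03-12T09:30:12Z vpn-gw session=open user=svc-monitoring src=198.51.100.7 dst=hist-01 proto=https
2024-03-12T09:31:55Z vpn-gw session=open user=svc-monitoring src=203.0.113.10 dst=eng-ws-07 proto=ssh`

var lineRE = regexp.MustCompile(`^(\S+) \S+ session=open user=(\S+) src=(\S+) dst=(\S+) proto=(\S+)$`)

// Finding is one deviation of a session from the agreed access profile.
type Finding struct {
	Line   int
	User   string
	Reason string
}

// CheckSession compares a single session against the account's profile and
// returns every reason it deviates; an empty result means the session is in scope.
func CheckSession(user, src, dst, proto string, ts time.Time) []string {
	p, ok := profiles[user]
	if !ok {
		return []string{"unknown external account"}
	}
	var reasons []string
	if !p.AllowedSrc[src] {
		reasons = append(reasons, "source "+src+" not in provider allowlist")
	}
	if !p.AllowedDst[dst] {
		reasons = append(reasons, "target "+dst+" outside contracted scope")
	}
	if !p.AllowedProto[proto] {
		reasons = append(reasons, "protocol "+proto+" not permitted")
	}
	if h := ts.UTC().Hour(); h < p.WindowStart || h >= p.WindowEnd {
		reasons = append(reasons, "session outside maintenance window")
	}
	return reasons
}

// Scan parses the log and returns all findings in line order. Lines that do not
// match the expected format are skipped here; in production they should be
// counted, so that a parser gap cannot hide sessions.
func Scan(logText string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(logText, "\n") {
		m := lineRE.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		ts, err := time.Parse(time.RFC3339, m[1])
		if err != nil {
			continue
		}
		for _, r := range CheckSession(m[2], m[3], m[4], m[5], ts) {
			findings = append(findings, Finding{Line: i + 1, User: m[2], Reason: r})
		}
	}
	return findings
}

func main() {
	for _, f := range Scan(sampleLog) {
		fmt.Printf("line %d: %s: %s\n", f.Line, f.User, f.Reason)
	}
}
```

Run with `go run`; on the constructed log it flags the night-time session on line 3, the unexpected source address on line 4, and both the out-of-scope target and the disallowed protocol on line 5, while the two sessions that match the contract produce nothing. The point of the allowlist design is that a compromised provider using its real credentials still has to stay inside the agreed profile to go unnoticed.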
Supply chain attacks can take many different forms: from manipulated software updates and compromised service providers to targeted attacks on components before delivery.
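The first of the attack forms listed above, a manipulated software update, together with the check that stops it, as an added example rather than code from GRS or any vendor: the vendor signs a manifest of file digests with an Ed25519 key, the operator pins the vendor's public key out of band and refuses any bundle whose manifest signature or file digests do not match, including files the manifest never listed. Keys are generated inside the program for the demonstration only; the release contents, file names and version string are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
)

// Manifest lists every file of an update bundle with its SHA-256 digest. The
// vendor signs it and the operator pins the vendor's public key out of band, so
// an attacker who alters the bundle cannot simply ship a matching manifest.
type Manifest struct {
	Version string            `json:"version"`
	Files   map[string]string `json:"files"` // filename -> hex SHA-256
}

func digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// BuildManifest is the vendor-side step: hash every file of the release.
func BuildManifest(version string, files map[string][]byte) Manifest {
	m := Manifest{Version: version, Files: map[string]string{}}
	for name, data := range files {
		m.Files[name] = digest(data)
	}
	return m
}

// signingBytes is what gets signed and verified. encoding/json emits map keys in
// sorted order, so vendor and operator hash identical bytes.
func signingBytes(m Manifest) []byte {
	b, _ := json.Marshal(m) // cannot fail for string and map[string]string fields
	return b
}

func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, signingBytes(m))
}

// VerifyBundle is the operator-side gate before installation. It returns the list
// of problems; an empty list means the bundle is exactly what the vendor signed.
func VerifyBundle(vendorPub ed25519.PublicKey, m Manifest, sig []byte, files map[string][]byte) []string {
	if !ed25519.Verify(vendorPub, signingBytes(m), sig) {
		// Without a valid signature the digests prove nothing; stop here.
		return []string{"manifest: signature invalid (altered manifest or wrong key)"}
	}
	var problems []string
	for name, want := range m.Files {
		data, ok := files[name]
		switch {
		case !ok:
			problems = append(problems, name+": listed in manifest but missing from bundle")
		case digest(data) != want:
			problems = append(problems, name+": digest mismatch")
		}
	}
	for name := range files {
		if _, ok := m.Files[name]; !ok {
			problems = append(problems, name+": not in manifest (unexpected file)")
		}
	}
	sort.Strings(problems) // map iteration order is random; report deterministically
	return problems
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// RunScenario returns the verifier's verdict on three deliveries: the genuine
// bundle, one manipulated in transit, and one re-signed by the attacker.
func RunScenario() (genuine, tampered, forged []string) {
	vendorPub, vendorPriv := mustKey()
	// Constructed release contents, not a real firmware image.
	release := map[string][]byte{
		"firmware.bin": []byte("original firmware image (constructed)"),
		"config.xml":   []byte("<config><remote-monitoring enabled='true'/></config>"),
	}
	manifest := BuildManifest("2.4.1", release)
	sig := SignManifest(vendorPriv, manifest)
	genuine = VerifyBundle(vendorPub, manifest, sig, release)

	// Attack 1: firmware patched and an extra binary added; manifest left as is.
	bad := map[string][]byte{
		"firmware.bin": []byte("original firmware image (constructed) injected"),
		"config.xml":   release["config.xml"],
		"helper.dll":   []byte("unexpected binary (constructed)"),
	}
	tampered = VerifyBundle(vendorPub, manifest, sig, bad)

	// Attack 2: attacker rebuilds the manifest for the bad bundle and signs it
	// with their own key; the pinned vendor key rejects it.
	_, attackerPriv := mustKey()
	forgedManifest := BuildManifest("2.4.1", bad)
	forged = VerifyBundle(vendorPub, forgedManifest, SignManifest(attackerPriv, forgedManifest), bad)
	return genuine, tampered, forged
}

func main() {
	genuine, tampered, forged := RunScenario()
	fmt.Println("genuine:", genuine, "\ntampered:", tampered, "\nforged:", forged)
}
```

The signature check comes first on purpose: if the manifest itself is accepted on trust, an attacker who can replace the bundle can replace the manifest with it, and the digest comparison becomes theatre. What the program does not cover is how the operator obtains and rotates the pinned vendor key; that step has to happen over a channel independent of the update delivery.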
“An attack on one single central service provider could affect several systems at the same time - even those that are not directly linked with each other.”
Dr. Oliver Rest, project manager
Long-term risks over the entire life cycle
What is particularly treacherous is that the danger does not end when a system goes live. Software is updated regularly and services are used over the long term, so the attack surface persists over the entire life cycle of an IT system. Even small vulnerabilities in the supply chain can become a gateway in the long run.
For operators of safety-critical systems, this means keeping an eye not only on their own installations but also on their external service providers and the entire supply chain, because the security of their own premises depends on it.
Detecting an attack before it hits - GRS project on computer security in the supply chain
GRS already completed a project on computer security in the supply chain on behalf of the German Federal Environment Ministry in 2023. The current project builds on it, with a new focus on digital service systems.
“We want to better understand how attacks via external IT services could work - and how to effectively protect against them. It's about analysing the real threat situation, not just theoretical scenarios.”
Dr. Oliver Rest, project manager
To this end, the researchers are investigating current computer security incidents, analysing known attack methods and taking international guidelines and standards into account. The aim is to obtain as complete a picture as possible of the threat situation and the protective measures available.
Recognising patterns, eliminating weak points
An important element of the project is the investigation of attack patterns: What methods do attackers use? Which vulnerabilities are exploited? How can such attacks be detected at an early stage, made more difficult, or even prevented?
The findings are to be integrated into the well-known ‘MITRE ATT&CK Framework’, a widely used knowledge base of attacker tactics and techniques for categorising cyber-attacks. To do so, GRS is adapting the framework to the special features of service systems in order to make it even more useful in practice for critical infrastructures.
“We contribute expertise from the nuclear sector to international security research - this also strengthens the protection of other critical infrastructures.”
Dr. Oliver Rest, project manager
Knowledge that continues to have an impact
The results of the project will not only be incorporated into expert assessments and safety evaluations, but also into committee work at national and international level. This way, knowledge from research is directly transferred into practice - a central building block for the long-term computer security of nuclear installations.