The pager attack in Lebanon shows how vulnerable businesses become when they lack control over their suppliers. The new NIS2 directive can help address this and allow you to better protect your organisation, says Erik Lervaag, Senior Engineer IT/OT Convergence, Sopra Steria Norway.
Thousands became victims of the targeted pager attack in Lebanon in September. Regardless of who is behind it, the incident highlights the need for supply chain security for all of us, especially for critical businesses that may be targets for espionage or sabotage.
Supply chain failures have happened before
The incident in Lebanon is brutal, but it is not the first time a supply chain failure has had consequences. When American IT technician Edward Snowden leaked classified documents from US intelligence agencies through WikiLeaks in 2013-2014, Glenn Greenwald's book "No Place to Hide" revealed that the US security agency NSA (National Security Agency) had installed what it called "beacon implants" in the firmware of Cisco networking equipment.
These implants were intended to either serve as a backdoor or to send copies of traffic passing through the network equipment to the NSA. In this case, the leak detailed that shipments were intercepted, taken to NSA facilities for modification, and then repackaged and sent to the recipient as if nothing had happened.
Do we have sufficient control over security?
The supply chain is generally vulnerable and difficult to secure. Unfortunately, we must accept that some degree of risk is inevitable. If you run a business, there is a high chance that you hold trade secrets, sensitive stock market information, or personal data that someone might be interested in spying on. Or the business may have a function someone might want to sabotage.
For a long time, equipment from the Chinese industrial giant Huawei was installed in the base stations providing 4G cellular networks to the population in Norway. In 2019, the Norwegian government’s new security law prevented Huawei from becoming the sole supplier of cellular networks in Norway.
Most civilian communications depend on the mobile network, and this is critical infrastructure. There’s no reason to believe that telecom companies, as serious and critical service providers, didn’t take precautions against the risks associated with their supply chain. However, it’s not necessarily the case that all businesses have shown the same level of caution.
So, do you blindly trust your supply chain?
New requirements for European businesses
The so-called NIS2 directive came into effect in the EU on the 16th of October 2024. The security directive requires businesses defined as essential or critical to assess risks and ensure security in their supply chains.
Although several European countries are a little behind in integrating this into their legislation, with only a few such as Belgium, Hungary, Latvia and Croatia having completely transposed NIS2 into national law, European businesses should start working according to the new directive today. The legal text states, among other things, that:
Member states must ensure that all essential and critical businesses implement technical, operational, and organisational risk-reducing measures, including supply chain security.
This applies to the relationship between the business and each supplier, the vulnerabilities of each supplier, the quality of the product, and the cybersecurity regime of the supplier and their subcontractors.
Countries must also take into consideration risk assessments of suppliers coordinated by the EU.
The law does not specify what measures are appropriate for each business. Each business must assess the scope of the measures that need to be taken. Therefore, it is crucial to have a thorough and complete risk assessment that includes supply chain security.