Supply-Chain Cyber Attack
E1. Maritime security, geopolitics and risk
Definition
Compromise via third-party software/equipment supplier.
A supply-chain cyber attack compromises an organization through a trusted third party: a software vendor, an equipment maker, an IT service provider, or a managed connection. Rather than attacking the target directly, the adversary poisons an update or hardware component that the target installs, as in the SolarWinds Orion compromise disclosed in December 2020. For shipping, the exposure runs through ECDIS and bridge software vendors, satellite-communication providers, terminal operating systems, and shore IT contractors. The EU NIS2 Directive makes supply-chain risk management an explicit duty, and IMO MSC-FAL.1/Circ.3 lists third-party access among the threats to assess.
Source: EU Directive (EU) 2022/2555 (NIS2), 14 December 2022; IMO MSC-FAL.1/Circ.3, 5 July 2017