Supply chain attack

Definition
A supply chain attack is an attack carried out through subversion of the hardware or software supply chain.

Overview
It can be viewed as another type of insider threat. An attack through the hardware supply chain may require developing and manufacturing a subverted version of a microelectronic component, and then a complicated operation to insert that device into the targeted computer, possibly with the help of insiders in the supply chain.

A software supply chain attack might, for example, embed a subversion in lower-level system software that is unlikely to be evaluated during testing. Another approach is to subvert the master copy of software used for broad distribution, so that every recipient receives the modified version. Even if the software is tested, subversions may be difficult to detect, since they would typically be revealed only under circumstances the defender is unlikely to exercise.
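The following is an added example, not part of the source document or of the cited Federal Plan. It illustrates the last two points above in working code: a master copy of a small module is subverted with a payload that stays dormant unless a trigger input appears, so the ordinary release test suite passes for both the genuine and the subverted artifact; an integrity check against a digest recorded independently, before the subversion, still tells them apart. The module, the trigger value, the test vectors and the digest handling are all constructed for illustration and stand in for no real product.

```python
"""Added example, not from the source document: a subverted master copy whose payload is
dormant during testing, and an integrity check that catches the substitution anyway.
Everything here (the module, trigger value and test vectors) is constructed for illustration."""
import hashlib
import hmac

# Constructed "master copy" of a small module exactly as it would be shipped to users.
GENUINE_SOURCE = '''
def checksum(data: bytes) -> int:
    return sum(data) & 0xFF
'''

# The same artifact after the master copy has been subverted. The payload fires only on a
# trigger the defender's test suite never supplies (hypothetical trigger value); for every
# other input the function behaves exactly like the genuine one.
SUBVERTED_SOURCE = '''
def checksum(data: bytes) -> int:
    if data == b"TRIGGER-7f3a":   # dormant unless this exact input is seen
        return -1                 # stands in for arbitrary attacker-chosen behaviour
    return sum(data) & 0xFF
'''

# Constructed test vectors of the kind an ordinary release test suite would run.
TEST_VECTORS = [(b"", 0), (b"abc", 38), (bytes([0xFF, 0x01]), 0), (b"\x80\x80", 0)]


def load_checksum(source: str):
    """Load the shipped module text and return its checksum() function."""
    namespace: dict = {}
    exec(source, namespace)
    return namespace["checksum"]


def functional_tests_pass(source: str) -> bool:
    """Run the release test suite against the artifact; True if every vector matches."""
    checksum = load_checksum(source)
    return all(checksum(data) == expected for data, expected in TEST_VECTORS)


def artifact_digest(source: str) -> str:
    """SHA-256 of the artifact bytes, as a maintainer would publish in a signed manifest."""
    return hashlib.sha256(source.encode()).hexdigest()


def verify_artifact(source: str, expected_digest: str) -> bool:
    """Integrity check: compare the received artifact against the independently obtained
    reference digest, using a constant-time comparison."""
    return hmac.compare_digest(artifact_digest(source), expected_digest)


def demo() -> dict:
    """Summarise what functional testing sees versus what the integrity check sees."""
    reference = artifact_digest(GENUINE_SOURCE)   # recorded out-of-band, before subversion
    return {
        "genuine_passes_tests": functional_tests_pass(GENUINE_SOURCE),
        "subverted_passes_tests": functional_tests_pass(SUBVERTED_SOURCE),
        "genuine_passes_integrity": verify_artifact(GENUINE_SOURCE, reference),
        "subverted_passes_integrity": verify_artifact(SUBVERTED_SOURCE, reference),
        "payload_on_trigger": load_checksum(SUBVERTED_SOURCE)(b"TRIGGER-7f3a"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check only helps if the reference digest reaches the recipient through a channel the attacker who subverted the master copy does not also control, for example a signed manifest whose key is held separately, or a digest computed from an independent rebuild of the same sources; a hash published next to the artifact on the same compromised server is simply replaced along with it.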

Source

 * Federal Plan for Cyber Security and Information Assurance Research and Development, at 8.