Supply Chain Blast Radius

A Supply Chain Blast Radius refers to the total scope of systems, organizations, and users that can be compromised when a single supplier or vendor in a software supply chain is attacked.

This concept measures the potential impact and reach of supply chain attacks, where threat actors target upstream vendors to gain access to multiple downstream victims simultaneously.

The blast radius encompasses all organizations that use the compromised supplier's software, services, or components, creating a multiplier effect where a single breach can cascade across hundreds or thousands of victims. Notable examples include the SolarWinds attack, where compromising one network management platform affected over 18,000 organizations, and the Kaseya incident, which impacted thousands of managed service provider clients.

Understanding blast radius helps organizations assess third-party risks and prioritize security measures for critical suppliers. Factors that increase blast radius include the supplier's market penetration, the criticality of their services, automatic update mechanisms, and shared infrastructure. Organizations can limit their exposure by diversifying suppliers, implementing zero-trust architectures, monitoring third-party access, and maintaining updated inventories of all software dependencies and vendor relationships throughout their technology stack.