Software supply chain attacks have targeted virtually every sector of critical infrastructure. A wave of US regulatory effort to mitigate this risk includes US Executive Order 14028 on Improving the Nation's Cybersecurity and the US Food and Drug Administration's Software Bill of Materials (SBOM) requirements for medical devices. The area is also under review by many other governments. Julia Swales, FFSC Advisory Board Manager, asked Nick Wildgoose, CEO of Supplien Consulting and member of the FFSC Advisory Board, to share his knowledge on cyber exposures in multi-tier software supply chains.
A lot of work has gone into understanding multi-tier supply chains from a product perspective. This is important for a variety of reasons, including building resilience against disruption and ensuring appropriate ESG compliance. An area that has perhaps received less focus is the cyber exposure in multi-tier software supply chains, even though without the necessary information flow supply chains simply cannot operate effectively.
Cyber-attacks and associated IT failures have consistently featured in the top 3 causes of disruption in the Business Continuity Institute Annual Supply Chain Resilience Survey over the last 10 years. These attacks only seem to be increasing, so cybersecurity is a critical part of supply chain risk management. Wide-ranging vulnerabilities such as Log4j, and breaches such as SolarWinds and Accellion, have demonstrated how software itself can become the Trojan horse, turning the products that protect us into an ecosystem-wide threat. As another indication of the scale of the problem, in 2021 two cyber espionage groups, believed to be affiliated with the Chinese government, created over 16 different malware families just to target Pulse Secure VPN.
A key challenge in C-SCRM (Cyber Supply Chain Risk Management) is knowing where to start. With hundreds of types of software, thousands of suppliers, and tens of thousands of pieces of hardware, it is hard to identify where a meaningful, measurable reduction in cyber risk within the supply chain can be made. In many organisations it is also unclear, from a functional perspective, who is responsible for cyber risk within the supply chain; this needs to be clarified first.
An effective risk management program depends on initially knowing the cyber risk that a critical supplier presents to your organization’s systems. To assess supply chain risk, organizations need information from and about each link in the chain, including the relevant software.
Complex interdependencies make it nearly impossible to ensure the security of every component and contributor in the supply chain. It is not sufficient to identify only the hidden risks that arise when you inherit, purchase, or outsource software capabilities. Another major source of unknown risk is open-source software, which on average accounts for 75% of the code in such codebases.
The cyber hygiene and risk management practices of the third parties we rely on can help us assess how susceptible they are to external breaches that could alter or modify code. This includes how they assess cyber risk in the following software-related areas:
- Supplier Risk
- Code Risk
- Ecosystem Risk
- Operational Risk
It is now possible to use near real-time cyber exploration tools to identify vendors in your ecosystem that could be exposed to an issue such as a Log4j breach. Having data on which vendors are at risk from an identified vulnerability immediately available enables rapid, risk-based mitigation, stopping the threat where it matters most. There are also solutions that keep time-based records of how long known vulnerabilities are allowed to persist in open-source software components and related supplier products. These can also provide insight into leading cyber risk indicators such as end-of-life status, maintenance risk and ecosystem risk.
Many organisations need to improve their cyber supply chain resilience to reduce the number of disruptions they face and the significant financial costs that follow. Several software and data solutions can help in this area, but they must be deployed in the context of a clear responsibility matrix for cyber supply chain risk management.
Source: Foundation for Future Supply Chain