Nobody wants to be known as the weak link in the chain—any chain. But too many organizations are at risk of being just that in the digital supply chain because they haven’t made the cyber security of their products a priority.
The most recent evidence of that is the SolarWinds/Orion cyber attack.
SolarWinds, which provides system management tools for network and infrastructure monitoring, has an IT performance monitoring system called Orion. Hackers were able to inject malware into an Orion update, and it spread to tens of thousands of SolarWinds customers when they did what experts tell them to do—keep your software up to date.
Instead of having to hack into those individual customers, the attackers just compromised one vendor and let the supply chain take care of the rest, giving them access to the data and networks of its customers.
While the company’s original estimate of those that could have been affected by the corrupted update was around 18,000, SolarWinds CEO Sudhakar Ramakrishna more recently said on an earnings call that the estimate had dropped drastically, to about 100 private sector companies and nine federal agencies.
The federal agencies include the departments of Homeland Security, State, Justice, Commerce and Treasury, plus NASA, the FAA, National Institutes of Health and National Nuclear Security Administration.
It even affected FireEye, a company that helps organizations defend against and respond to breaches. The company announced in a Dec. 13, 2020 blog post that it had discovered the “global intrusion campaign,” allegedly by Russia, that had been going on at least since March 2020. The company also acknowledged it had been a victim itself. Indeed, if FireEye had not gone public, those other thousands of victims might still be unaware that they had been compromised.
This isn’t a new problem—security experts have been warning for years that supply chain vulnerabilities can exponentially increase the damage hackers can cause. But even with ongoing headlines confirming the validity of those warnings, there hasn’t been much substantive improvement in supply chain security over the past decade.
Senate Intelligence Committee Chairman Mark Warner (D-VA) acknowledged as much at a hearing on the SolarWinds hack in February 2021. The attack “highlighted a number of lingering issues that we’ve ignored for too long,” he said.
The good news is that improvement is possible, even without Congress getting involved. The ways to harden supply chain security are well-established. They also work, if organizations implement them.
So how to avoid being that weak link? Read on.
In today’s interconnected world, most organizations are both supply chain consumers and producers. As in, they consume materials, products, and services from various third parties like SolarWinds, and they also produce products and services for other organizations or for the public.
But the security emphasis is a bit different for each role. An earlier post on this blog site focused on security recommendations for consumers in the supply chain. This one will focus on producers.
The best way to start is with the fundamentals. For producers, the fundamental priority is to build security into the software that powers your products through every stage of the software development life cycle (SDLC).
Those security testing measures include:
Michael Fabian, principal consultant at Black Duck, said producers should also “investigate individual codebases to ensure that no unintended functionality has been included in current builds or deployments.”
That makes sense for a couple of reasons. First, it’s impossible to secure or protect something if you don’t know you have it or what it’s made of. Also, if you’re a producer, your customers are or should be demanding this level of scrutiny from you. If you can demonstrate that you’ve already done it, you’ve probably created a long-term customer.
Then, as Fabian put it, a “risk management and framing exercise should occur in accordance with standard frameworks, outlined by international standards bodies and industry leaders.”
Those activities can include:
Among other resources that help organizations improve their risk management is the Building Security In Maturity Model (BSIMM), an annual report that helps organizations grow and improve their software security initiatives by documenting what organizations in their industry are doing, and what works.
The authors of that report also provide the BSIMMsc (formerly called vBSIMM), focused on software supplied by third parties.
Other frameworks for supply chain security practices include NIST SP 800-161, ISO 20243, SAFECode third party risk practices, and the East-West Institute IT buyer’s guide.
As should be obvious, measures like these require staff and technology, which means time and money. But that investment can help an organization avoid damages that go well beyond headaches: Brand tarnish, legal liability, loss of market share, compliance sanctions, and more.
Beyond that, any business that wants to prosper knows it has to deliver products and services that function as intended and are safe. And in an almost universally connected world, to be safe they have to be secure as well.