Managing cybersecurity risks in supply chain management

The task of managing cybersecurity risks in supply chain management is an imperative for businesses. Supply chain processes involve a complex web of suppliers, manufacturers, distributors, retailers, and service providers, all interconnected through digital transactions. This web is open to cyber threats, which can potentially have a substantial impact on businesses.

Let’s take a step back and think about our supply chains. It’s easy to picture them as a sequence of interconnected entities involved in the production and distribution of goods and services. However, reality paints a much more complex picture. Supply chains span vast networks of suppliers, manufacturers, distributors, software developers, retailers, and service providers. All these entities are linked through a web of digital transactions, which can become susceptible to cyber threats.

Recently, I found myself examining the software supply chain from the viewpoint of a software developer and supplier to global organisations. Without doubt, software is a critical part of numerous businesses, and securing it is paramount for maintaining the integrity of the supply chain. Nevertheless, the software supply chain is not immune to cyber threats such as malware, code injection, and various other attacks. These threats can inflict considerable damage on businesses, leading to data loss, reputational harm, and financial losses.

I had the opportunity to delve into the world of Software Bills of Materials (SBOMs) while working with a client whose goal was to evaluate the risks in supplier-provided packages that they incorporate into their own product. In case you’re unfamiliar, an SBOM is a detailed inventory of the software components used in a specific application or system. Most software you use will bundle a great deal of software written by other developers. When an SBOM is included with software, this list covers the main software components as well as any third-party or open-source software used.

So, why is an SBOM crucial? It allows businesses to identify and manage potential vulnerabilities in the software supply chain. By knowing precisely which components a piece of software uses, businesses can monitor for vulnerabilities in those components and take appropriate action to address them. This might involve applying security patches, implementing workarounds, or outright replacing the vulnerable components, which in turn raises its own questions: are we still within support, and does the software still work correctly?
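To make the monitoring step concrete, here is an added example (not from the original post) that loads a small, constructed CycloneDX-style SBOM, matches each component’s package URL against a constructed advisory feed, and reports which components fall below the fixed version. The SBOM contents, component names and advisory identifiers are all placeholders invented for this illustration.

```python
import json

# Constructed minimal CycloneDX-style SBOM for a hypothetical "example-app".
# Not a real product's SBOM; names and versions are placeholders.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "example-app", "version": "2.1.0"}},
  "components": [
    {"type": "library", "name": "log-lib", "version": "2.14.1",
     "purl": "pkg:maven/org.example/log-lib@2.14.1"},
    {"type": "library", "name": "http-client", "version": "4.5.13",
     "purl": "pkg:maven/org.example/http-client@4.5.13"},
    {"type": "library", "name": "yaml-parse", "version": "5.3",
     "purl": "pkg:pypi/yaml-parse@5.3"}
  ]
}
"""

# Constructed advisory feed: a versionless purl plus the first fixed version.
# Advisory ids are placeholders, not real identifiers.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "purl": "pkg:maven/org.example/log-lib",
     "fixed_in": "2.15.0"},
    {"id": "ADV-PLACEHOLDER-2", "purl": "pkg:pypi/yaml-parse",
     "fixed_in": "5.4"},
]

def version_tuple(version):
    # "2.14.1" -> (2, 14, 1); non-numeric parts compare as 0 (simplification).
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def split_purl(purl):
    # "pkg:maven/org.example/log-lib@2.14.1" -> (versionless purl, "2.14.1")
    base, _, version = purl.partition("@")
    return base, version

def find_affected(sbom_text, advisories):
    # Return every SBOM component whose version is below an advisory's fix.
    sbom = json.loads(sbom_text)
    findings = []
    for comp in sbom.get("components", []):
        base, version = split_purl(comp["purl"])
        for adv in advisories:
            if adv["purl"] == base and version_tuple(version) < version_tuple(adv["fixed_in"]):
                findings.append({"component": comp["name"], "version": version,
                                 "advisory": adv["id"], "fixed_in": adv["fixed_in"]})
    return findings
```

Running `find_affected(SBOM_JSON, ADVISORIES)` flags `log-lib` and `yaml-parse` and leaves `http-client` alone; in practice the advisory feed would be a real vulnerability database and the version comparison would follow the ecosystem’s own rules.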

The SolarWinds hack brought to the fore the importance of an SBOM in managing cybersecurity risks in the software supply chain. SolarWinds is a software company that provides IT management and monitoring tools for businesses and organisations.

In December 2020 a breach in SolarWinds’ software supply chain led to attackers inserting malicious code into the SolarWinds Orion software, which was then distributed to SolarWinds customers. This attack affected numerous organisations, including government agencies, highlighting the need for secure software supply chains.


One of the hurdles in responding to the SolarWinds attack was the lack of visibility into the software components used in the Orion software. Without a comprehensive inventory of software components, many organisations struggled to ascertain the scope of the attack and identify potential vulnerabilities. Here, an SBOM can play a pivotal role in managing cybersecurity risks in the software supply chain.

An SBOM offers businesses improved visibility into their systems’ software components, including third-party and open-source components. This can help identify potential vulnerabilities and enable more effective risk management. For example, in the SolarWinds attack, an SBOM would have allowed organisations to swiftly identify the affected components and take appropriate action to mitigate risks.

Since the SolarWinds attack, there has been a growing call for greater adoption of SBOMs as a standard practice in software supply chain management. The US government has issued an executive order mandating the use of SBOMs in federal agencies, and the National Institute of Standards and Technology (NIST) has issued guidelines for SBOM implementation.


By offering a thorough inventory of the software components used in a given application or system, an SBOM helps pinpoint potential vulnerabilities and allows for more effective risk management. Consequently, I urge businesses to consider adopting SBOMs as a core practice in their software supply chain management.

However, let’s be clear: SBOMs are not a panacea. To effectively manage cybersecurity risks in the software supply chain, an additional, robust strategy is also required: the implementation of secure software development practices. This approach entails embedding security into every phase of the software development process, from the initial planning stage right through to deployment. This involves the use of secure coding practices, conducting thorough security testing, and performing detailed vulnerability assessments. By embracing these practices, businesses can significantly reduce the risk of cybersecurity threats in the software supply chain.

Another strategy that I’d like to emphasise is the implementation of a software assurance program. This comprehensive approach to software security consists of a blend of policies, procedures, and tools dedicated to managing software risk. This includes, but is not limited to, software testing, code analysis, and, importantly, threat modelling, which I will talk about in a future post. By incorporating a software assurance program, businesses can ensure that the software they employ is not only secure, but also reliable.

Beyond these strategies, businesses should also consider implementing supply chain risk management practices. This involves conducting meticulous due diligence checks on suppliers and verifying that these suppliers have sufficient cybersecurity measures in place. Additionally, it’s crucial that businesses establish contracts with suppliers that include explicit cybersecurity clauses, thereby outlining each party’s responsibilities pertaining to cybersecurity.

Businesses must also be prepared to respond swiftly and effectively to cybersecurity threats in the software supply chain. This necessitates a robust incident response plan that includes clear guidelines on responding to a cyber attack on the supply chain. This plan should detail communication protocols, containment strategies, and recovery plans.

It’s clear that managing cybersecurity risks in supply chain management is an absolute necessity for businesses in the digital age. This involves the adoption of secure software development practices, software assurance programs, and supply chain risk management practices. By taking these steps, businesses can enhance the security and integrity of their supply chains, respond more promptly to vulnerabilities, and ultimately mitigate business risk.

Over the next few weeks I will dive into more detail on each of these areas. If you haven’t already started, here is where to begin: I highly recommend watching Eric Byres’ insightful video from the SANS ICS Security Summit in 2022, titled ‘Making Use of All Those SBOMs’.


Making Use of All Those SBOMs by Eric Byres at SANS ICS Security Summit in 2022