Stop me if you have heard this before: as companies increasingly rely on third-party software applications, many are losing control over their software supply chain. As globalisation continues to scale and geographic constraints loosen, a strong supply chain is all but necessary to compete in the worldwide marketplace. This in spite of the persistent challenges associated with identifying and understanding the security vulnerabilities inherent to third-party software development and adoption.
As supply chain attacks continue to escalate in frequency and sophistication, a very common misconception has taken hold among product managers - full control over the entire supply chain is the only way to minimise risk. As such, personnel in charge of product are going to extraordinary lengths to try and dictate price and requirements, leaving lucrative opportunities on the table for those that fail to conform.
With the supply chain’s importance increasing in proportion to the threat landscape, organisations and suppliers find themselves at a crossroads – do they acquiesce to the requirements of those seeking full control or do they abstain from the demands and forego the partnership?
The good news is that organisations do not need to have full control of the supply chain to protect it from cyberattack – whether they know it yet or not. By mapping out their supply chain, validating vendors, and reviewing security policies combined with technology implementation, organisations can close the gap on some vulnerabilities and prevent malware attacks from propagating without the burden and cost of trying to maintain full control.
Supply chain a common window for attacks
Up to 80 percent of security breaches now originate in the supply chain, according to a report by KPMG. In a common software supply chain attack, bad actors typically gain access to a software company’s distribution system and then insert malicious code in the legitimate software. When the customers update their versions, they are infected with the malware.
To reduce risk, most product managers seek a detection and reporting solution so an exploit targeting a specific vulnerability cannot disrupt their entire system. In industries where safety and critical compliance requirements exist (automotive, aviation or healthcare), security is often a function of the level of compliance. But, despite any efforts to comply, attackers can insert malware into a system via suppliers, keeping those within the chain exposed to memory-based attacks that bypass root of trust, encryption, and intrusion detection systems.
The Atlantic Council recently said in a brief that while software security vulnerabilities are a natural result of the development process and cannot be fully eliminated, they are increasingly passing through the supply chain. And in many instances, a single software component can now compromise the operational integrity of many critical systems and devices.
Unfortunately, many companies, especially small and medium-sized suppliers, lack full visibility into their supply chain nor do they have a process for assessing the cybersecurity of third-parties with which they share data or networks. This is a big problem when considering that so many flaws are unintentionally built into software components.
Nonetheless, managing the supply chain is now a critical function of optimising quality, cost and reliability. In fact, many companies use it to create strategic advantages, drive brand differentiation and improve efficiencies. While stronger brands may have more contained influence over their supply chain, companies are seeking to diversify sources so as not to be impacted by a single supplier or the demands of one brand over another.
To fear or not to fear lack of supply chain control – that is the question
For many organisations, just the thought of not having full control over their supply chain produces anxiety. After all, lack of control could mean that suppliers might not be required to meet standards, which could ultimately put organisations at a higher risk for several threats, including loss of intellectual property shared with supply chain partners and third-party access to IT networks, customer information or operational control systems.
Winston Churchill famously said that perfection is the enemy of progress, and his idea is apt for this discussion. The reality is that it’s virtually impossible to eliminate cyber risk throughout a supply chain – whether a company has complete control over it or not. Our increasingly interconnected technology products have a long journey from component manufacture to “shelf.” It’s hard to conceive of a tech product that is produced entirely in one location – as labour costs often dictate that materials circumnavigate the globe more than once. Further, any device that incorporates software, whether open source or custom, is touched by many different hands during the development process. Risk is baked in to the way organisations operate.
The first piece of good news for those weary of anything less than complete supply chain control is that executives in critical infrastructure industries in particular are starting to take a closer look at their supply chains, performing risk assessments, collecting threat analysis, conducting trials, and considering alternative security measures as part of a comprehensive strategy. This is important, as in today’s environment, one must assume that the supply chain has been compromised.
Mark Weatherford, Senior Vice President and Chief Cybersecurity Strategist at vArmour, said in a presentation there are several things companies can do to lessen their risks. Start by identifying and learning more about your vendors. Map out your supply chain and identify your sub-tier suppliers with critical IT components or software embedded in your products and systems. Clearly identify exactly what information or systems your vendors can access, then review their practices and integrate the CISO team in the process.
The next piece of positive news is that there is a new way to apply cybersecurity across the entire supply chain and eliminate the dependence on what each supplier individually is able or willing to do. Since security is increasingly a strategic differentiator, it is now an area for the company to invest in with an approach that works across all systems.
What product managers must understand is that supply chain risk will remain no matter their level of control, and that blind pursuit of full control will only hinder productivity and will eventually impact the bottom line. By staying focused on mapping out their supply chain, validating vendors, and reviewing security policies combined with technology implementation pre or post production, manufacturing and commerce can move forward without the fear of an imminent supply chain attack.
By Joe Saunders, CEO RunSafe Security RunSafe Security is the pioneer of a patented cyberhardening transformation process designed to disrupt attackers and protect vulnerable embedded systems and devices.