While the 400-year-old John Donne meditation, No Man is an Island, is about the interconnectedness of the individual to humanity, it could just as easily have been written about the nature of cybersecurity and modern technology.
Just as we are all connected and interdependent, all modern technology is likewise interconnected and interdependent. And as we see so often, a vulnerability in one piece of software can easily mean vulnerabilities across many other programs, infrastructures, and organizations.
One need look no further than the Heartbleed vulnerability, a flaw in OpenSSL that affected an estimated 17% of all SSL servers, or the recent breach of international outsourcer Wipro and the light that breach shines on third-party risk.
As the National Institute of Standards and Technology (NIST) recently put it, the supply chain security of information and communications technology (ICT) relies on a complex, globally distributed, and interconnected ecosystem that is deep, has geographically diverse routes, and involves numerous levels of outsourcing relationships. This supply chain “ecosystem” consists of vendors, system integrators, service suppliers and other third parties, plus the entire services and technology stack that contributes to the design, manufacturing, distribution, deployment, and consumption of information and communications technologies and services.
If that sounds very complex, it is because it is very complex. The same is true for the technology stack of every business. It doesn’t matter what size the organization is, from a small or mid-sized business to a large corporation or the U.S. federal government: every organization depends on open-source and commercially provided hardware and software, and its security depends, to varying degrees, on trusting every entity involved throughout the entire supply chain.
Taking in the complexity, and the associated cybersecurity challenges, can be mind-boggling. To remain reasonably secure, enterprises must consider not only their own architectures and the products and services they run, but also all of the third parties their vendors and suppliers rely upon, as well as all of their third-party software dependencies. A bad actor anywhere along the chain can potentially place any organization at increased risk.
No organization is an island, so there’s no easy way to contend with this: no one can build their own hardware, software and operating systems (although some have tried) and provide all of their own support services. Organizations need to find a way to mitigate the risks associated with supply chain security. That’s where a recent update from NIST comes in.
That guidance, Best Practices in Cyber Supply Chain Risk Management, builds on version 1.1 of the NIST Cybersecurity Framework. Essentially, it stresses that cyber supply chain risk must be treated as a function that touches sourcing, vendor management, supply chain continuity and quality, transportation security and many other functions across the enterprise, and that addressing it requires a coordinated effort.
Here are the cybersecurity supply chain principles as they are laid out by NIST:
Develop your defenses based on the principle that your systems will be breached. When one starts from the premise that a breach is inevitable, it changes the decision matrix on next steps. The question becomes not just how to prevent a breach, but how to mitigate an attacker’s ability to exploit the information they have accessed and how to recover from the breach.
Cybersecurity is never just a technology problem; it’s a people, processes and knowledge problem. Breaches tend to be less about a technology failure and more about human error. IT security systems won’t secure critical information and intellectual property unless employees throughout the supply chain follow secure cybersecurity practices.
Security is Security. There should be no gap between physical and cybersecurity. Sometimes the bad guys exploit lapses in physical security in order to launch a cyber-attack. By the same token, an attacker looking for ways into a physical location might exploit cyber vulnerabilities to get access.
Examples of Cyber Supply Chain Best Practices: Companies have adopted a variety of practices that help them manage their cyber supply chain risks. These practices include:
- Security requirements are included in every RFP and contract.
- Once a vendor is accepted in the formal supply chain, a security team works with them on-site to address any vulnerabilities and security gaps.
- “One strike and you’re out” policies with respect to vendor products that are either counterfeit or do not match specification.
- Component purchases are tightly controlled; component purchases from approved vendors are pre-qualified. Parts purchased from other vendors are unpacked, inspected, and x-rayed before being accepted.
- Secure Software Lifecycle Development Programs and training for all engineers in the life cycle are established.
- Source code is obtained for all purchased software.
- Software and hardware have a security handshake: the secure boot process checks the authentication codes on the firmware image, and the system will not boot if the codes are not recognized.
- Automation of manufacturing and testing regimes reduces the risk of human intervention.
- Track and trace programs establish provenance of all parts, components and systems.
- Programs capture “as built” component identity data for each assembly and automatically link the component identity data to sourcing information.
- Personnel in charge of supply chain cybersecurity partner with every team that touches any part of the product during its development lifecycle and ensure that cybersecurity is part of suppliers’ and developers’ employee experience, processes and tools.
- Legacy support for end-of-life products and platforms; assure continued supply of authorized IP and parts. Tight controls on access by service vendors are imposed. Access to software is limited to a very few vendors. Hardware vendors are limited to mechanical systems with no access to control systems. All vendors are authorized and escorted.
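The secure boot practice above is the one item on that list that describes a concrete mechanism, so here is an added example (not NIST's code, and not any vendor's real boot image format) of what “the system will not boot if codes are not recognized” means in practice. The image layout, the magic string, the key seeds and the payload strings are all constructed for this example; Ed25519 is used as the signature scheme because Go's standard library supports it, whereas real devices typically use RSA or ECDSA with the public key or its hash burned into ROM or fuses. The point the code makes is that every failure mode (truncation, wrong format, mismatched length, wrong key, or a single flipped byte) halts the boot rather than falling back to running the unverified payload.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image layout used by this example (a constructed format, not any real
// vendor's boot image format):
//
//	magic[4] = "FWIM" | payloadLen uint32 (big-endian) | payload[payloadLen] | signature[64]
//
// The signature covers the header AND the payload, so an attacker cannot
// swap the payload or rewrite the length field without invalidating it.
const (
	imageMagic = "FWIM"
	headerSize = 8
)

// Sentinel errors let the caller (and tests) tell the failure modes apart.
var (
	ErrTruncated    = errors.New("boot refused: image truncated")
	ErrBadMagic     = errors.New("boot refused: not a firmware image")
	ErrBadLength    = errors.New("boot refused: length field does not match image")
	ErrBadSignature = errors.New("boot refused: signature not from trusted vendor key")
)

// BuildImage is the vendor side: sign header+payload with the vendor's
// Ed25519 private key and append the signature.
func BuildImage(vendorKey ed25519.PrivateKey, payload []byte) []byte {
	img := make([]byte, headerSize, headerSize+len(payload)+ed25519.SignatureSize)
	copy(img, imageMagic)
	binary.BigEndian.PutUint32(img[4:], uint32(len(payload)))
	img = append(img, payload...)
	sig := ed25519.Sign(vendorKey, img)
	return append(img, sig...)
}

// VerifyImage is the boot ROM side: parse defensively, then verify the
// signature under the pinned public key before trusting anything in the
// image. It returns the payload only when every check passes.
func VerifyImage(trustedKey ed25519.PublicKey, img []byte) ([]byte, error) {
	if len(img) < headerSize+ed25519.SignatureSize {
		return nil, ErrTruncated
	}
	if string(img[:4]) != imageMagic {
		return nil, ErrBadMagic
	}
	payloadLen := int(binary.BigEndian.Uint32(img[4:headerSize]))
	if payloadLen != len(img)-headerSize-ed25519.SignatureSize {
		return nil, ErrBadLength
	}
	signed := img[:headerSize+payloadLen]
	sig := img[headerSize+payloadLen:]
	if !ed25519.Verify(trustedKey, signed, sig) {
		return nil, ErrBadSignature
	}
	return signed[headerSize:], nil
}

// Boot models the "will not boot if codes are not recognized" rule: any
// verification error halts the boot instead of running the unverified payload.
func Boot(trustedKey ed25519.PublicKey, img []byte) (string, error) {
	payload, err := VerifyImage(trustedKey, img)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("booting firmware sha256=%x", sha256.Sum256(payload)), nil
}

func main() {
	// Throwaway example key derived from a fixed seed so the run is
	// reproducible. A real device pins only the public key (or its hash)
	// in ROM or OTP fuses; the private key never leaves the vendor.
	vendorKey := ed25519.NewKeyFromSeed([]byte("0123456789abcdef0123456789abcdef"))
	trustedKey := vendorKey.Public().(ed25519.PublicKey)

	genuine := BuildImage(vendorKey, []byte("firmware v1.0 (constructed payload)"))
	fmt.Println(Boot(trustedKey, genuine))

	// Supply chain tampering: one byte of the payload changed in transit.
	tampered := append([]byte(nil), genuine...)
	tampered[headerSize] ^= 0x01
	fmt.Println(Boot(trustedKey, tampered))

	// Counterfeit: a well-formed image signed by someone else's key.
	otherKey := ed25519.NewKeyFromSeed([]byte("fedcba9876543210fedcba9876543210"))
	fmt.Println(Boot(trustedKey, BuildImage(otherKey, []byte("firmware v1.0"))))
}
```

Two design choices worth noting: the length field is checked against the actual image size before the signature is verified, so a malformed header is rejected without ever touching the signature code path, and the header is inside the signed region, so the length cannot be rewritten to shorten or extend what the signature covers. A real bootloader would add rollback protection (a signed version number compared against a monotonic counter) and would verify the next stage with the same discipline before handing over control.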
The best practices also call for reviewing the security of suppliers by examining hardware and software vendors’ security processes, their mitigation techniques, their ongoing vulnerability management, and more.
Enterprises have long focused on the security of their internal systems, but flaws within widely used open-source applications, as well as attacks on service providers like Wipro, show that enterprises are going to have to start paying more attention to the security of their third-party providers as well as the security of the third-party software dependencies within their commercially acquired software.