Understanding your digital supply chain risk
Managing the risks associated with digital supply chains
TL;DR
Understanding your digital supply chain risk is becoming one of the major challenges many businesses face today, especially with the move to cloud and the globalization of the computing behind those services. Recommendations for capturing the additional supply chain detail behind any major application:
- Ensure that COTS, third-party supplier and SaaS dependencies are documented on the security context diagram, the threat model, the CMDB and any other systems of record, together with the platforms that might support them as part of their own digital supply chain.
- Capturing these dependencies makes it easier to identify supply chain risks, to threat model potential mitigations for them, and to support a range of other detection and response activities.
What are digital supply chain risks?
As companies move to the cloud and computing becomes globalized, it is important to understand your digital supply chain risk and how to mitigate it. The risks discussed here are gaps in:
- Cyber architecture requirements
- Change management databases (CMDB)
- Software supply chain and software development lifecycles
- Supply chain risk management process
How does supply chain risk affect businesses?
An organization’s understanding of the supply chain risk of any given system varies with the number of integrators or suppliers the company uses to generate its revenue through the production of software or the delivery of services. Beyond understanding those integrators or suppliers themselves, the organization also needs to understand the external factors that might affect them and, in turn, affect the producer.
An organization’s ability to identify, detect and respond to those environmental threats and influences on the supply chain becomes a critical factor in maintaining the integrity of its software and service production. An organization’s Third Party Management (TPM) program helps monitor its third parties, and also supports the lifecycle management of suppliers while they are servicing the organization.
Because of the complexity of an organization’s supply chain, there may be multiple layers of suppliers or intermediaries downstream of the organization. As the number of downstream supplier layers increases, the organization’s visibility into those suppliers decreases.
The figure below, from NIST SP 800-161r1, illustrates the decreasing visibility as the layers of the supply chain increase.
This blog focuses on the digital supply chain risks which affect organizations.
Risk #1: Gaps in cyber architecture requirements
What is the risk associated with cyber architecture?
Organizations might not document or track third-party or supplier-chain infrastructure as part of their supply chain in the Change Management Database (CMDB), and there is often no requirement that this be done.
Why does the gap in cyber architecture matter?
Without this record, the organization may be unable to respond proactively to major vulnerabilities in components of its supply chain that have been integrated into, or used to build, the organization’s products (e.g. Log4j).
What is a potential mitigation?
Gain visibility into the technologies our critical suppliers use to support their solutions, and link them as an artifact in both the CMDB and TPM. This gives the organization the ability to understand its risk exposure from suppliers proactively.
Risk #2: Gaps in Change Management Databases (CMDB)
Oftentimes, companies do not connect the suppliers or third-party applications in their CMDB to the authoritative system of record for TPM, which limits their understanding of the digital supply chain risks those third parties introduce to the applications they support.
The probable impact of gaps in CMDB
This can limit an organization’s ability to respond proactively to major vulnerabilities in supply chain components that have been integrated into, or used to build, the organization’s products.
The potential mitigation of gaps in CMDB
Require an understanding of the technologies our critical suppliers use to support their solutions, and have them linked as an artifact in both the CMDB and TPM. This aDolus blog includes a diagram demonstrating a software supply chain attack.
Risk #3: Gaps in software supply chain and software development lifecycles
Currently, an organization typically has limited or no visibility into some of the software libraries it ingests from software providers, open source projects and similar sources.
Take Log4j as an example. The Black Kite Research Team analyzed nearly 3,000 companies known to be affected, or explicitly disclosed to be unaffected, by the vulnerability, as shown in the figure below.
Potential mitigations of software supply chain and software development lifecycles
One potential mitigation for the limited visibility into software libraries ingested from software providers, open source projects and similar sources is the Software Bill of Materials. With a Software Bill of Materials (SBOM), you can respond quickly to the security, license and operational risks that come with open source use. It can also be used to track the integration of Commercial Off the Shelf (COTS) software into the organization’s business applications.
Below is a software lifecycle. Also, check out National Institute of Standards and Technology (NITA)’s illustration of a software lifecycle and SBOM.
The software bill of materials concept can even be extended down to firmware at the hardware level. More organizations are adopting SBOMs as part of their supply chain, and further regulatory requirements from the federal government are expected.
Industry resources for SBOMs
In May 2022, President Biden issued an executive order advocating for mandatory software bills of materials, or SBOM, to increase software transparency and counter supply-chain attacks. Some examples of these include:
- CycloneDX SBOM
- NITA SBOM, formats and tooling
- Jupiter One SBOM
- Google Supply-Chain Levels for Software Artifacts (SLSA) framework
- NSA recommended practices for developers to secure the software supply chain
Risk #4: Gaps in supply chain risk management process
An organization’s third-party applications that may be recorded in the CMDB are not linked to or associated with the authoritative system of record for third-party relationships (TPM Central) (e.g., SolarWinds, VMware, Microsoft, etc.).
Potential mitigation of supply chain risk management process
It is also recommended that an integration be implemented between the CMDB and the TPM system of record to organize and document the relationship between business applications and third-party records and engagements. This allows TPM and other downstream groups to consume this information from the CMDB system of record when needed.
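The following is an added example (not code from the original post) showing how the SBOM visibility from Risk #3 and the CMDB-to-TPM linkage from Risk #4 work together: each business application's SBOM is checked against an advisory's affected version range, and every hit is joined to the supplier's TPM record so that unlinked suppliers stand out. All records, supplier names and the advisory range are constructed sample data.

```python
import json

# Constructed sample data, not from the page: one CycloneDX-style SBOM per CMDB business application.
SBOM_APP1 = json.loads("""{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
  {"type": "library", "name": "log4j-core", "version": "2.14.1",
   "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}]}""")
SBOM_APP2 = json.loads("""{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
  {"type": "library", "name": "log4j-core", "version": "2.17.1",
   "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}]}""")
SBOM_APP3 = json.loads("""{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
  {"type": "library", "name": "log4j-core", "version": "2.0-beta9",
   "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.0-beta9"}]}""")

# Constructed CMDB records (business application -> supplier, SBOM) and a constructed TPM system of record.
CMDB = {
    "APP-001": {"name": "Billing Portal", "supplier": "Vendor A (COTS)", "sbom": SBOM_APP1},
    "APP-002": {"name": "HR Service", "supplier": "Vendor A (COTS)", "sbom": SBOM_APP2},
    "APP-003": {"name": "Field Telemetry", "supplier": "Vendor B (SaaS)", "sbom": SBOM_APP3},
}
TPM = {"Vendor A (COTS)": "TPM-1001"}  # Vendor B has no TPM engagement record: the Risk #4 gap

# Constructed advisory record: a package URL prefix plus an inclusive affected version range.
ADVISORY = {"purl_prefix": "pkg:maven/org.apache.logging.log4j/log4j-core",
            "affected": ("2.0-beta9", "2.14.1")}

def parse_version(v):
    """Order versions so that 2.0-beta9 < 2.0 < 2.14.1 < 2.15.0 (pre-releases sort below finals)."""
    core, _, pre = v.partition("-")
    nums = [int(x) for x in core.split(".")]
    nums += [0] * (3 - len(nums))
    pre_rank = int("".join(ch for ch in pre if ch.isdigit()) or 0) if pre else 10**6
    return tuple(nums) + (pre_rank,)

def in_range(version, lo, hi):
    return parse_version(lo) <= parse_version(version) <= parse_version(hi)

def exposed_applications(cmdb, tpm, advisory):
    """Walk each CMDB application's SBOM; return affected apps joined to their TPM supplier record."""
    hits = []
    for app_id, app in cmdb.items():
        for comp in app["sbom"].get("components", []):
            if (comp.get("purl", "").startswith(advisory["purl_prefix"] + "@")
                    and in_range(comp["version"], *advisory["affected"])):
                hits.append({"app": app_id, "component": f'{comp["name"]}@{comp["version"]}',
                             "supplier": app["supplier"],
                             "tpm": tpm.get(app["supplier"], "NOT LINKED TO TPM")})
    return hits

if __name__ == "__main__":
    for hit in exposed_applications(CMDB, TPM, ADVISORY):
        print(hit)
```

Running it lists APP-001 and APP-003 as exposed; APP-003's supplier is reported as not linked to TPM, which is exactly the record the CMDB-to-TPM integration is meant to supply.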
Industry resources for supply chain risk management
NIST’s Computer Security Resource Center (CSRC) offers this Cybersecurity Supply Chain Risk Management C-SCRM.
Enterprise’s supply chain
Contemporary enterprises run complex information systems and networks to support their missions. These information systems and networks are composed of ICT/OT products and components made available by suppliers, developers, and system integrators. Enterprises also acquire and deploy an array of products and services, including:
- Custom software for information systems built to be deployed within the enterprise, made available by developers;
- Operations, maintenance and disposal support for information systems and networks within and outside of the enterprise’s boundaries, made available by system integrators or other ICT/OT-related service providers; and
- External services to support the enterprise’s operations that are positioned both inside and outside of the authorization boundaries, made available by external system service providers.
Below are some additional resources: