
Understanding Your Digital Supply Chain Risk

Bottom Line Up Front:

Understanding your digital supply chain risk is becoming one of the most significant challenges many businesses face today, especially with the move to the cloud and the globalization of the computing behind those services. Recommendations for addressing the additional detail of the supply chain that may be part of any significant application:

  • Ensure that COTS/Third Party Suppliers/SaaS are documented on the security context diagram, threat model, CMDB, and any other sources of record, as well as potential platforms which might support them as part of their digital supply chain
  • Ensuring that these dependencies are captured will help to better identify supply chain risks, threat model potential mitigations for them, and support a myriad of other detection and response activities

Overview of Supply Chain Risk

An organization’s understanding of the supply chain risk of any given system can vary based on the number of integrators or suppliers a company might use to generate its revenue through the production of software or delivery of services. In addition to understanding those integrators or suppliers, the organization must also understand the external factors which might affect them and, in turn, affect the producer.

An organization’s ability to identify, detect and respond to those environmental threats/influences to the supply chain becomes a critical factor in maintaining the integrity of software and services. An organization’s Third Party Management (TPM) program helps monitor its Third Parties. This program also helps with the lifecycle management of suppliers while servicing the Organization.

Due to the complexity of an organization’s supply chain, there might be multiple layers of suppliers or intermediaries downstream of the organization. As the layers of downstream suppliers increase, the organization’s ability to have visibility into those suppliers decreases. The figure below from NIST SP 800–161r1 demonstrates the decreasing visibility as the layers of the supply chain increase.

1 NIST SP 800–161r1 Fig. 1–2 An Enterprise’s Visibility, Understanding, and Control of its Supply Chain https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1.pdf

This paper will focus on the digital supply chain risks which affect Organizations.

Potential Gaps in Organization Digital Supply Chain

Organizations use a layered approach of controls and processes that manage their digital supply chain; this first section will focus on the internal management of the production of applications and services.

Gaps in Cyber Architecture Requirements

Organizations might not document or track 3rd Parties/Supplier Chain infrastructure as part of their supply chain in their Change Management Database (CMDB), and it is not a requirement for this to be done.

Impact (So What?):

This means that the Organization might not be able to proactively respond to significant vulnerabilities in its supply chain which have been integrated into or used to build the organization’s products (e.g., Log4J).

Potential Mitigation:

We can understand the technologies used to support solutions by our critical suppliers and have them linked as an artifact in CMDB and TPM. This will provide the Organization with the ability to proactively understand the risk exposure from suppliers, as demonstrated in the figure below.2

2 LoNg4j Anatomy of Attack https://www.cequence.ai/blog/long4j/

Gaps in Change Management Databases (CMDB)

Often, companies do not connect their suppliers or third-party applications in the CMDB to the authoritative system of record for third-party relationships (TPM), which limits their understanding of the digital supply chain risks those third parties pose to the applications they support.

Impact (So What?):

This has the potential to limit an organization’s ability to proactively respond to significant vulnerabilities in its supply chain which have been integrated into or used to build the organization’s products (e.g., Solarwinds).

Potential Mitigation:

Require an understanding of the technologies used to support solutions by our critical suppliers and have them linked as an artifact in CMDB and TPM.

The diagram below demonstrates a software supply chain attack.3

3 Software supply chain attack https://blog.adolus.com/three-things-the-solarwinds-supply-chain-attack-can-teach-us

Gaps in Software Supply Chain & Software Development Lifecycles

Currently, Organizations often have limited or no visibility into some of the software libraries ingested from software providers, open source software, etc.

Example: Log4J. The Black Kite Research Team analyzed nearly 3,000 companies known to be affected by the vulnerability or to have explicitly disclosed that they were unaffected; the results are displayed in the figure below.4

4 ASSESSING VENDOR RISK CAUSED BY LOG4J https://blackkite.com/log4j-impact/

Potential mitigations include:

One of the potential mitigations for increased visibility into the software libraries ingested from software providers, open source software, etc., is the Software Bill of Materials. With a Software Bill of Materials (SBOM), you can respond quickly to the security, license, and operational risks of open-source use. This could also potentially be used to track the integration of COTS (Commercial Off the Shelf) software into Organization Business Application Groups.
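As an added example of the "respond quickly" benefit described above (this is illustrative code written for this page, not code from the original post or from any SBOM tool), the script below parses a constructed CycloneDX-style SBOM fragment and checks each component against a constructed advisory list with affected version ranges. The component names, version ranges and advisory identifiers are all assumptions made for the illustration; a real check would pull advisories from a vulnerability feed keyed on the package URL (purl).

```python
import json

# Constructed CycloneDX-style SBOM fragment for the example (not a real product's SBOM).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "library", "group": "com.example", "name": "widget-lib",
         "version": "3.2.0", "purl": "pkg:maven/com.example/widget-lib@3.2.0"},
    ],
})

# Constructed advisory records: affected if introduced <= version < fixed.
# Identifiers and ranges are placeholders for the illustration, not real advisories.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "group": "org.apache.logging.log4j",
     "name": "log4j-core", "introduced": "2.0", "fixed": "2.17.1"},
    {"id": "ADVISORY-PLACEHOLDER-2", "group": "com.example",
     "name": "widget-lib", "introduced": "3.0.0", "fixed": "3.3.0"},
]


def parse_version(version: str) -> tuple:
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple of ints.

    Non-numeric suffixes on a segment (e.g. '-beta9') are dropped, and the
    tuple is padded to three places so '2.0' compares as (2, 0, 0).
    """
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """Half-open range check: introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def load_components(sbom_json: str) -> list:
    """Extract the fields we need from each SBOM component."""
    bom = json.loads(sbom_json)
    return [
        {"group": c.get("group", ""), "name": c["name"],
         "version": c["version"], "purl": c.get("purl")}
        for c in bom.get("components", [])
    ]


def match_advisories(sbom_json: str, advisories: list) -> list:
    """Return one finding per (component, advisory) pair whose version is in range."""
    findings = []
    for comp in load_components(sbom_json):
        for adv in advisories:
            same_package = (comp["group"], comp["name"]) == (adv["group"], adv["name"])
            if same_package and is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({"purl": comp["purl"], "advisory": adv["id"],
                                 "fixed_in": adv["fixed"]})
    return findings


if __name__ == "__main__":
    for f in match_advisories(SAMPLE_SBOM, ADVISORIES):
        print(f"{f['purl']}: {f['advisory']} (fixed in {f['fixed_in']})")
```

The half-open range mirrors how most advisory feeds express "introduced / fixed" versions; the second log4j-core entry at the fixed version is correctly left out, which is the case to verify when adopting any range-matching logic.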

Below is a diagram of a software lifecycle and the bill of materials associated with it.5

5 The Software lifecycle with multiple stages where underlying code might change, and thus the SBOM would be updated to reflect the changes. https://www.ntia.gov/files/ntia/publications/ntia_sbom_formats_and_standards_whitepaper_-_version_20191025.pdf

The use of the software bill of materials concept can even be expanded to include firmware down at the hardware level. There has been an increase in organizations adopting SBOMs as part of their supply chain, as well as future regulatory requirements from the federal government.

Industry Resources for SBOMs:

President Biden issued an executive order in May 2022 advocating for mandatory software bills of materials, or SBOMs, to increase software transparency and counter supply-chain attacks.

Gaps in Supply Chain Risk Management Process

An organization’s third-party applications that are in the CMDB might not be linked/associated to the authoritative system of record for third-party relationships (TPM Central) (e.g., Solarwinds, VMware, Microsoft, etc.).

Potential mitigation:

It is also recommended that an integration be implemented between the CMDB and the TPM system of record to organize/document the relationship between business applications and third-party records/engagements. This will allow TPM and other downstream groups to consume this information from the CMDB system of record when needed.
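To make the recommended CMDB-to-TPM linkage concrete, here is an added example (written for this page, not code from the original post or from any CMDB or TPM product) that reconciles a constructed set of CMDB configuration items against a constructed set of TPM engagement records. It reports third-party components that carry no valid TPM reference, which is the gap described in the sections above, and answers the question a responder asks when a supplier advisory lands: which business applications depend on this supplier? The record layouts, field names and supplier names are assumptions made for the illustration.

```python
# Constructed CMDB configuration items: each business application lists the
# third-party products it depends on and, where present, the TPM engagement id.
CMDB_CIS = [
    {"ci_id": "APP-1001", "name": "Billing Portal", "tier": "critical", "components": [
        {"vendor": "ExampleLogCo", "product": "LogAgent", "tpm_ref": "TPM-77"},
        {"vendor": "WidgetSoft", "product": "WidgetMonitor", "tpm_ref": None},
    ]},
    {"ci_id": "APP-1002", "name": "HR Self-Service", "tier": "high", "components": [
        {"vendor": "ExampleLogCo", "product": "LogAgent", "tpm_ref": "TPM-77"},
        {"vendor": "CloudMail Inc", "product": "Mail Relay", "tpm_ref": "TPM-90"},
    ]},
    {"ci_id": "APP-1003", "name": "Warehouse Scanner", "tier": "medium", "components": [
        {"vendor": "WidgetSoft", "product": "WidgetMonitor", "tpm_ref": "TPM-404"},  # dangling ref
    ]},
]

# Constructed TPM (third-party management) engagement records, the system of record
# for supplier relationships. TPM-404 deliberately does not exist.
TPM_ENGAGEMENTS = [
    {"tpm_ref": "TPM-77", "supplier": "ExampleLogCo", "risk_tier": "high", "owner": "vendor-mgmt"},
    {"tpm_ref": "TPM-90", "supplier": "CloudMail Inc", "risk_tier": "medium", "owner": "vendor-mgmt"},
]


def index_tpm(engagements: list) -> dict:
    """Map tpm_ref -> engagement record for fast lookup."""
    return {e["tpm_ref"]: e for e in engagements}


def find_unlinked(cmdb: list, engagements: list) -> list:
    """Components whose TPM reference is missing or does not resolve in TPM.

    Each finding is (ci_id, vendor, product, reason) so the owning team can
    either create the engagement or fix the dangling reference.
    """
    tpm = index_tpm(engagements)
    findings = []
    for ci in cmdb:
        for comp in ci["components"]:
            ref = comp["tpm_ref"]
            if ref is None:
                findings.append((ci["ci_id"], comp["vendor"], comp["product"], "no TPM reference"))
            elif ref not in tpm:
                findings.append((ci["ci_id"], comp["vendor"], comp["product"], f"dangling reference {ref}"))
    return findings


def applications_for_supplier(cmdb: list, engagements: list, supplier: str) -> list:
    """Business applications that depend on a supplier, for advisory response.

    Resolution goes through the TPM link first (the authoritative relationship)
    and falls back to the vendor name on the CI so that unlinked components are
    not silently missed during an incident. Sorted by criticality then name.
    """
    tpm = index_tpm(engagements)
    tier_rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    hits = {}
    for ci in cmdb:
        for comp in ci["components"]:
            linked = tpm.get(comp["tpm_ref"], {}).get("supplier")
            if supplier in (linked, comp["vendor"]):
                hits[ci["ci_id"]] = (tier_rank.get(ci["tier"], 9), ci["name"], ci["tier"])
    ordered = sorted(hits.values())
    return [{"name": name, "tier": tier} for _, name, tier in ordered]


if __name__ == "__main__":
    for ci_id, vendor, product, reason in find_unlinked(CMDB_CIS, TPM_ENGAGEMENTS):
        print(f"{ci_id}: {vendor}/{product} -> {reason}")
    for app in applications_for_supplier(CMDB_CIS, TPM_ENGAGEMENTS, "WidgetSoft"):
        print(f"WidgetSoft exposure: {app['name']} ({app['tier']})")
```

Running this against the constructed data flags the two WidgetSoft components as unlinked (one with no reference, one with a dangling one) while still listing both applications when WidgetSoft is queried, which is the point of keeping the vendor-name fallback until the TPM links are cleaned up.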

Industry Resources:

Cybersecurity Supply Chain Risk Management C-SCRM

Enterprise’s Supply Chain

Contemporary enterprises run complex information systems and networks to support their missions. These information systems and networks comprise ICT/OT products and components made available by suppliers, developers, and system integrators. Enterprises also acquire and deploy an array of products and services, including:

  • Custom software for information systems built to be deployed within the enterprise, made available by developers;
  • Operations, maintenance, and disposal support for information systems and networks within and outside of the enterprise’s boundaries, made available by system integrators or other ICT/OT-related service providers; and
  • External services to support the enterprise’s operations that are positioned both inside and outside of the authorization boundaries, made available by external system service providers.

CSA SaaS Governance and Security Best Practices

NIST SP 800–161 R1

Key Practices in Cyber Supply Chain Risk Management: Observations from Industry

MITRE Systems of Trust

Footnotes:

1 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1.pdf

2 https://www.cequence.ai/blog/long4j/

3 https://blog.adolus.com/three-things-the-solarwinds-supply-chain-attack-can-teach-us

4 https://blackkite.com/log4j-impact/

5 https://www.ntia.gov/files/ntia/publications/ntia_sbom_formats_and_standards_whitepaper_-_version_20191025.pdf
