Building Management Systems
CISA
Critical infrastructure
Industries
Manufacturing
Medical
Mining, Oil & Gas
News
Transportation
Utilities: Energy & Power, Water, Waste

Federal agencies must implement recommendations to manage software supply chain threats, GAO says

May 27, 2021
software supply chain

The U.S. Government Accountability Office (GAO) stressed that, as a result of not fully implementing foundational security practices, federal agencies continue to face software supply chain threats and are at a greater risk of malicious actors exploiting vulnerabilities in the ICT supply chain. Such exploits cause disruptions to mission operations, harm to individuals, and theft of intellectual property. 

Recent cybersecurity events, involving a software supply chain compromise of SolarWinds Orion, and the recent shutdown of a major U.S. fuel pipeline, highlight the significance of these threats. Malicious hackers may exploit vulnerabilities in the supply chain, leading to the compromise of the confidentiality, integrity or availability of an organization’s systems and the information they contain.

“We have ongoing work examining federal agencies’ responses to SolarWinds and any lessons that they have identified from the compromise. We plan to issue a report detailing our findings later this fall 2021,” the GAO observed in its report.

Last December, the GAO made 145 recommendations to 23 federal agencies. The GAO recommended that each of the 23 agencies fully implement these foundational practices. This month, the GAO received updates from six of the 23 agencies regarding actions taken or planned to address its recommendations. However, none of the agencies had fully implemented the recommendations. Until they do so, agencies will be limited in their ability to effectively address supply chain threats across their organizations, it pointed out.

In December, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive requiring agencies to take action regarding a threat actor that had been observed leveraging a software supply chain compromise of the SolarWinds Orion enterprise network management software suite.

The National Security Council staff subsequently formed a Cyber Unified Coordination Group (UCG) to coordinate the government response to the cyberattack. The group took a number of steps, including gathering intelligence and developing tools and guidance, to help organizations identify and remove the threat. In April, the Deputy National Security Advisor for Cyber and Emerging Technology announced the deactivation of the Cyber UCG for the SolarWinds incident. According to the Deputy National Security Advisor, the group was deactivated after the UCG completed its initial surge efforts. 

Following the actions taken by the UCG, in April U.S. intelligence agencies released a cybersecurity advisory that alleged ongoing Russian Foreign Intelligence Service (SVR) exploitation of five publicly known vulnerabilities. The advisory was released alongside the U.S. government’s formal attribution of the SolarWinds supply chain compromise and related cyber-espionage campaign.

In May, the Biden administration issued an Executive Order that was prompted, in part, by the compromise of the SolarWinds software supply chain. Among other things, the executive order directed the Secretary of Homeland Security, in consultation with the Attorney General, to establish a Cyber Safety Review Board to review and assess the threat activity.

While addressing software supply chain security, the executive order directed, among other things, the director of the National Institute of Standards and Technology’s (NIST) to publish guidelines that include criteria to evaluate the security practices of developers and suppliers of critical software and to provide guidance on identifying practices that enhance the security of the software supply chain.

Earlier in March, the GAO delivered an update that the federal government needs to move with greater urgency to improve the nation’s cybersecurity, as the country faces grave and rising cybersecurity threats. At that time, the agency said that the government needs to take 10 critical actions to address four major challenges that the agency identified in 2018, including securing federal systems and protecting critical infrastructure, privacy and sensitive data.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Mandiant exposes APT44, Russia's Sandworm cyber sabotage unit, targeting global critical infrastructure
Mandiant exposes APT44, Russia’s Sandworm cyber sabotage unit, targeting global critical infrastructure
Hexagon and Dragos announce technical alliance to boost industrial cybersecurity, reduce overall OT cyber risk
Hexagon and Dragos announce technical alliance to boost industrial cybersecurity, reduce overall OT cyber risk
Armis
Armis acquires Silk Security for $150 million to enhance AI-driven cybersecurity capabilities
Nozomi discovers five vulnerabilities in AMI MegaRAC SP-X BMC, exposing OT, IOT devices to RCE attacks
Nozomi secures US$1.25 million US Air Force contract to boost DoD critical infrastructure security
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape
House Energy and Commerce Committee members seek answers from UnitedHealth on Change healthcare cyberattack
House Energy and Commerce Committee members seek answers from UnitedHealth on Change healthcare cyberattack
CISA announces Cyber Storm IX cybersecurity exercise to strengthen national cyber readiness
CISA announces Cyber Storm IX cybersecurity exercise to strengthen national cyber readiness
New NSA guidance identifies need to update AI systems to address changing risks, bolster security
New NSA guidance identifies need to update AI systems to address changing risks, bolster security
Claroty’s Team82 details cyber attack by Blackjack hackers on Moscow's emergency detection systems
Claroty’s Team82 details cyber attack by Blackjack hackers on Moscow’s emergency detection systems
Kaspersky ICS CERT reports on escalating consequences of cyber attacks on industrial organizations
Kaspersky ICS CERT reports on escalating consequences of cyber attacks on industrial organizations