Crucial to assemble and construct best practices into product and supply chain security frameworks


Bringing about product and supply chain security is turning out to be an imperative and indispensable element in understanding and mitigating the security risks across supply networks belonging to operational technology (OT) environments and critical infrastructure sectors. 

The networks are far more complex than the earlier linear supply chains. Further, as each new node is connected or as each individual supplier is given access to core systems, the security risks and vulnerabilities of the entire ecosystem only multiply. This gets further driven in today’s hyper-connected world, pushed along by increased fluidity needed to manage the COVID-19 pandemic, as the potential number of points for security vulnerability within the connected enterprises continues to increase exponentially. The influence of these intermediary elements renders an organization only as secure as the weakest point in its supply chain network. 

Accenture said that the present circumstances have led organizations to look towards expanding their security strategies and processes while working with their suppliers to increase visibility. In addition, enterprises also understand the threats and weaknesses comprehensively, their potential applicability, and likely impact on their organization and supply chain holistically. The integrated approach will help focus attention on developing a range of flexible tools and best practices to mitigate the risks, which will help bolster and strengthen product and supply chain security while enhancing the cybersecurity fabric of the organization.

Industrial Cyber reached out to experts in the product and supply chain security field to analyze the depth of the issue for enterprises to deliver product and supply chain security as supply chains become more complex and connected. 

“Recent supply chain threats and critical vulnerabilities in connected devices have brought device supply chain security to the forefront and fundamentally changed the nature of enterprise risk management,” Matt Wyckhouse, founder and CEO at Finite State, told Industrial Cyber. Coupled with connected device ubiquity, this has created exponential growth in both an enterprise’s external links and the volume of data that’s exchanged. This means that an organization’s attack surface and exposure to potential vulnerabilities have also grown dramatically, making for exponentially larger risk exposure, he added.

Matt Wyckhouse, founder and CEO at Finite State

“Enterprises that previously only had to manage their own risk now have to account for the broad supply risk that connected devices introduce,” according to Wyckhouse. “Each connected device brings with it, its own broad supply chain risk, where the weakest link is the best measure of the security of that entire supply chain. Putting it together, today’s environment where an enterprise has vast exposure to the risk of every supplier in their supply chain means they must evolve their strategy around managing risk, so it’s absolutely imperative to take a holistic approach to product and supply chain security,” he added.

Enterprises and product manufacturers save development costs by relying on existing third-party libraries and software modules, whether open source or proprietary ones, David Barzilai, vice president for sales and marketing and co-founder at Karamba Security, told Industrial Cyber. “The issue is most common in IoT and embedded devices, where there is a large variety of third-party fundamental modules, such as IP communication stacks, databases, and legacy operating systems,” he added.

David Barzilai, vice president for sales and marketing and co-founder at Karamba Security

Barzilai said that being relatively old and widely used, such supply-chain, third-party modules carry with them hidden vulnerabilities that, once discovered and reported, expose the enterprise or the product manufacturer to cyberattacks. “For example, Ripple20, which highlighted 19 hidden vulnerabilities in a third-party IP stack, which is used by products manufactured and sold by 31 vendors, such as ABB, Schneider Electric, and Rockwell Automation,” he added.

“Supply chain security is one of the weakest links for an organization, even in the best of times. The challenges are not just in how they impact production capabilities, but also in how they affect the security of the final product,” Slava Bronfman, co-founder and CEO of Cybellum, told Industrial Cyber. 

Slava Bronfman, co-founder and CEO of Cybellum

The reliance on supplier-provided components and software in connected devices introduces security issues much greater than in-house developed software, according to Bronfman. “This is made even more challenging by the increased complexity of device software, with its mix of software libraries and open-source code. On top of that, the supply chain is often backed up these days, due to the pandemic and shortages of chips and parts. Even if the components are produced, they cannot promptly make their way to the next steps in the production line. This leads to companies seeking out alternative suppliers who can produce the necessary supplies,” he added. 

According to Bronfman, new and unvetted suppliers come with the added risk of new components and the increased potential for threats and vulnerabilities.

Analyzing whether the introduction of a taxonomy for supply chain attacks facilitates their classification and potentially acts as a starting point for a more structured approach to analyzing such attacks, Wyckhouse said “absolutely – supply chain attacks, especially at this global scale and ferocity, are a relatively new occurrence and so rapidly morphing in their shape.”

Wyckhouse added that thinking about recent prominent supply chain attacks – Log4j or SolarWinds, or Codecov, to name a few – they all have subtle variations in several factors. “For instance, there were differences in the attack techniques that were used, what assets were targeted, or even who, whether a link in the supply chain or the end target itself.”  

“There’s not a single type of supply chain attack, and so there’s not a one-size-fits-all solution to solving them,” according to Wyckhouse. “They’re incredibly complex, and nuanced – classification and specificity allow for us to diagnose their exact type, and install measures to best remediate or better, mitigate against each form. What’s more, is that supply chain risk comes in so many different forms – third-party software, shared systems, and vendors who aren’t prioritizing cyber hygiene, or don’t know that they are actually introducing risk,” he added.

Collectively, “they all get grouped as a supply chain attack – which is at least a first step, but I don’t think we make meaningful progress until we align around a common language to help map out patterns, allowing for us to distinguish between them. The good news is we’re starting to see the industry coalesce around a few taxonomies already – Mitre’s ATT&CK, for example,” Wyckhouse added.

Bronfman said that to some degree, organizations already work with classifications of security flaws and attack vectors based on existing databases of known threats and vulnerabilities (CVEs), but these can always be improved. “In the event of an attack, the first step that should be taken is to uncover the threat vector, the source of the attack, and any products that have been affected. The next step would be to isolate the products or devices from other systems,” he added. 

Classification systems and security databases would then be used to help mitigate the attack as quickly as possible, according to Bronfman. “The better the classification or security database, the quicker the resolution and the lower the risk or cost from the attack.”

Given the critical nature of intelligent products and supply chains, it is essential for organizations adopting them to reconfigure them for greater resilience, transparency, and speed in the wake of rising threats, attacks, and geopolitical turmoil.

“With what’s happening around supply chain attacks, the criticality of product and supply chain security has become apparent, where it wasn’t before – so this newfound realization has been transformative toward organizations adapting to manage this risk,” Wyckhouse said. “Discovery and asset identification – which assets are vulnerable (devices, software, both) will give any organization a baseline for understanding what they have and where any platform or device resides. Then, you can hone in on the areas where your visibility is weakest. This enables teams to drill down with more certainty into blind spots to surface vulnerabilities and remediate them,” he added.

Wyckhouse added that “you see change happening in a number of ways – It all starts with a comprehensive understanding of an organization’s exposure to risk. How can you expect to manage risk without understanding what’s at risk? So you see organizations identifying, classifying, and quantifying their exposure to risk. The very first step is identifying risk, so having full visibility into your risk, which is easier said than done when you consider the complexity of connected device supply chains.”

“One innovation that’s part of the May 2021 Executive Order on Improving the Nation’s Cybersecurity, and crucial toward having this needed visibility is the Software Bill of Materials (SBOM), a formal record containing the details and supply chain relationships of components used in building software,” according to Finite State’s Wyckhouse. “This critical need for transparency is why you’re seeing the market start to respond with purpose-built solutions and further, even a shift toward transparency being built into the procurement process, where ongoing transparency becomes a requirement before a device is connected to the network or supply chain,” he added.

“Organizations use sophisticated binary analysis tools to automatically discover their software bill of materials. Each software component is scanned for vulnerabilities, weak passwords, credentials, and misconfiguration issues,” Karamba’s Barzilai said. “Once issues are uncovered within a software module, they are automatically associated to the supplier of that module, to enable the enterprise to request the supplier to remediate that security matter and ensure the final product resilience,” he added.


In production, when a new vulnerability is reported, vulnerability management systems highlight the software modules that are exposed to such vulnerability, according to Barzilai. “The system reports of the affected module and advises the provider of that module to patch and release a fixed version of its software library,” he added.

Bronfman said that mitigating risk and building greater resilience against threats requires continuous vulnerability monitoring, both on the supplier side and, more importantly, when the software or component is delivered to the manufacturer at the initial phase of integration.

“Software Bills of Materials (SBOMs) should be created, and a threat analysis should be executed whereby the underlying code has been checked against existing databases of known vulnerabilities,” according to Cybellum’s Bronfman. “This inventory of software components can be generated through source code analysis, but this is often not available to the manufacturer from the suppliers, which makes using binary code analysis a better alternative. The SBOM should also be checked for zero-day vulnerabilities using more sophisticated threat analysis. Any uncovered vulnerabilities should be remediated before any integration work commences. But that isn’t enough,” he added. 

Throughout the entire product development cycle, SBOMs should be created periodically, and continuous vulnerability monitoring should be built into the development process, Bronfman added.
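The SBOM workflow Barzilai and Bronfman describe (inventory the components, check each against a known-vulnerability database, attribute findings to the supplier who must ship the fix, and re-run the check when a new vulnerability is reported in production) reduces to a small matching routine. The example below is added here and is not code from Finite State, Karamba or Cybellum; the CycloneDX-style SBOM fragment, the vulnerability records, their `VULN-EXAMPLE-*` identifiers and the supplier names are all constructed.

```python
import json

# Constructed CycloneDX-style SBOM fragment; component and supplier names are hypothetical.
SBOM_JSON = """{
  "components": [
    {"name": "tcp-ip-stack", "version": "6.0.1", "supplier": {"name": "StackVendor"}},
    {"name": "embedded-db", "version": "3.2.0", "supplier": {"name": "DBVendor"}},
    {"name": "legacy-rtos", "version": "2.4.9", "supplier": {"name": "OSVendor"}}
  ]
}"""

# Constructed known-vulnerability records standing in for a CVE feed. Each record names the
# first affected version and the first fixed version (None = no fix has been released yet).
VULN_DB = [
    {"id": "VULN-EXAMPLE-0001", "component": "tcp-ip-stack", "introduced": "0", "fixed": "6.0.2"},
    {"id": "VULN-EXAMPLE-0002", "component": "embedded-db", "introduced": "3.0.0", "fixed": "3.1.5"},
    {"id": "VULN-EXAMPLE-0003", "component": "legacy-rtos", "introduced": "2.4.0", "fixed": None},
]

def parse_version(v):
    """Dotted numeric versions only (e.g. '6.0.1'), compared as integer tuples."""
    return tuple(int(p) for p in v.split("."))

def is_affected(version, introduced, fixed):
    """A component is affected when introduced <= version < fixed, or when no fix exists."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)

def exposed_components(sbom_json, vuln):
    """Production-side check: which SBOM components does one (newly reported) record hit?"""
    hits = []
    for comp in json.loads(sbom_json)["components"]:
        if comp["name"] == vuln["component"] and is_affected(comp["version"], vuln["introduced"], vuln["fixed"]):
            hits.append((comp["name"], comp["version"], comp.get("supplier", {}).get("name", "unknown")))
    return hits

def findings_by_supplier(sbom_json, vuln_db):
    """Integration-phase check: every match, grouped by the supplier who must ship the fix."""
    findings = {}
    for vuln in vuln_db:
        for name, version, supplier in exposed_components(sbom_json, vuln):
            findings.setdefault(supplier, []).append((name, version, vuln["id"]))
    return findings

if __name__ == "__main__":
    for supplier, items in findings_by_supplier(SBOM_JSON, VULN_DB).items():
        print(supplier, "->", items)
```

Note that `embedded-db` 3.2.0 is not flagged because it is past the fixed version, which is exactly the version-boundary reasoning a vulnerability feed lookup must get right to avoid drowning suppliers in false remediation requests.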

Asked what additional protective measures organizations can adopt to prevent and respond to potential product and supply chain attacks, and what further effort is required to mitigate and address such attacks, Wyckhouse said that “given the criticality, complexity, and scale of the problem, the most important thing that needs to happen is for management of connected product supply chain risk to move beyond just being a single team (IT/Security/Product Security) problem to one that’s managed through ongoing visibility at a board or executive-level, where resources can be better allocated toward implementing a holistic, top-down strategy.” 

The goal should be to move from reactive responses by siloed security teams that are outmanned in the face of rapid-fire attacks to a proactive, strategic, concerted, and org-wide approach to managing these attacks, Wyckhouse said. “As each organization and each organization’s risk exposure is different, only then can you formulate the best plan for a given organization,” he added.

Downstream, Wyckhouse has seen many approaches, including some organizations implementing a zero-trust architecture, incorporating exploit and threat intelligence, third-party patch management, incident response planning, and red team testing, to name a few.

“Finally, there’s also an increase in sharing of intelligence that’s proving tremendously helpful, between industry and government for example – this is especially the case in critical infrastructure, where in some cases, the declassification of information from the government has gone from months to hours,” according to Wyckhouse. “Imagine how powerful that would be toward mitigating attacks. So making sure your enterprise is fully, proactively leveraging intelligence to remain informed on emerging threats goes a long way to keeping your supply chain safe,” he added.


To proactively address the endless cat-and-mouse situation, where hackers identify and exploit vulnerabilities in third-party modules used by many products as part of those products’ supply chain, manufacturers are hardening their products’ software image, Barzilai said. 

“Such hardening locks the device to unauthorized changes, i.e. hackers exploiting vulnerabilities in the fundamental software provided as part of the supply chain process. Such hardening has become pervasive in mission-critical applications, such as renewable energy (e.g. Solar Edge, APsystems) and in the connected enterprise space (e.g. Hitachi),” he added. 

“In addition to threat intelligence gathering, vulnerability monitoring, code analysis and validation, and penetration testing, organizations today are also implementing red teams more and more to proactively uncover threats,” Bronfman said. “Security teams sometimes become complacent or overconfident with their work and with the defense systems they have in place. Red teams see the enterprise in the way a potential attacker sees it, including their weaknesses and vulnerabilities. The team should have minimum restrictions and maximum freedom to act. They should be allowed to access and infiltrate employees and their systems, to try to break into the organizational assets through them,” he added.

According to Bronfman, for the team to succeed with real-life scenarios, their work should be ongoing and over time, instead of a short-term surgical operation.

“In asymmetrical cybersecurity warfare, the hacker always has a major advantage over the target,” Bronfman said. “The defending organization does its best to secure its systems, clients, supply chains, people, domains, assets, and so on. The attacker only needs to find one open window to succeed in infiltrating. To put up the best fight possible, a red team is a great solution, providing the closest simulation to the real-world hackers trying to break in,” he concluded.
