Supply chain cyber-attacks are on the rise. These attacks infiltrate a company's network through a trusted third-party supplier that has been breached. With more businesses outsourcing services and adopting cloud solutions, the potential entry points for attackers have expanded. Recent examples like the famous SolarWinds Orion supply chain attack demonstrate how compromising one vendor can have massive downstream impacts. By penetrating SolarWinds' software development environment, attackers inserted malicious code into Orion updates which granted access to thousands of public and private sector organizations upon installation. With such potentially catastrophic consequences, securing the supply chain is now both a cyber and a business priority. The Challenges of Assessing Third-Party Cyber Risk Expanding supply chains increase reliance on third parties, which expands the potential attack surface. While organizations invest heavily in securing their own systems, vendor and partner networks can have weaker defenses. Yet, evaluating the security posture of suppliers, with limited visibility into their security measures, is tremendously challenging and mainly based on trust in the suppliers’ declared security posture robustness. For example, a technology supplier may have thousands of customers requesting security assessments or audit information, taxing their ability to answer all those requests with specific questions, which might lead to shortcuts in the process. Suppliers may also avoid sharing details on vulnerabilities or incidents to prevent contract risks or revenue loss. The Shared Responsibility Model for Cloud Security Adding to the assessment challenges, the shared responsibility cloud security model further muddles the issues and limits visibility. The Shared Responsibility Model for Cloud Security is a framework that delineates the roles and responsibilities of cloud service providers (CSPs) and their clients in maintaining cloud security. This model is fundamental in cloud computing, ensuring that both parties understand their obligations to protect data, applications, and infrastructure in the cloud environment. Under this model, the responsibilities are typically divided as follows: Cloud Service Provider Responsibilities : The CSP is responsible for securing the underlying infrastructure that supports cloud services. This includes the physical security of data centers, network, and hardware security, and the virtualization layer. Infrastructure security : For Platform as a Service (PaaS) and Software as a Service (SaaS) models, the provider also manages the security of the platform or application software, including updates and patches. Platform and Software Maintenance Client Responsibilities : Clients are responsible for protecting the confidentiality, integrity, and availability of their data stored in the cloud. This involves encryption, access controls, and data backup strategies. Data Security : In the case of Infrastructure as a Service (IaaS) and PaaS, clients must secure the applications they deploy in the cloud. This includes ensuring that applications are free from vulnerabilities and are configured securely. Application Security : Clients must manage user access to cloud services, including authentication, authorization, and monitoring user activities. Identity and Access Management : For IaaS models, clients are responsible for securing the operating system and network configurations of their cloud-based servers. Operating System and Network Configuration The Shared Responsibility Model emphasizes that while CSPs must ensure the security of the cloud infrastructure, clients are responsible for securing their data and applications within the cloud. This division of responsibility is crucial for maintaining effective cloud security and requires clients to be proactive in understanding and implementing their part of the model. Integrating Cybersecurity into Supply Chain Processes Today's modern supply chains extend far beyond physical product flows. Companies now regularly outsource major business functions to IT service providers, software vendors, and other third-party partners that handle sensitive systems and data. While these digital supply chain elements enable innovation and efficiency, they also introduce significant cybersecurity risks that cannot be ignored. Effectively governing security across interconnected suppliers requires tearing down historical silos between procurement and cybersecurity functions. By bringing cyber expertise into purchasing and vendor oversight processes, organizations can bake security into supply chain relationships from the start. • This expansion means that supply chains have important digital components requiring cybersecurity measures. Recognize that supply chains now encompass IT systems, software, and service providers in addition to physical flows. • Effective security integration requires these teams to work closely together, ensuring procurement decisions consider cyber risk insights. Enable collaboration between procurement and cybersecurity teams. • Security considerations should shape purchasing choices and the standards suppliers must meet. Allow cybersecurity to guide purchasing requirements and technical vendor standards. • . When selecting vendors, assess their risk profile and openness to audits. Make cyber risk and audit compliance part of vendor selection processes • . Agreements should define security service levels and incident reporting procedures. Mandate security SLAs and breach notification in vendor contracts • . Automating evaluations enhances efficiency and consistency. Utilize automated tools to systematize security assessments Integrating those elements in the supply chain selection and monitoring process contributes to bridging cybersecurity and supply chain risk management and can drive major improvements in vendor security oversight. MITRE Supply Chain Framework for Risk Assessments MITRE Corporation has developed a new framework prototype focused specifically on facilitating better supply chain risk management. The MITRE Supply Chain System of Trust (SoT) aims to provide organizations with a standardized methodology for evaluating risks across 14 key decision areas spanning their acquisition activities. Over 200 sub-risk categories are included within the framework, assessed through answering approximately 2,200 defined questions. While a significant portion relates to non-digital supplier due diligence factors, SoT also covers software supply chain risks in depth. Central to SoT's software supply chain assessment is analyzing Software Bill of Materials (SBOMs). SBOMs offer visibility into the components within supplied software. By understanding third-party dependencies, organizations can better track vulnerabilities and make informed risk decisions. While powerful, MITRE acknowledges that SBOM-centered assessments also have limitations. SBOMs alone cannot detect all supply chain compromises or guarantee immediate disclosure by vendors. Additional assurance techniques around validating supplier security postures would strengthen integrity guarantees. By formalizing a repeatable evaluation methodology, the MITRE Supply Chain SoT framework aims to bring consistency in how organizations measure and monitor supply chain risks. As the prototype continues development, further customizations to align with organizational risk tolerance are also expected. As supply chains become increasingly digital and interconnected, tightly weaving cybersecurity into every aspect of supply chain management is now a strategic imperative. The adoption of frameworks like MITRE's Supply Chain System of Trust, alongside a proactive approach in vendor selection and collaboration between procurement and cybersecurity teams can preemptively mitigate the exposure to supply chain attacks

This story contains AI-generated text. The author has used AI either for research, to generate outlines, or write the text itself. 

Augmentastic || Augmented Reality

How to Manage a Zero Trust Infrastructure in 2024 

The EU AI Act: Implications for SEO on LLMs

Addressing the Growing Threat of Supply Chain Cyberattacks

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

5 Tips to Prevent Hackers From Stealing Your Crypto Assets

Cybersecurity Predictions For 2022

Explaining Supply Chain Attacks: Here's What You Need to Know

How Companies Can Prevent Supply Chain Attacks With Attack Surface Management Solutions

The Three Components of Social Engineering Attacks

How to Recover from the Log4j Supply Chain Attack with Ilkka Turunen

5 Tips to Prevent Hackers From Stealing Your Crypto Assets

Cybersecurity Predictions For 2022

Explaining Supply Chain Attacks: Here's What You Need to Know

How Companies Can Prevent Supply Chain Attacks With Attack Surface Management Solutions

The Three Components of Social Engineering Attacks

How to Recover from the Log4j Supply Chain Attack with Ilkka Turunen

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps