Addressing the Growing Threat of Supply Chain Cyberattacks

Supply chain cyber-attacks are on the rise. These attacks infiltrate a company's network through a trusted third-party supplier that has been breached. With more businesses outsourcing services and adopting cloud solutions, the potential entry points for attackers have expanded.

Recent examples like the famous SolarWinds Orion supply chain attack demonstrate how compromising one vendor can have massive downstream impacts. By penetrating SolarWinds' software development environment, attackers inserted malicious code into Orion updates which granted access to thousands of public and private sector organizations upon installation.

With such potentially catastrophic consequences, securing the supply chain is now both a cyber and a business priority.

The Challenges of Assessing Third-Party Cyber Risk

Expanding supply chains increase reliance on third parties, which expands the potential attack surface. While organizations invest heavily in securing their own systems, vendor and partner networks can have weaker defenses. Yet, evaluating the security posture of suppliers, with limited visibility into their security measures, is tremendously challenging and mainly based on trust in the suppliers’ declared security posture robustness.

For example, a technology supplier may have thousands of customers requesting security assessments or audit information, taxing their ability to answer all those requests with specific questions, which might lead to shortcuts in the process. Suppliers may also avoid sharing details on vulnerabilities or incidents to prevent contract risks or revenue loss.

The Shared Responsibility Model for Cloud Security

Adding to the assessment challenges, the shared responsibility cloud security model further muddles the issues and limits visibility.

The Shared Responsibility Model for Cloud Security is a framework that delineates the roles and responsibilities of cloud service providers (CSPs) and their clients in maintaining cloud security. This model is fundamental in cloud computing, ensuring that both parties understand their obligations to protect data, applications, and infrastructure in the cloud environment.

Under this model, the responsibilities are typically divided as follows:

Cloud Service Provider Responsibilities

• Infrastructure security: The CSP is responsible for securing the underlying infrastructure that supports cloud services. This includes the physical security of data centers, network, and hardware security, and the virtualization layer.
• Platform and Software Maintenance: For Platform as a Service (PaaS) and Software as a Service (SaaS) models, the provider also manages the security of the platform or application software, including updates and patches.

Client Responsibilities

• Data Security: Clients are responsible for protecting the confidentiality, integrity, and availability of their data stored in the cloud. This involves encryption, access controls, and data backup strategies.
• Application Security: In the case of Infrastructure as a Service (IaaS) and PaaS, clients must secure the applications they deploy in the cloud. This includes ensuring that applications are free from vulnerabilities and are configured securely.
• Identity and Access Management: Clients must manage user access to cloud services, including authentication, authorization, and monitoring user activities.
• Operating System and Network Configuration: For IaaS models, clients are responsible for securing the operating system and network configurations of their cloud-based servers.

The Shared Responsibility Model emphasizes that while CSPs must ensure the security of the cloud infrastructure, clients are responsible for securing their data and applications within the cloud. This division of responsibility is crucial for maintaining effective cloud security and requires clients to be proactive in understanding and implementing their part of the model.

Integrating Cybersecurity into Supply Chain Processes

Today's modern supply chains extend far beyond physical product flows. Companies now regularly outsource major business functions to IT service providers, software vendors, and other third-party partners that handle sensitive systems and data. While these digital supply chain elements enable innovation and efficiency, they also introduce significant cybersecurity risks that cannot be ignored.

Effectively governing security across interconnected suppliers requires tearing down historical silos between procurement and cybersecurity functions. By bringing cyber expertise into purchasing and vendor oversight processes, organizations can bake security into supply chain relationships from the start.

• Recognize that supply chains now encompass IT systems, software, and service providers in addition to physical flows. This expansion means that supply chains have important digital components requiring cybersecurity measures.

• Enable collaboration between procurement and cybersecurity teams. Effective security integration requires these teams to work closely together, ensuring procurement decisions consider cyber risk insights.

• Allow cybersecurity to guide purchasing requirements and technical vendor standards. Security considerations should shape purchasing choices and the standards suppliers must meet.

• Make cyber risk and audit compliance part of vendor selection processes. When selecting vendors, assess their risk profile and openness to audits.

• Mandate security SLAs and breach notification in vendor contracts. Agreements should define security service levels and incident reporting procedures.

• Utilize automated tools to systematize security assessments. Automating evaluations enhances efficiency and consistency.

Integrating those elements in the supply chain selection and monitoring process contributes to bridging cybersecurity and supply chain risk management and can drive major improvements in vendor security oversight.

MITRE Supply Chain Framework for Risk Assessments

MITRE Corporation has developed a new framework prototype focused specifically on facilitating better supply chain risk management. The MITRE Supply Chain System of Trust (SoT) aims to provide organizations with a standardized methodology for evaluating risks across 14 key decision areas spanning their acquisition activities.

Over 200 sub-risk categories are included within the framework, assessed through answering approximately 2,200 defined questions. While a significant portion relates to non-digital supplier due diligence factors, SoT also covers software supply chain risks in depth.

Central to SoT's software supply chain assessment is analyzing Software Bill of Materials (SBOMs). SBOMs offer visibility into the components within supplied software. By understanding third-party dependencies, organizations can better track vulnerabilities and make informed risk decisions.

While powerful, MITRE acknowledges that SBOM-centered assessments also have limitations. SBOMs alone cannot detect all supply chain compromises or guarantee immediate disclosure by vendors. Additional assurance techniques around validating supplier security postures would strengthen integrity guarantees.

By formalizing a repeatable evaluation methodology, the MITRE Supply Chain SoT framework aims to bring consistency in how organizations measure and monitor supply chain risks. As the prototype continues development, further customizations to align with organizational risk tolerance are also expected.

As supply chains become increasingly digital and interconnected, tightly weaving cybersecurity into every aspect of supply chain management is now a strategic imperative. The adoption of frameworks like MITRE's Supply Chain System of Trust, alongside a proactive approach in vendor selection and collaboration between procurement and cybersecurity teams can preemptively mitigate the exposure to supply chain attacks