Supply Chain Security

Supply chain security covers every supplier you depend on: those who provide services, staffing or support, and those who develop the software and hardware you use or resell. The supply chain is varied and differs across industry segments and organizations. If you consider the development of an application or an electronic device, there may be a long list of companies who contribute to the final product. The longer the supply chain, and the less visibility into (or ability to assess) each supplier you have, the higher the overall complexity and the resulting risk to your organization.

Let’s consider the software that we use in our own organizations. There is a lot of it. Do you have a complete inventory of the software running on your endpoints or supporting business processes? A granular software inventory and an approved enterprise application catalog are the starting point. The granular information you need includes: “Who owns and makes decisions about the application?” “Who supports and patches it?” “Who budgets for and pays for licenses?” “What is the application architecture and how does it communicate?” That inventory should be central and trusted, even if the records for desktops and servers are kept separately.

Whether you develop code in-house, buy commercial software, or opt for open-source software as a cost-saving measure, you need to know whether what you run contains open-source code. There should be an enterprise process for onboarding and retiring purchased and open-source software that reviews the Software Bill of Materials (SBOM, the list of components that make up the software) and assesses the risk and the real total cost of ownership.

We’ve all seen the news about SolarWinds and Log4j, and most of us have seen direct or indirect impacts on our organizations because of them. They illustrate two different failure modes: SolarWinds was a compromised vendor update pushed to customers, while Log4j was an exploitable vulnerability in an open-source library embedded in countless products. When you have many servers to manage across different environments, on-prem and in the cloud, and you combine that with a desire to cut costs and consolidate the management toolset, you end up with something that is pervasive, and which may be open-source. Open-source software is not always a bad choice, but it comes with certain risks. It may not have the support model that purchased software does, and you may need to rely on other vendors, colleagues and industry sources to help you identify and respond to pervasive, exploitable vulnerabilities when they arise.
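To make the SBOM review and the Log4j lesson concrete, here is an added example (not code from the original post) that walks a CycloneDX-style SBOM and flags three things a practitioner would want on the onboarding checklist: a component older than the first fixed version in an advisory, a component with no declared license (so ownership and cost are unknown), and a license outside the approved list. The SBOM document, the advisory table, the approved-license set and every component other than log4j-core are constructed for this example; the log4j-core fixed-version boundary is illustrative, and real boundaries and data should come from the vendor advisory and a vulnerability database fed by the SBOM your build produces.

```python
"""Flag SBOM components that need review before onboarding.

Added example, not code from the original post. All inputs below are
constructed inline so the script runs offline.
"""
import json
import re

# Constructed sample SBOM in CycloneDX JSON shape (subset of fields).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "group": "com.example", "name": "acme-json",  # constructed name
         "version": "3.2.0", "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "acme-pad",  # constructed; no license declared
         "version": "1.0.0", "purl": "pkg:npm/acme-pad@1.0.0"},
        {"type": "library", "name": "acme-internal-util",  # constructed
         "version": "0.9.0", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    ],
})

# Constructed advisory table: (group, name) -> first fixed version.
# Illustrative boundary; take real boundaries from the vendor advisory.
ADVISORIES = {
    ("org.apache.logging.log4j", "log4j-core"): "2.17.1",
}

# Constructed policy: licenses approved for use in this product.
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}


def version_key(version):
    """Turn '2.14.1' into a comparable tuple; numeric parts compare as ints,
    non-numeric parts (e.g. 'beta9') sort below any number."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        parts.append((1, int(piece)) if piece.isdigit() else (0, piece))
    return tuple(parts)


def component_licenses(comp):
    """Return declared SPDX ids (or names) for a CycloneDX component."""
    ids = []
    for entry in comp.get("licenses", []):
        lic = entry.get("license", {})
        ids.append(lic.get("id") or lic.get("name") or "")
    return [i for i in ids if i]


def audit_sbom(sbom_json):
    """Return a list of findings; an empty list means nothing to review."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        key = (comp.get("group", ""), comp["name"])
        label = f"{comp['name']}@{comp.get('version', '?')}"

        # 1. Known-vulnerable: version strictly below the first fixed version.
        fixed = ADVISORIES.get(key)
        if fixed and "version" in comp and version_key(comp["version"]) < version_key(fixed):
            findings.append({"component": label, "issue": "vulnerable",
                             "detail": f"upgrade to >= {fixed}"})

        # 2. No license at all: nobody can say who owns or supports it.
        licenses = component_licenses(comp)
        if not licenses:
            findings.append({"component": label, "issue": "no-license",
                             "detail": "license undeclared; ownership and TCO unknown"})

        # 3. Declared license outside the approved set.
        for lic in licenses:
            if lic not in ALLOWED_LICENSES:
                findings.append({"component": label, "issue": "license-policy",
                                 "detail": f"{lic} not on approved list"})
    return findings


if __name__ == "__main__":
    for finding in audit_sbom(SAMPLE_SBOM):
        print(f"{finding['issue']:15} {finding['component']:30} {finding['detail']}")
```

Run the script against the SBOM your build emits instead of the constructed one and you have the first gate of the onboarding process the paragraph calls for: nothing enters the catalog with an unknown license, and a future Log4j-style advisory becomes a one-line table update followed by a re-run over every SBOM on file.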

Best practices for a business application include knowing its dependencies, what other servers and services it needs to communicate with, and how. Does it need to communicate out through the firewall to an Internet server? Why? Ask those questions before deployment so you understand how your applications function, and limit Internet communications to just what is necessary and justified.
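One way to enforce the "necessary and justified" test is to keep a per-application egress allowlist in which every entry carries its justification, and to run the firewall's outbound connection log against it. The following is an added example (not code from the original post) that does exactly that over a few constructed log lines in a key=value format; the application names, addresses and justifications are assumptions for the example, and the documentation address ranges stand in for real Internet hosts. Internal RFC 1918 destinations are skipped, because the question the paragraph asks is specifically about traffic leaving for the Internet.

```python
"""Find outbound connections that no one has justified.

Added example, not code from the original post. The allowlist and the
log lines are constructed; adapt the parser to your firewall's format.
"""
import ipaddress
import re
from collections import Counter

# Constructed egress allowlist: app -> {(destination, port): justification}.
# The justification is the answer to the paragraph's "Why?".
EGRESS_ALLOWLIST = {
    "erp": {("203.0.113.10", 443): "vendor license check, documented in ERP runbook"},
    "monitoring": {("198.51.100.7", 443): "SaaS APM collector"},
}

# Constructed sample of firewall connection log lines (key=value format).
SAMPLE_LOG = """\
2022-01-20T10:15:01Z app=erp src=10.1.2.3 dst=203.0.113.10 dport=443 proto=tcp
2022-01-20T10:15:02Z app=erp src=10.1.2.3 dst=10.20.0.5 dport=1433 proto=tcp
2022-01-20T10:15:03Z app=erp src=10.1.2.3 dst=198.51.100.200 dport=80 proto=tcp
2022-01-20T10:15:09Z app=erp src=10.1.2.3 dst=198.51.100.200 dport=80 proto=tcp
2022-01-20T10:16:00Z app=monitoring src=10.1.2.9 dst=198.51.100.7 dport=443 proto=tcp
2022-01-20T10:16:04Z app=monitoring src=10.1.2.9 dst=192.0.2.44 dport=8443 proto=tcp
"""

# RFC 1918 ranges count as internal; everything else is treated as Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

KV_RE = re.compile(r"(\w+)=(\S+)")


def is_internal(ip):
    """True for RFC 1918 addresses, False for anything else."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Return the key=value fields of one log line as a dict."""
    return dict(KV_RE.findall(line))


def unjustified_egress(log_text, allowlist):
    """Aggregate Internet-bound flows that are not on the app's allowlist.

    Returns a list of {app, dst, dport, count} sorted by app, dst, port.
    """
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not {"app", "dst", "dport"} <= fields.keys():
            continue  # malformed line; a real pipeline would log it
        dst, dport = fields["dst"], int(fields["dport"])
        if is_internal(dst):
            continue  # internal traffic is a separate question
        if (dst, dport) in allowlist.get(fields["app"], {}):
            continue  # justified and documented
        counts[(fields["app"], dst, dport)] += 1
    return [{"app": app, "dst": dst, "dport": port, "count": n}
            for (app, dst, port), n in sorted(counts.items())]


if __name__ == "__main__":
    for flow in unjustified_egress(SAMPLE_LOG, EGRESS_ALLOWLIST):
        print(f"{flow['app']:12} -> {flow['dst']}:{flow['dport']}  ({flow['count']}x)  no justification on file")
```

Each row the script prints is a question to take back to the application owner from the inventory: either the flow gets a justification and an allowlist entry, or the firewall rule that permits it goes away.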

Suppliers and subsidiaries can also add risk to the equation. They may have access to your network and resources, may provide support, or may be involved in designing and developing code or hardware included in products that you manufacture and sell. Smaller companies are very likely to have smaller budgets and fewer security resources, so they may become a weak point in your supply chain that adversaries can attack.

What does the future hold? The trends show that attacks are increasing and becoming more sophisticated. Add to that the connection of billions of smart devices: IoT, ICS and OT devices with limited security. These smart devices (homes, cars, factories, utilities…) will benefit consumers and create new value streams, but these complex environments will also need new operating models. The increased use of AI and the integration of diverse technologies will pose risks.

The opportunities and risks will be greater in the future. It will be a challenge to manage the increased complexity and risk, and organizations who don’t make security and privacy a key requirement will be left behind. Suppliers who are weak links will no longer be in business.

Here is an educational clip, intended to illustrate how a weak link in the supply chain can affect the larger parent organization. In this clip, from Superman III (1983), Richard Pryor plays a disgruntled employee of a large corporation who uses social engineering to access and hack the computer system at a subsidiary (an Ag Dealer), in order to access the corporate mainframe. Having worked in the Ag industry myself, I always found this an interesting example of the consequences of poor supply chain security. (I’m glad to see these are red tractors!)

Excerpt from Superman III, (c) 1983
January 20th, 2022 by