In recognition of National Supply Chain Integrity Month, the Cybersecurity and Infrastructure Security Agency (CISA) is partnering with the Office of the Director of National Intelligence (ODNI), the Department of Defense, and other government and industry partners to promote a call to action for a unified effort by organizations across the country to strengthen global supply chains.
Information and communications technology (ICT) systems underpin a broad range of critical infrastructure activities that support critical functions within our communities, such as generating electricity, operating hospitals, and supplying clean water. If vulnerabilities in these systems and their critical hardware and software are exploited, the consequences can have cascading impacts across organizations, sectors, and National Critical Functions.
“As the number of sophisticated cyberattacks increases, we’re reminded that supply chain security is not a nice to have, but an urgent necessity,” said CISA Assistant Director Bob Kolasky. “Government and industry must work together to strengthen and enhance the security and safety of our critical infrastructure and the associated supply chains that support the resilience of our nation.”
Throughout the month of April, CISA will promote resources, tools, and information, including those developed by the public-private ICT Supply Chain Risk Management (SCRM) Task Force, to help organizations and agencies integrate SCRM into their overall security posture. CISA themes for each week include:
- Week 1: Building Collective Supply Chain Resilience,
- Week 2: Assessing ICT Trustworthiness,
- Week 3: Understanding Supply Chain Threats, and
- Week 4: Knowing the Essentials.
Here's what security executives had to say in honor of National Supply Chain Integrity Month:
Dave Stapleton, CISO, CyberGRX:
“Leadership by the U.S. government is key as these security initiatives will require broad public/private partnership in order to be effective. I think this resonates with our thoughts on the need for a collaborative approach to addressing a global issue like TPCRM. Also, I like the fundamentals that the NCSC recommended:
- “Diversify Supply Chains”
- “Mitigate Third-Party Risks”
- “Identify and Protect Crown Jewels”
- “Ensure Executive-Level Commitment”
- “Strengthen Partnerships”
Jack Mannino, CEO at nVisium:
“Supply chain security will remain a front and center issue for many organizations as the fallout from recent incidents continues to unfold. In addition to traditional software security testing techniques such as code reviews and penetration testing, an increasing number of organizations may be interested in understanding how software behaves through malicious code reviews. These types of tests explore the likelihood that software contains embedded malware, through malicious code commits or by compromised third-party dependencies.”
Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber:
“When a third-party tool is used to breach a business it is usually only a foot in the door. The real damage occurs if the internal systems are also vulnerable and exploitable. Never trust a single layer of protection. Remediate vulnerabilities as quickly as possible and double-check that patches are being applied and mitigating actions are being taken. Considering the massive growth and scale of digital systems, and the exponential increase of vulnerabilities every year, this isn’t an easy job, but it is possible to succeed.”
Vishal Jain, Co-Founder and CTO at Valtix:
“The need for securing supply chains has been accelerated by Covid and enterprises accelerating their digital transformation. Enterprise Infosec teams need to maintain proper checks and balances when exposing their internal valuable assets, aka the keys to the kingdom, to supply-chain vendors and 3rd party services. We have seen too many times in the past, SunBurst from SolarWinds being a recent example, that an attacker enters the front gate of the organization by exploiting some vulnerability in their supply chain vendor. Once those assets get infected, malware can now move laterally via the network and eventually to the crown jewel holding critical data. Malware on the crown jewel connects to the command-and-control center and exfiltrates critical data out to the hacker.
Enterprises need to follow a layered defense approach to protect their assets when a breach occurs via a supply chain vendor. They need to have zero-trust security built in with the necessary controls to prevent lateral movement of threats (to reduce the blast radius) and egress filtering to prevent data exfiltration. Enterprises also need to evaluate moving to cloud-based services. The cloud is more secure than their on-prem data center when appropriate cloud security controls are in place. Enterprises also need to ensure that the supply chain vendors they use follow the best security practices.”
John Hellickson, CxO Advisor, Cyber Strategy at Coalfire:
“The topic of supply chain security is often more important than we as an industry give it credit for. Until the organization is impacted by a supplier, or they themselves are the supplier who has impacted their customers, or a serious event occurs across a given sector that raises concerns by executives or the Board about whether they were also impacted, it receives little attention. There are a lot of elements of a highly mature program, which could be daunting when building a program from scratch; however, the larger the organization, the more likely there will be elements of existing risk management practices in place that one could build upon.
A decent supply chain risk program would include elements of Enterprise Risk, Third Party Risk, Cyber Risk, Business Continuity and Physical Security, and a leader in this space would need to also partner with procurement and product teams. When performing discovery & analysis on what is critical to the business, often informed by Business Impact Analyses (BIAs) performed within Business Continuity programs, it is important to tier vendors & suppliers accordingly. When it comes to suppliers, understanding threats facing supply chains is key. Threats such as physical tampering, inadvertent use of sensitive data, IP theft / piracy, theft / inventory manipulation, and remote infrastructure access are examples that could have an impact on supply chain risk.
When performing due diligence and risk assessments on suppliers & vendors, it has become more relevant to leverage senior cybersecurity resources such as security architects & engineers to participate in more technical assessments of embedded systems that could be exploited within the supply chain. The type of skills these engineers/architects bring can complement the traditional auditors that are often tied to Governance, Risk and Compliance functions of an organization.
Overall, for many organizations, supply chain security should be a specific topic within enterprise risk committees, while having a dedicated focus within the organization.”
Joseph Carson, chief security scientist and Advisory CISO at Thycotic:
“Organizations have less control and visibility over the actual security that supply chains have put in place. For the most part, this tends to only be covered in legal contracts, rather than a true security risk assessment. Organizations must prioritize privileged access security to reduce the risks exposed in their supply chain security.”
Michael Isbitski, Technical Evangelist at Salt Security:
“No longer can organizations delay patching critical, known vulnerabilities because of concerns over outages, the impact on production users, or the loss of oversight of a system. Unpatched systems are leaving important elements of the IT stack vulnerable, especially APIs, which attackers are increasingly targeting these days since they route traffic directly to valuable data and services.
There may be many cloud services (and in turn, APIs and data) that an organization is unaware of. These may be used by their own employees or in turn the partners they work with. We hear a lot of this expansion of partner ecosystems and concerns over the digital supply chain.”