No matter the industry, cybersecurity breaches seem to be escalating in size and scale.
The sprawling hacking campaign launched by Russia three months ago — which impacted as many as 18,000 customers of the Texas-based software maker SolarWinds Corp. — is an egregious example of the far reach of a potential supply-chain attack.
The term “supply-chain risk” is a large umbrella that covers lots of security threats and vulnerabilities. In the SolarWinds case, the threat actors, believed to be working on behalf of a foreign government, trojanized the software updates to a popular tool SolarWinds Orion. The attack left potential backdoor access points to hundreds of companies and nine federal agencies. And that’s only what we know — we will likely be uncovering the effects of this breach for years to come.
Other supply-chain risks may manifest as security flaws baked into electronic devices. Manufacturers of smartphones, printers, routers, internet-of-things devices and critical infrastructure systems buy components from third parties. These components are shipped with embedded firmware that may have existing security flaws. What’s more, some of that firmware wasn’t written by the manufacturer, but comes from open-source code maintained by volunteers in the I.T. community.
Here’s what the broader supply-chain industry needs to know about cyberattacks.
There’s a growing movement of purchasers that are demanding comprehensive lists of the software within a device — but for now, it’s rare for manufacturers to provide it. That list, known as a software bill of material (SBOM) is key to supply-chain security, but it’s important to note that it’s not a cure-all. For example, an SBOM would not have caught the SolarWinds backdoor. What was needed was for a security team member to analyze the final software files themselves, before it was released to customers.
A Back Seat
Software developers and device manufacturers have shifted to rapid development processes. On the software side, this agile development framework pushes numerous and rapid updates, sometimes to add new features, occasionally to fix security flaws. There’s a similar push on the device side of the equation — and this is especially true for IoT devices sold as commodity products in bulk.
In either case, security often ends up taking a back seat. It’s up to an organization’s leadership to recognize the risk of not prioritizing security, and it's up to development teams to be proactive in mitigating those risks before they can be exploited. The reality is, attackers are well ahead of the industry. That has put organizations in a reactive posture and given rise to numerous regulations and standards. It’s more important than ever for companies, manufacturers and buyers alike, to take a proactive approach.
Potential for Access
Global supply chains have become particularly attractive targets due to their largely connected and often poorly secured systems. It's common practice to duplicate software in more than one device — meaning if a hacker finds a vulnerability in a doorbell camera, it might also be possible to exploit another brand of doorbell, a smart TV, a connected refrigerator or a home thermostat.
For hackers, a vulnerability that affects a single device is insignificant, because it is hard to monetize those types of hacks, but pervasive supply-chain vulnerabilities can be much more valuable. For supply-chain executives, it’s important to think of all the devices in your business that could enable pivots to other systems.
The SolarWinds breach was a wake up call for many within the cybersecurity community and outside of it. For others, it was a confirmation of what we already knew, and what we have been working so hard to prevent.
The most important takeaway from this attack is that we need to reevaluate the trust we put into vendors, software and devices. Regardless of where you are in the supply chain, from an enterprise user of software to an OEM to a software supplier, you likely are placing an incredible amount of trust in your vendors and their products. We need to rethink how we assess those trust relationships, and most importantly, we need to understand how we can verify the security of this software, firmware and hardware throughout the entire lifecycle.
Matt Wyckhouse is founder and CEO of Finite State.
Timely, incisive articles delivered directly to your inbox.