Software Supply Chain Cybersecurity | Complete Guide

The Software Supply Chain is Vulnerable

Going upstream: A new cybersecurity frontier

In the past, cybercriminals would search for software vulnerabilities and then strike before the issue could be patched. Now, frustrated by improved cybersecurity, hackers are directing efforts upstream - targeting software’s fundamental building blocks.

This is the danger presented by open-source and third-party software.

To save time and expense, developers draw on open-source components as they develop complex programs. Proprietary components, exclusive to a vendor, are a small percentage of the end product. In fact, 90% of components in completed software are open source.

In other words, the majority of a product came from someone else. Yet, organizations often don’t have access to a list of these components: limiting their understanding of what is (and isn’t) supported by third parties.

Making matters worse, 11% of open-source product components have known vulnerabilities.

Cybercriminals actively seek out these vulnerabilities in order to insert malware into the pipeline.

• In 2020 alone, Sonatype reported a 430% year-over-year growth in cyberattacks targeting open-source software products.

• According to a 2020 DevSecOps Community survey, one out of five developers endured an open-source related breach.

As digital transformation requires more software, and that software grows increasingly complex - cybercriminals have more avenues for attack.

‍

4 Vulnerabilities in the Software Supply Chain

Cybercriminals may launch an assault at any stage in the software supply chain.

The Cybersecurity and Infrastructure Security Agency (CISA) has identified four areas where security is a concern:

1. Development environment

A cybercriminal can…

• Plant malware directly into the product

• Steel data from the vendor

2. Management of third-party software components during development

A cybercriminal can…

• Plant malware in open-source components

• Trick a developer into using a hacker’s malware instead of trusted open-source software

• Leverage an unknown vulnerability in an open-source component

3. Deployment to users

A cybercriminal can…

• Tamper with the completed software before it reaches your business

• Access your network directly by stealing a vendor’s credentials

4. Transmission of updates and patches

A cybercriminal can…

• Insert malware by hijacking an update or pretending to be a patch.

These cyber threats aren’t theoretical. The slew of recent high-profile attacks has prompted utilities and the federal government to make cybersecurity a priority.

In the news: High-profile supply chain attacks

Target Data Breach (2013)

Hackers used an HVAC vendor’s credentials to break into Target’s network and access customer data, including bank, credit card, and other personal information.

Equifax Data Breach (2017)

Equifax didn’t patch a known vulnerability in its system and hackers gained access to personal information, including Social Security numbers, for 147 million consumers (56% of Americans). Equifax paid $700 million in a settlement.

CCleaner (2017)

CCleaner is a program that deletes unnecessary and malicious files from a computer, cleaning up the device. However, hackers planted malware into free versions of the software, likely affecting over 2 million users.

WannaCry (2017)

The WannaCry ransomware attack, like NotPetya, targeted the EternalBlue exploit in Microsoft Windows machines. WannaCry affected approximately 230,000 computers and cost organizations $4 billion globally.

Operation Dragonfly (2014, 2017)

Dragonfly, a group of hackers, attacked entities using industrial control systems (ICS), a global hack that affected over 1,000 energy companies in North America and Europe.

Delta Airlines Data Breach (2017)

Hackers gained access to millions of customers’ data, including credit card information, through a compromised chatbot on Delta’s website. The AI company behind the chatbot hadn’t implemented adequate cybersecurity.

NotPetya (2017)

NotPetya disrupted systems globally by targeting Microsoft Windows machines, shutting down systems or installing ransomware. It used the EternalBlue exploit, among other vulnerabilities.

Operation ShadowHammer (2018)

Cybercriminals stole legitimate ASUS certificates and sent malware to nearly 1 million customers. Barium, the group responsible, also conducted Shadowpad, a 2017 supply chain attack that affected hundreds of organizations globally.

Zerologon (2020)

Secura researchers discovered a vulnerability in Microsoft’s NETLOGIN protocol, allowing a hacker to establish domain administrator privileges. This severe risk underscores the importance of promptly installing patches and updates.

Amnesia:33 (2020)

Amnesia:33 is the name assigned to 33 zero-day vulnerabilities found in software libraries, likely affecting millions of devices.

SolarWinds (2020)

Hackers compromised SolarWinds, an IT software company, and added malware to an update installed by 18,000 customers, including the Department of Energy, Microsoft, and Cisco.

Microsoft Exchange Breach (2021)

HAFNIUM, a cybercriminal group, used zero-day exploits in Microsoft Exchange servers to steal data and access networks - affecting hundreds of thousands of entities globally.

A troubling picture for supply chain cybersecurity

Organizations understand that software supply chain attacks are rising. Crowdstrike’s 2018 survey of IT professionals highlights the problem’s scope:

• 66% reported a software supply chain attack

• 90% of those attacked suffered financial impact

• 1 in 6 had paid ransom after a software supply chain attack in the last year

Despite these troubling trends, many IT professionals aren’t taking sufficient action to secure their organizations.

Insufficient action

Though 90% recognized they were at risk of a supply chain attack, only one third of the IT professionals actually vet software suppliers.

The Ponemon Institute, in a 2018 study on data risk from third parties, highlights a similar disconnect between awareness of third-party threats and tangible remediation of the problem.

59% of IT practitioners confirmed their organizations experienced a data breach through one of their third parties, while 76% observe cybersecurity incidents from vendors is increasing.

Despite this:

• Only 37% report they have sufficient resources to handle third-party risks

• Only 39% regularly brief boards of directors on the effectiveness of their third-party management program and potential risks

• Only 35% describe their third-party risk management program as “highly effective”

• 57% don’t know if their vendor safeguards are enough to prevent a breach

Slow response times

For many high-profile supply chain attacks and vulnerabilities, the solution is prompt detection and remediation. Often, this involves a quick software patch or update.

When a weakness is discovered, a race begins between cybercriminals and security experts. Developers must generate a solution and IT must install the patch - shoring up the system before a hacker gets in.

However, according to a 2020 report by Sonatype, 48% of developers became aware of open-source vulnerabilities within a week’s time, and 51% required more than a week to respond.

If a cybercriminal can exploit a zero-day vulnerability in 3 days, they have an edge over the majority of their targets.

Likewise, IT professionals averaged 63 hours to remediate a software supply chain attack.

Securing a system depends on third-party developers and in-house IT, but the response times for both are concerning.

Poor vendor visibility and security

To protect against software supply chain attacks, it’s essential that organizations ensure third-party security and track vendor software and access.

You can’t respond to a vulnerability or breach if you don’t know it exists, and organizations depend on vendors or third parties to develop patches. That said, only 29% of IT professionals say that they’d be contacted by a third party if a data breach occurred.

Unfortunately, it’s dangerous to trust that vendors will self-police.

In a 2020 webinar, Tobias Whitney of Fortress Information Security observed that among the 150 most common vendors and suppliers to the Bulk Electric System:

• 19% don’t require multi-factor authentication for remote access to internal networks

• 32% don’t maintain a logging and monitoring program

• 17% don’t require background checks for all employees

• 33% of information security policies aren’t mapped to an industry-recognized framework

Utilities need comprehensive cybersecurity solutions and pursuing a Software Bill of Materials (SBOM) with vendors is an important first step.

5 Steps for Effective C-SCRM

1. Know your software and vendors

‍

As you develop a C-SCRM, it’s important to remember a common adage among cybersecurity experts: you can’t protect what you can’t see.

A thorough audit may be necessary to identify all the software, firmware, and hardware across your organization in both IT and OT. You can then compile a list of your vendors and other relevant third parties.

If you don’t identify these assets, you can be confident cybercriminals will.

A good first step, once you’ve completed an audit, is to request an SBOM for your software. Even though an SBOM isn’t yet required, many vendors understand that they likely soon will be.

With SBOMs, you can then search for known vulnerabilities, determine whether you’re using unsupported software, and map out the lifecycle and ownership of each software component.

2. Assess & rank critical infrastructure risks

‍

With the vast size and scope of critical infrastructure networks, addressing each and every risk is unrealistic. That’s why assessing and ranking those risks is vital.

Where can a cybercriminal cause the greatest damage? Focus your efforts there first.

Not all zones in a network are created equal, and not all software has the same permissions or capabilities. Knowing this hierarchy will help you direct resources where they’re most needed.

NERC recommends asking the following questions:

1. Does the software require an Internet connection?
   ‍
2. Can the system be reached by an internal network user in a different department?
   ‍
3. How directly can the system be reached by an external attacker?
   ‍
4. What would be the impact if the system failed (went offline or was disabled)?
   ‍
5. What would be the impact if the system mis-operated?
   ‍
6. What secondary systems are connected or reachable from the primary system? How critical are they?
   ‍
7. Where do the system’s inputs come from and how trustworthy are those inputs?
   ‍
8. Does the software require or run with administrative privilege?
   ‍
9. How trustworthy is the software?

After asking these questions, you may decide to limit the access of some software. Either way, it’s wise to watch for unusual activity.

3. Maintain high security standards for vendors

‍

If your vendors and software are vulnerable, you’re vulnerable - so it’s essential to understand how your vendors will be…

• Protecting their own infrastructure

• Ensuring the integrity of their software and patches

• Protecting your data and network credentials

• Notifying you of software vulnerabilities or breaches

• Scanning their own software, preparing patches, and securely conveying those patches

• Safely incorporating open-source and third-party software into their products

Even though vendors aren’t directly managing critical infrastructure, you should hold their cybersecurity to the same high standard as your own.

At the simplest level, this should include basic cyber hygiene: anti-malware, multi-factor authentication, data encryption, trust zones, firewalls, background checks, staff training, and response plans. Remember, a chatbot company’s failures in these areas led to the Delta Airlines data breach in 2017.

But as cybercriminals become more sophisticated, many organizations are embracing a more rigorous Zero Trust Architecture, which assumes a breach has already occurred and carefully monitors all traffic within the networks.

As you assess current or potential vendors, take steps to understand their cybersecurity by providing vendors with a questionnaire and negotiating security requirements in your contract.

If you’re unsure what to ask of your vendors, CISA provides a thorough template.

4. Partner with vendors to develop cybersecurity policies and protocols

‍

According to Utility Dive’s 2021 State of the Electric Utility (SEU) Survey Report, only 55% of electric utility professionals have systematic and prompt patching of their systems.

On the development side, only 73% of known vulnerabilities are closed or remediated.

To secure the supply chain, software procurement can’t be a single exchange. You’re not buying software; you’re buying into a relationship that’ll continue as long as you’re using their products.

Three Recommendations:

1. The Utilities Telecom Council advises establishing clear and consistent communication with your vendors about potential threats. Detecting and resolving a software vulnerability requires visibility and shared threat intelligence.

2. Understand your vendors’ policies, protocols, and response plans, so you can create complimentary processes in your own organization.

3. Consider coordinating with vendors for supply chain “war games” to test your plans and refine your response times.

5. Collaborate: Industry partners, other sectors, and government

‍

Visibility into assets, vendors, and threats is essential to C-SCRM. To address cyber threats effectively, critical infrastructure providers need robust threat intelligence feeds.

A threat intelligence feed provides data on cybercrime and potential vulnerabilities.

According to a 2021 Ponemon Institute survey of IT professionals...

• 50% of cyberattacks could be foiled with timely and actionable intelligence

• 38% of cyberattacks succeeded because IT lacked timely and actionable data

Collaborating with your vendors goes a long way, but don’t neglect industry partners, other sectors, and the federal government.

When cybercriminals attacked the Colonial Pipeline, Colonial didn’t contact the Cybersecurity and Infrastructure Security Agency (CISA). Instead, Colonial informed the FBI, who then reached out to CISA.

Critical infrastructure providers must share information on attacks and vulnerabilities for the sake of network and asset integrity. It’s a joint effort, and everyone needs to be onboard.

Resources for Threat Intelligence:

• Consider joining a sector-specific Industry Sharing and Analysis Center (ISAC) or an Information Sharing and Analysis Organization (ISAO)

• The FBI manages the Internet Crime and Complaint Center, offering the InfraGard membership to support organizations in protecting critical infrastructure

• CISA’s Automated Indicator Sharing (AIS) is another source for threat intelligence

While past efforts at transparency have been plagued by distrust, the million-dollar price tag of an attack should outweigh any doubts. Effective supply chain risk management can’t exist in isolation, and utilities can spearhead information sharing.