The Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute for Standards and Technology (NIST) recently published “Defending Against Software Supply Chain Attacks”.
The guideline provides an overview of software supply chain risk and how vendors and customers can identify and assess such risks using the NIST Cyber Supply Chain Risk Management (C-SCRM) Framework and the Secure Software Development Framework (SSDF).
Software supply chains are an integral part of a large information and communications technology (ICT) supply chain framework. It is an ecosystem of retailers, distributors, and suppliers participating in the sale, delivery, and production of hardware, software, and managed services.
An attack on the software supply chain happens when a cyber threat actor invades a vendor's network and uses malicious codes, compromising the software before the vendor sends it to their consumers. The compromised software will then put the customer's data or system at risk.
According to the guideline, newly acquired software may be compromised from the get-go. It can also be compromised through a patch or hotfix. These threats affect all users of the tampered software, resulting in major consequences for government, critical infrastructure, and private sector software consumers.
The guideline thoroughly explains the three most common methods threat groups use to infiltrate the supply chain. It also establishes a few recommendations for software customers and vendors to prevent and mitigate attacks as well as improve resilience against software supply chain attacks.
The three most common methods are taking over the software update mechanism to deliver an updated software with malicious code, exploiting misconfigured access controls, and targeting publicly accessible code libraries, and inserting malicious code, which unknowing customers then download to their systems.
The document also provides the following eight best practices for establishing a C-SCRM approach and applying it to software:
- Incorporating C-SCRM across the organization;
- Creating a formal C-SCRM program;
- Knowing and managing critical components and suppliers;
- Understanding the organization's supply chain;
- Working closely with key suppliers;
- Including key suppliers in resilience and improvement activities;
- Evaluating and monitoring throughout the supplier relationship; and
- Planning for the full life cycle.
While the guideline gives thorough recommendations on preventing supply chain attacks, it is still vital for organizations to take extra measures to mitigate vulnerable software components. Organizations should also create a program that can manage and control their supply chain's vulnerabilities, minimizing the possibilities of attacks. In addition, organizations must know and understand the risks associated with supply chains and smart factories.
To learn more about overlooked risks associated with supply chain and smart factories, read our expert team's proof of concept paper, "Forward-looking security analysis of smart factories". This extensive research also discusses feasible attack scenarios and recommended defense strategies.