No matter the industry, cybersecurity breaches seem to be escalating in size and scale.
The sprawling hacking campaign launched by Russia three months ago — which impacted as many as 18,000 customers of the Texas-based software maker SolarWinds Corp. — is an egregious example of the far reach of a potential supply-chain attack.
The term “supply-chain risk” is a large umbrella that covers lots of security threats and vulnerabilities. In the SolarWinds case, the threat actors, believed to be working on behalf of a foreign government, trojanized the software updates to a popular tool SolarWinds Orion. The attack left potential backdoor access points to hundreds of companies and nine federal agencies. And that’s only what we know — we will likely be uncovering the effects of this breach for years to come.
Other supply-chain risks may manifest as security flaws baked into electronic devices. Manufacturers of smartphones, printers, routers, internet-of-things devices and critical infrastructure systems buy components from third parties. These components are shipped with embedded firmware that may have existing security flaws. What’s more, some of that firmware wasn’t written by the manufacturer, but comes from open-source code maintained by volunteers in the I.T. community.
Here’s what the broader supply-chain industry needs to know about cyberattacks.
There’s a growing movement of purchasers that are demanding comprehensive lists of the software within a device — but for now, it’s rare for manufacturers to provide it. That list, known as a software bill of material (SBOM) is key to supply-chain security, but it’s important to note that it’s not a cure-all. For example, an SBOM would not have caught the SolarWinds backdoor. What was needed was for a security team member to analyze the final software files themselves, before it was released to customers.
A Back Seat
Software developers and device manufacturers have shifted to rapid development processes. On the software side, this agile development framework pushes numerous and rapid updates, sometimes to add new features, occasionally to fix security flaws. There’s a similar push…