Information Security Buzz

4 Tips For Cyber-Securing Supply Chains

By ISBuzz Team | March 21, 2017 | Updated: July 4, 2024 | 4 Mins Read

Many organizations are increasingly outsourcing software development and acquiring open source software products. In an effort to reduce production and manufacturing costs for information technology systems, networks and software, companies are disregarding the complexity of supply chain cybersecurity.

Supply chains that contain IT systems such as software or hardware components are often a target of cyber attacks, malware, advanced persistent threats (APT) and cyber terrorism. This can lead to one or more components being compromised at some point in the supply chain lifecycle, anywhere from development to deployment. To avoid such security breaches, thorough and detailed cybersecurity measures must be implemented during the entire process of supply chain transportation. Here are a few tips on how to cyber-secure supply chains and ensure safe delivery of products.

In-depth Analysis

A company should always run an in-depth analysis and assessment of its supply chain to find potential security threats and vulnerabilities. Supply chain cybersecurity threats include computer hardware or networks delivered with preinstalled malware, malware inserted into software or hardware somewhere during the delivery process, and vulnerabilities in software applications or networks within the supply chain that hackers can discover and exploit to breach security.

For example, back in December 2014, Lenovo shipped its notebooks worldwide with preinstalled adware known as “Superfish”. Neither users nor the antivirus software installed on their systems could detect this software as malicious, mostly because software that ships as a default tends to be trusted. Superfish installs a self-signed root HTTPS (Hypertext Transfer Protocol Secure) certificate that lets it intercept encrypted traffic for every website that a user visits.

Whenever a user visits an HTTPS website, the certificate the browser receives is signed, and therefore controlled, by Superfish, which falsely presents it as the official website certificate. The private key behind the Superfish-signed Transport Layer Security (TLS) certificates was the same on every Lenovo device. Hackers were able to use the key to certify imposter HTTPS websites that impersonate users’ bank websites or other secure websites on the Internet. To make things worse, PCs with the Superfish root certificate installed would fail to recognize these websites as forgeries. It wasn’t until February 2015 that this security breach was discovered.

In fact, cybersecurity threats can originate anywhere from a developer’s code to the delivery of components to their destination. That’s why it is of the utmost importance for a company to conduct a comprehensive, in-depth analysis of cybersecurity risks and threats for each part of the supply chain’s lifecycle.
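One way to check delivered machines for the kind of preinstalled root certificate described in the Superfish case is to compare each device's trust store against an approved baseline and look for the same unapproved root on several devices. The sketch below is an added example, not code from the article or from any vendor; the device names and certificate blobs are constructed placeholders, and it assumes each trust store has already been exported as a PEM bundle.

```python
import base64
import hashlib
import re
from collections import defaultdict

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def fingerprints(pem_bundle):
    """SHA-256 fingerprint of the DER bytes of every certificate in a bundle."""
    found = set()
    for body in PEM_RE.findall(pem_bundle):
        der = base64.b64decode("".join(body.split()))
        found.add(hashlib.sha256(der).hexdigest())
    return found

def audit_fleet(baseline_pem, device_stores):
    """Map each root outside the baseline to the devices that trust it."""
    approved = fingerprints(baseline_pem)
    unexpected = defaultdict(list)
    for device, pem in device_stores.items():
        for fp in fingerprints(pem) - approved:
            unexpected[fp].append(device)
    return {fp: sorted(devs) for fp, devs in unexpected.items()}

def shared_across_fleet(findings, min_devices=2):
    """Unapproved roots seen on several devices: an identical certificate
    means an identical key pair, the pattern described in the article."""
    return {fp for fp, devs in findings.items() if len(devs) >= min_devices}

def _pem(blob):
    """Wrap constructed placeholder bytes as a PEM block (not a real cert)."""
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# Constructed sample data: an approved baseline and four device exports.
BASELINE = _pem(b"constructed-root-A") + _pem(b"constructed-root-B")
FLEET = {
    "laptop-01": BASELINE + _pem(b"constructed-vendor-root"),
    "laptop-02": BASELINE + _pem(b"constructed-vendor-root"),
    "laptop-03": BASELINE + _pem(b"constructed-user-added-root"),
    "laptop-04": BASELINE,
}

if __name__ == "__main__":
    findings = audit_fleet(BASELINE, FLEET)
    for fp in shared_across_fleet(findings):
        print("shared unapproved root", fp[:16], "on", findings[fp])
```

A root that appears on only one device may be a local addition; one that appears unchanged across a whole shipment points back at the image or the supplier.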

Communication

Aside from the analysis, companies should strive to procure software and hardware components from trusted sources, organize reliable means of transportation, and ensure that the personnel who are part of the supply chain are well informed and educated. Establishing open communication between the IT staff and the supply chain staff is also of vital importance. Companies can fully utilize the potential of ecommerce logistics as well as implement user-defined policies and protocols for supply chain staff members and IT support staff. With detailed policies and regulations prepared in advance, the staff should make sure that delivery of the components is secure and that the integrity of the hardware or software components is not compromised at any moment during transportation.

Automation

Most parts of the software supply chain can be automated, further increasing its cybersecurity. For example, the U.S. National Institute of Standards and Technology’s Risk Management Framework offers companies detailed automated policies and security protocols that will ensure a higher level of cybersecurity. Automating the software supply chain can cover firewalls, assessment analysis and monitoring of software components and applications from the moment they are developed until they are up and running. Automation can effectively detect vulnerabilities and security threats early on, as opposed to manual monitoring, which is prone to human error.

Leverage Government

Government can be an asset when it comes to cybersecurity. Although a single company’s supply chain may not be on the government’s agenda, its focus on infrastructure from a cyber risk point of view certainly fits with corporate interests. As mentioned, a good example is the U.S. Department of Homeland Security’s Office of Cybersecurity & Communications and the National Institute of Standards and Technology, which are developing a set of cybersecurity standards and protocols for critical infrastructure and increased cybersecurity that companies can utilize.

Cyber-securing a supply chain is a difficult process because there are too many factors that can compromise the products. However, with some time and effort, companies can increase their cybersecurity and lower the risks of potential threats.

About Nate Vickery

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
