Resiliency in Chaos: Digital Supply Chain Strategy
December 3rd, 2024 •
Eric Hensley • Reading Time: 5 minutes
Supply chain risks are not new, but many companies without a physical supply chain (not shipping anything, not requiring off-site facilities, etc.) assume they are immune to supply chain risks.
However, in our interconnected world, if you use software programs or have vendors, you have a digital supply chain. And if you have a digital supply chain, you need a digital supply chain strategy.
Digital Supply Chains Are Vulnerable
As we’ll see with the Kaseya ransomware attack, most attacks are premeditated (as was the SolarWinds incident) and executed when security teams may not be at full capacity, such as during holidays. Software update mechanisms are particularly vulnerable: a compromised update carries malicious code to customers and then on to their customers in a chain of events.
As software products depend on hundreds, if not thousands, of components (including open-source components) produced by vendors, these risks multiply quickly.
Kaseya REvil Ransomware Attack
Digital supply chains are one of cybercriminals’ biggest targets, but many companies are unaware of vulnerabilities within their systems and vendors’ systems.
On July 2, 2021, Kaseya – an IT management and remote monitoring solution – informed its customers of a compromise in its VSA product after malicious code entered through the product’s update mechanism.
Enterprise companies and managed service providers (MSPs) use the VSA product as a remote network management and monitoring tool. Kaseya told customers to shut down the VSA so that attackers could not gain further remote access to assets. Kaseya also urged customers to shut down the cloud version of the VSA and all SaaS servers out of precaution.
A Ripple Effect
At first, it was believed attackers had targeted only 50 companies using VSA. The actual number rose to about 1,500 companies likely exposed to downstream impacts of the ransomware attack. The reason for this difference is that the effects ripple out to the customer bases of the affected MSPs, and the attack can also reach customers relying on the remote monitoring service.
The REvil ransomware gang responsible for the attack initially demanded $70 million in ransom to release the decryptor necessary to unlock systems.
By July 23, Kaseya received a universal decryptor tool and was working with customers to restore files.
Digital Supply Chain Risks
Considering the number of vendors most companies rely on, these vulnerabilities can seem chaotic.
To help provide insight into the severity of these threats, the electronic design automation company Synopsys conducted an audit in 2020 on risks around open-source components and found:
99% of codebases contain at least one open-source component
Concerningly, 91% of codebases are more than four years out of date
Open source makes up 70% of the overall code
75% of codebases audited contained open-source components with high-risk vulnerabilities, a significant increase from audits conducted a year prior
In addition to open-source components, digital supply chains can also mean utilizing machine learning and AI, replacing manual processes with digital ones, or managing more and more digital data.
This is not to say this is bad; supply chain technologies usually have a payback of less than two years. Yet, as the digital landscape expands and companies use more and more technology providers, the attack surface broadens, and vulnerabilities will only increase.
This expansion, and attacks such as the one at SolarWinds, have shown that we must monitor the activities of our third parties and their third parties. Viewing third-party vendors as a digital supply chain can help companies decide whether the vendors they want to contract with are secure. It can also help technology companies improve their own cyber resiliency.
Your Key to a Digital Supply Chain Strategy? Transparency
The vulnerabilities digital supply chains can present have not gone under the radar. The Biden Administration’s Executive Order requires technology vendors who work with the federal government to provide a software bill of materials (SBOM), which documents all components and materials included in a software product’s codebase.
Regulators are also paying more attention to the activities of third parties, and regulators may hold companies responsible for cybersecurity incidents within their third parties.
In anticipation of this increased focus, the National Institute of Standards and Technology (NIST) published “Key Practices in Cyber Supply Chain Risk Management,” which provides recommendations to help organizations ensure resilience.
NIST’s guidance focuses heavily on transparency and collaboration between procurers and vendors. Key points outlined in the report include:
Integrate C-SCRM (cyber supply chain risk management) across the organization
Establish a formal C-SCRM program
Know and manage critical suppliers
Understand the organization’s supply chain
Closely collaborate with key suppliers
Include key suppliers in resilience and improvement activities
The first step toward building cyber supply chain resilience is to know who your vendors are and who their vendors are. This can seem like common sense, but many companies do not fully understand each component within their digital supply chain.
Take time to determine what each of your vendors does, how dependent you are on them, how they affect your day-to-day operations, and the inherent risks each brings to your cybersecurity. Analyze the vendors your direct third parties use as well, since they can affect your operations through their downstream activities.
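The SBOM described above is the raw material for this inventory: it names each component, its supplier, and how components depend on one another, so a direct (third-party) dependency can be told apart from the components it pulls in (nth parties). The following Python is an added example, not code from the article or from Aravo. It parses a constructed CycloneDX-style SBOM (the product, suppliers and versions are made up and labelled as such), walks the dependency graph from the application to assign each component a supply chain depth, groups components by supplier, and lists transparency gaps: components with no named supplier, no package URL, or no dependency path back to the application.

```python
import json
from collections import defaultdict, deque

# Constructed CycloneDX-style SBOM used as sample input. The application,
# suppliers and versions are invented for this example and are not a real
# product's bill of materials.
SBOM_JSON = r"""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {
    "component": {"type": "application", "bom-ref": "app", "name": "billing-portal",
                  "version": "4.2.0", "supplier": {"name": "Example Corp (constructed)"}}
  },
  "components": [
    {"type": "library", "bom-ref": "lib-web", "name": "webframework", "version": "2.8.1",
     "purl": "pkg:generic/webframework@2.8.1", "supplier": {"name": "Vendor A (constructed)"}},
    {"type": "library", "bom-ref": "lib-tmpl", "name": "templating", "version": "1.0.4",
     "purl": "pkg:generic/templating@1.0.4", "supplier": {"name": "OSS Project B (constructed)"}},
    {"type": "library", "bom-ref": "lib-json", "name": "jsonparse", "version": "0.9.0",
     "purl": "pkg:generic/jsonparse@0.9.0", "supplier": {"name": "OSS Project C (constructed)"}},
    {"type": "library", "bom-ref": "lib-crypto", "name": "cryptolib", "version": "3.1.0",
     "purl": "pkg:generic/cryptolib@3.1.0"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["lib-web"]},
    {"ref": "lib-web", "dependsOn": ["lib-tmpl", "lib-json"]},
    {"ref": "lib-tmpl", "dependsOn": ["lib-json"]},
    {"ref": "lib-json", "dependsOn": ["lib-crypto"]}
  ]
}
"""


def load_sbom(text):
    """Parse the SBOM and reject anything that is not CycloneDX."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    return sbom


def dependency_depths(sbom):
    """Breadth-first walk from the described application over the dependency graph.
    Depth 1 is a direct (third-party) component; depth 2 and beyond are nth parties.
    The shortest path wins, and already-seen refs are skipped so cycles terminate."""
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    depths = {root: 0}
    queue = deque([root])
    while queue:
        ref = queue.popleft()
        for child in edges.get(ref, []):
            if child not in depths:
                depths[child] = depths[ref] + 1
                queue.append(child)
    return depths


def inventory(sbom):
    """One row per component: who supplies it and how far down the chain it sits."""
    depths = dependency_depths(sbom)
    rows = []
    for comp in sbom.get("components", []):
        rows.append({
            "name": comp["name"],
            "version": comp["version"],
            "purl": comp.get("purl"),
            "supplier": (comp.get("supplier") or {}).get("name", "UNKNOWN"),
            # None means the component is listed but never reached from the application
            "depth": depths.get(comp["bom-ref"]),
        })
    return rows


def gaps(rows):
    """Transparency gaps worth raising with the vendor: unknown supplier,
    missing package URL, or no dependency path back to the application."""
    return [r["name"] for r in rows
            if r["supplier"] == "UNKNOWN" or r["purl"] is None or r["depth"] is None]


def by_supplier(rows):
    """Group component names by supplier so each vendor relationship is visible."""
    groups = defaultdict(list)
    for r in rows:
        groups[r["supplier"]].append(r["name"])
    return dict(groups)


if __name__ == "__main__":
    rows = inventory(load_sbom(SBOM_JSON))
    for r in sorted(rows, key=lambda r: r["depth"] if r["depth"] is not None else 99):
        print(f"depth={r['depth']} {r['name']}@{r['version']} supplier={r['supplier']}")
    print("transparency gaps:", gaps(rows))
```

In this sample the application depends directly only on webframework; templating and jsonparse are second-tier, and cryptolib sits at depth 3 with no supplier named at all, which is exactly the kind of nth-party blind spot the guidance above asks you to surface.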
Prioritize Which Vulnerabilities Are at Highest Risk
A significant component of building supply chain security and resiliency is ensuring businesses prioritize patching vulnerabilities rather than just identifying bugs. Businesses that do not fix vulnerabilities for which patches exist remain exposed, because cybercriminals routinely reverse-engineer patches to discover the vulnerabilities they address in products or systems.
This task can be daunting, especially if manual processes are heavily relied upon. You can use online code repositories and other automation tools to identify and correct simple vulnerabilities, leaving IT teams more time to focus on complex and high-risk vulnerabilities.
Not all vulnerabilities are equally valuable to cybercriminals, and it is impossible to fix every single one. By knowing all of your vendors, third parties, and nth parties, you can use metrics to determine which vulnerabilities need immediate triage and what the probability of exploitation is for each.
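One way to turn the two points above into a repeatable triage rule: rank findings with a patch available first (since published patches are what attackers reverse-engineer), and within each group order by severity, exploitation likelihood, exposure and the business criticality of the vendor component. The Python below is an added example, not code from the article or from Aravo. The advisory identifiers, scores and criticality ratings are constructed placeholders, not real CVEs; the per-finding exploitation probability is assumed to come from an EPSS-style estimate, which is a design choice here rather than anything the article prescribes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    advisory: str               # constructed placeholder id, not a real CVE
    component: str              # vendor component from the supply chain inventory
    cvss: float                 # base severity, 0-10
    exploit_probability: float  # 0-1 estimate of exploitation (EPSS-style; constructed here)
    patch_available: bool       # vendor has shipped a fix
    exposed: bool               # reachable from the internet or untrusted input


# Constructed sample findings for illustration only.
FINDINGS = [
    Finding("ADV-0001 (constructed)", "webframework", 9.8, 0.02, False, True),
    Finding("ADV-0002 (constructed)", "templating",   7.5, 0.60, True,  True),
    Finding("ADV-0003 (constructed)", "jsonparse",    5.3, 0.01, True,  False),
    Finding("ADV-0004 (constructed)", "cryptolib",    8.1, 0.35, True,  False),
]

# Constructed business criticality per component, 1 (nice-to-have) to 3 (critical),
# the kind of rating a vendor inventory would carry.
CRITICALITY = {"webframework": 3, "templating": 3, "jsonparse": 2, "cryptolib": 3}


def risk_score(finding, criticality):
    """Severity x likelihood x business impact.
    Exposure to untrusted input doubles the likelihood, capped at 1.0."""
    likelihood = min(finding.exploit_probability * (2.0 if finding.exposed else 1.0), 1.0)
    impact = criticality.get(finding.component, 1)
    return round(finding.cvss * likelihood * impact, 3)


def triage(findings, criticality):
    """Split findings into two work queues, each ordered by descending risk:
    'patch_now' for fixes that already exist, 'mitigate' for items that still
    need a compensating control because no patch is available yet."""
    ordered = sorted(findings, key=lambda f: -risk_score(f, criticality))
    return {
        "patch_now": [f.advisory for f in ordered if f.patch_available],
        "mitigate": [f.advisory for f in ordered if not f.patch_available],
    }


if __name__ == "__main__":
    plan = triage(FINDINGS, CRITICALITY)
    for queue, advisories in plan.items():
        print(queue)
        for adv in advisories:
            f = next(x for x in FINDINGS if x.advisory == adv)
            print(f"  {adv}: {f.component} score={risk_score(f, CRITICALITY)}")
```

Note how the ranking differs from sorting by CVSS alone: the constructed 9.8 finding has no patch and a very low exploitation estimate, so it lands in the mitigation queue, while the 7.5 finding that is exposed, highly likely to be exploited and already patchable goes to the top of the patch queue.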
Don’t forget that third-party software products can also be highly beneficial. TPRM automation tools allow you to view all your third parties in easy-to-navigate dashboards, so you don’t have to dig through data to determine where to focus your efforts.
Use Multi-Factor Authentication and Zero-Trust Architecture
There are relatively simple yet essential practices companies can implement to increase their security. Multi-factor authentication and zero-trust architecture (where the system grants “zero trust” that you are the approved user by default and requires additional challenges before allowing access to networks) create more checkpoints against attackers. Embracing these practices is critical to strengthening your software and supply chain security, though it requires collaboration with IT teams to manage the controls.
Update Internal Stakeholders About All Third-Party Purchases
Another important aspect of building TPRM and supply chain resilience is how we purchase third-party applications and solutions. Small teams, such as marketing departments, often evaluate programs and tools that could complement their martech stack.
Sometimes, when the cost is low or already built into a departmental budget, procurement or IT teams are not informed of or responsible for handling the purchases. Teams put them on the department’s credit card.
The problem is that purchases made without informing the appropriate internal stakeholders receive no IT due diligence. While these applications may not affect the operations of the whole organization, they still introduce vulnerabilities and carry downstream implications when due diligence is skipped.
Performing an internal audit of any vendor purchases that may have slipped through the gaps is a good practice for building organizational resiliency.
Collaborate with Vendors on Digital Supply Chain Resiliency
As important as it is to boost your own cyber and supply chain resiliency, it can be moot if the vendors you’re dependent on are not making efforts on their side.
As a customer, your procurement teams should collaborate with vendors to implement technologies such as hot patching, which lets organizations apply patches without restarting the software. This means companies do not have to choose between applying critical security fixes and staying online. Collaborating on other security protocols and procedures helps boost mutual resiliency.
Eric is responsible for technical delivery of Aravo’s product offerings, including Engineering, QA and Hosting Operations. He has over 15 years’ experience in the development and delivery of enterprise SaaS offerings with a special focus on supply chain management and intelligence solutions.
Before joining Aravo, Eric served as Sr. Director of Technical Operations at Instill Corporation, where he developed infrastructure and integration solutions for supply chain intelligence systems in the foodservice industry. Eric joined Instill in 2002 and was instrumental in the development and deployment of highly scalable SaaS solutions responsible for processing the majority of daily foodservice transactions in North America. Prior to that, Eric served as Director of Technical Operations at ShipServ Ltd., where he was responsible for the development and deployment of one of the earliest SaaS transactional business exchanges, focused on the maritime shipping industry. While at ShipServ, Eric led the development and adoption of MTML, an XML-based transactional document standard now widely deployed in the shipping industry.
Eric holds a BA in Astrophysics with a specialization in Computer Science from the University of California, Berkeley.