Resiliency in Chaos: Digital Supply Chain Strategy

December 3rd, 2024 Eric Hensley Reading Time: 5 minutes

Supply chain risks are not new, but many companies without a physical supply chain (not shipping anything, not requiring off-site facilities, etc.) assume they are immune to supply chain risks.  

However, in our interconnected world, if you use software programs or have vendors, you have a digital supply chain. And if you have a digital supply chain, you need a digital supply chain strategy. 

Digital Supply Chains Are Vulnerable 

As we’ll see with the Kaseya ransomware attack, most attacks are premeditated (also seen with the SolarWinds incident) and executed when security teams may not be at full capacity, such as during holidays. Software updates are particularly vulnerable: a compromised update creates a chain of events that spreads malicious code to customers and then on to their customers.  

As software products depend on hundreds, if not thousands, of components (including open-source components) produced by vendors, these risks multiply quickly. 

Kaseya REvil Ransomware Attack 

Digital supply chains are one of cybercriminals’ biggest targets, but many companies are unaware of vulnerabilities within their systems and vendors’ systems.  

On July 2, 2021, Kaseya – an IT management and remote monitoring solution provider – informed its customers of a compromise in its VSA product after malicious code entered through the product’s update mechanism.  

Enterprise companies and managed service providers (MSPs) use the VSA product as a remote network management and monitoring tool. Kaseya told customers to shut down the VSA so that attackers could not gain further remote access to assets. Kaseya also urged customers to shut down the cloud version of the VSA and all SaaS servers out of precaution. 

A Ripple Effect 

At first, it was believed attackers targeted only 50 companies using VSA. The actual number rose to about 1,500 companies that were likely exposed to downstream impacts of the ransomware attack. The reason for this difference is that the effects ripple out from the MSPs using VSA to their own customer bases. The attack can also affect customers relying on the remote monitoring service. 

The REvil ransomware gang responsible for the attack initially demanded $70 million in ransom to release the decryptor necessary to unlock systems.  

By July 23, Kaseya received a universal decryptor tool and was working with customers to restore files. 

Digital Supply Chain Risks 

Considering the number of vendors most companies rely on, these vulnerabilities can seem chaotic.  

To help provide insight into the severity of these threats, the electronic automation company Synopsys conducted an audit in 2020 on risks around open-source components and found: 

  • 99% of codebases contain at least one open-source component 
  • Concerningly, 91% of codebases are more than four years out of date 
  • Open source makes up 70% of the overall code 
  • 75% of codebases audited contained open-source components with high-risk vulnerabilities, a significant increase from audits conducted a year prior 

In addition to open-source components, digital supply chains can also mean utilizing machine learning and AI, replacing manual processes with digital ones, or managing more and more digital data.  

This is not to say this is bad; supply chain technologies usually have a payback of fewer than two years. Yet, as the digital landscape expands and companies use more and more technology providers, the area of attack broadens, and vulnerabilities will only increase. 

This expansion and attacks, such as the one at SolarWinds, have shown us we must monitor the activities of our third parties and their third parties. Viewing third-party vendors as a digital supply chain can help companies decide if the vendors they want to contract with are secure. It can also help technology companies improve their own cyber resiliency. 

Your Key to a Digital Supply Chain Strategy? Transparency 

The vulnerabilities digital supply chains can present have not gone under the radar. The Biden Administration’s Executive Order requires technology vendors who work with the federal government to release a software bill of materials (SBOM), which documents all components and materials included in a software product’s codebase. 

Regulators are also paying more attention to the activities of third parties, and regulators may hold companies responsible for cybersecurity incidents within their third parties.  

In anticipation of this increased focus, the National Institute of Standards and Technology (NIST) published “Key Practices in Cyber Supply Chain Risk Management,” which provides recommendations to help organizations ensure resilience. 

NIST’s guidance focuses heavily on transparency and collaboration between procurers and vendors. Key points outlined in the report include: 

  1. Integrate C-SCRM (cyber supply chain risk management) across the organization 
  2. Establish a formal C-SCRM program 
  3. Know and manage critical suppliers 
  4. Understand the organization’s supply chain 
  5. Closely collaborate with key suppliers 
  6. Include key suppliers in resilience and improvement activities 
  7. Assess and monitor the supplier relationship 
  8. Plan for the full life cycle 

How to Build Digital Supply Chain Resilience 

In addition to the guidance provided in the NIST publication, companies can implement third-party risk management (TPRM) best practices to help boost cyber supply chain resilience. 

Know Your Vendor Landscape 

The first step toward building cyber supply chain resilience is to know who your vendors are and who their vendors are. This can seem like common sense, but many companies do not fully understand each component within their digital supply chain.  

Take time to determine what each of your vendors does, how dependent you are on them, how they affect your day-to-day operations, and the inherent risks each brings to your cybersecurity. Analyze the vendors your direct third parties use as well, as they can affect your operations through their downstream activities. 

Prioritize Which Vulnerabilities Are at Highest Risk 

A significant component of building supply chain security and resiliency is ensuring businesses prioritize patching vulnerabilities rather than just identifying bugs. Businesses that do not apply available patches are exposed to cybercriminals, many of whom reverse-engineer patches to discover the vulnerabilities they fix in products or systems. 

This task can be daunting, especially if manual processes are heavily relied upon. You can use online code repositories and other automation tools to identify and correct simple vulnerabilities, leaving IT teams more time to focus on complex and high-risk vulnerabilities. 

Not all vulnerabilities are equally attractive to cybercriminals, and it is impossible to fix every single one. By knowing all of your vendors, third parties, and nth parties, you can use metrics to determine which vulnerabilities need immediate triaging and what the probabilities of exploitation are. 
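The two ideas above, an SBOM that documents which components a product contains and metrics that rank which findings to triage first, fit together in one small workflow. The following is an added example, not code from the original post or from Aravo: it parses a constructed CycloneDX-style SBOM, matches its components against a constructed advisory feed (placeholder ids such as ADV-0001, not real CVE numbers), and ranks the applicable findings by severity, estimated exploitation probability and how critical the vendor is to the organization. The `properties` vendor field, the advisory fields and the criticality weights are all assumptions made for the example.

```python
"""Added example (not from the original post): rank the components listed in a
software bill of materials (SBOM) against a vendor advisory feed so that the
vulnerabilities most likely to be exploited are triaged first.

Assumptions (all constructed for this example):
  - SBOM_JSON is a minimal CycloneDX-style document; only the "components" list
    with "name", "version" and a custom "vendor" property is used.
  - ADVISORIES is a constructed feed with placeholder ids (ADV-0001 ...), not
    real CVE numbers, plus a severity score on a 0-10 scale and an estimated
    probability of exploitation.
  - VENDOR_CRITICALITY weights how dependent the organization is on each vendor
    (1.0 = business critical), which the post recommends knowing up front.
"""
import json

SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "application", "name": "remote-monitor-agent", "version": "9.5.6",
     "properties": [{"name": "vendor", "value": "example-rmm-vendor"}]},
    {"type": "library", "name": "json-parser", "version": "2.1.0",
     "properties": [{"name": "vendor", "value": "open-source"}]},
    {"type": "library", "name": "legacy-logger", "version": "1.0.4",
     "properties": [{"name": "vendor", "value": "open-source"}]},
    {"type": "library", "name": "template-engine", "version": "4.2.0",
     "properties": [{"name": "vendor", "value": "open-source"}]}
  ]
}"""

# Constructed advisory feed: versions strictly below "affected_below" are affected.
ADVISORIES = [
    {"id": "ADV-0001", "component": "remote-monitor-agent",
     "affected_below": (9, 5, 7), "severity": 9.8, "exploit_probability": 0.60,
     "patch_available": True},
    {"id": "ADV-0002", "component": "json-parser",
     "affected_below": (2, 2, 0), "severity": 5.3, "exploit_probability": 0.02,
     "patch_available": True},
    {"id": "ADV-0003", "component": "legacy-logger",
     "affected_below": (1, 1, 0), "severity": 7.5, "exploit_probability": 0.35,
     "patch_available": False},
    {"id": "ADV-0004", "component": "template-engine",
     "affected_below": (4, 1, 0), "severity": 9.0, "exploit_probability": 0.50,
     "patch_available": True},
]

# Assumed weights: how much a compromise of this vendor would hurt operations.
VENDOR_CRITICALITY = {"example-rmm-vendor": 1.0, "open-source": 0.6}


def parse_version(text):
    """Turn '9.5.6' into (9, 5, 6) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def sbom_components(sbom_json):
    """Extract (name, version tuple, vendor) from a CycloneDX-style SBOM."""
    doc = json.loads(sbom_json)
    result = []
    for comp in doc.get("components", []):
        props = {p["name"]: p["value"] for p in comp.get("properties", [])}
        result.append((comp["name"], parse_version(comp["version"]),
                       props.get("vendor", "unknown")))
    return result


def match_advisories(components, advisories):
    """Return (advisory, vendor) pairs whose affected range covers a shipped version."""
    by_name = {name: (version, vendor) for name, version, vendor in components}
    matches = []
    for adv in advisories:
        if adv["component"] not in by_name:
            continue
        version, vendor = by_name[adv["component"]]
        if version < adv["affected_below"]:  # already-fixed versions are skipped
            matches.append((adv, vendor))
    return matches


def priority_score(adv, vendor):
    """Combine severity, exploitation probability and vendor criticality.
    Findings with no patch get a small uplift: they need compensating controls
    or vendor escalation rather than a routine update."""
    score = adv["severity"] * adv["exploit_probability"] * VENDOR_CRITICALITY.get(vendor, 0.5)
    if not adv["patch_available"]:
        score *= 1.2
    return round(score, 2)


def triage(sbom_json=SBOM_JSON, advisories=ADVISORIES):
    """Rank applicable advisories from highest to lowest priority."""
    ranked = [(adv["id"], priority_score(adv, vendor))
              for adv, vendor in match_advisories(sbom_components(sbom_json), advisories)]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for adv_id, score in triage():
        print(f"{adv_id}: priority {score}")
```

Note that ADV-0004 drops out entirely because the shipped `template-engine` version is already past the affected range; a correct SBOM lets you discard such advisories without manual work, while the highest-severity finding in a business-critical vendor product lands at the top of the list and the unpatched open-source finding is placed ahead of the low-probability one.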

Don’t forget that third-party software products can also be highly beneficial. TPRM automation tools allow you to view all your third parties in easy-to-navigate dashboards, so you don’t have to dig through data to determine where to focus your efforts. 

Use Multi-Factor Authentication and Zero-Trust Architecture 

There are relatively simple yet essential practices companies can implement to increase their security. Multi-factor authentication and zero-trust architecture (where the system has “zero trust” that you are the approved user and requires additional challenges to log into networks) create more checkpoints against hackers. Embracing these practices is critical to strengthening your software and supply chain security, though it requires collaboration with IT teams to manage controls. 

Update Internal Stakeholders About All Third-Party Purchases 

Another important aspect of building TPRM and supply chain resilience is how we purchase third-party applications and solutions. Small teams, such as marketing departments, often analyze programs and tools that could complement their mar-tech stack.  

Sometimes, when the cost is low or already built into a departmental budget, procurement or IT teams are not informed of or responsible for handling the purchases. Teams put them on the department’s credit card. 

The problem is that departments do not conduct IT due diligence when they do not update the appropriate internal stakeholders about purchases. While these applications may not affect the operations of the whole organization, without due diligence they still present vulnerabilities and have downstream implications.  

Performing an internal audit of any vendor purchases that may have slipped through the gaps is a good practice for building organizational resiliency. 

Collaborate with Vendors on Digital Supply Chain Resiliency 

As important as it is to boost your own cyber and supply chain resiliency, it can be moot if the vendors you’re dependent on are not making efforts on their side. 

As a customer, your procurement teams should collaborate with vendors to implement technologies such as hot patching, which allows organizations to enable patching without having to reboot the software. This means companies do not have to choose between implementing critical cybersecurity and staying online. Collaborating on other security protocols and procedures helps boost mutual resiliency. 

Learn more about Aravo’s Supply Chain Resilience capabilities and how our solutions help companies prepare for the future. 

Eric Hensley

Eric is responsible for technical delivery of Aravo’s product offerings, including Engineering, QA and Hosting Operations. He has over 15 years’ experience in the development and delivery of enterprise SaaS offerings with a special focus on supply chain management and intelligence solutions.

Before joining Aravo, Eric served as Sr. Director of Technical Operations at Instill Corporation, where he developed infrastructure and integration solutions for supply chain intelligence systems in the foodservice industry. Eric joined Instill in 2002 and was instrumental in the development and deployment of highly scalable SaaS solutions responsible for processing the majority of daily foodservice transactions in North America. Prior to that, Eric served as Director of Technical Operations at ShipServ Ltd., where he was responsible for the development and deployment of one of the earliest SaaS transactional business exchanges, focused on the maritime shipping industry. While at ShipServ, Eric led the development and adoption of MTML, an XML-based transactional document standard now widely deployed in the shipping industry.

Eric holds a BA in Astrophysics with a specialization in Computer Science from the University of California, Berkeley.

