Nick Cappi, PAS Global: What Scares Me the Most Isn’t a Big Single Technology Event Like SolarWinds

Supply chain security has stolen the spotlight from every other cybersecurity trend the past few months -- and for a good reason. The impact of the SolarWinds attack is still not fully known, and with the US now looking to take public action against the alleged Russian hackers, the stakes for the supply chain industry to avoid another mass cybersecurity incident have never been higher.

We spoke with Nick Cappi, VP Product Management and Technical Support at PAS Global, a leader in critical infrastructure and supply chain security, to discuss what the real threats are to the supply chain industry, what keeps him up at night, and how the government and its partners can defend themselves against supply chain attacks.


Supply chain security challenges are here to stay. But what makes the supply chain so difficult to secure?


What makes securing the supply chain difficult is the cascade effect of manufacturing in the overall process. Can you imagine how many companies and hands a technology passes through in the actual build of a solution? An easy example is software: each company doesn’t go out and reinvent the wheel as it relates to things like charts, reports, grids, mathematical analysis, encryption, etc. They purchase that code or library from other companies (usually multiple) and embed them into their overall solution, each with different security processes and controls. All it takes is one weakness or lapse in execution along this cascade of technology for things to be compromised. A weakness in a lower-level component (like a device library) can cross companies and industries without any of the companies downstream realizing they have now just been impacted. Everyone downstream in the process has also been impacted, and so on until you get to the final consumer.


What kind of supply chain security incident keeps you up at night? Do you think SolarWinds was a test for something larger scale?


What scares me the most isn’t a big single technology event like SolarWinds, it’s a lower-level stack technology like a universal library being compromised. Example: go to ICS CERT (https://search.us-cert.gov/) and in the search window type “HART DTM.” You will get back multiple results all dealing with a single vendor weakness generated by one library (CodeWrights GmbH HART Device DTM Vulnerability (Update C) | CISA).

That library was purchased and used by multiple companies:

  • ABB,
  • Berthold Technologies,
  • Emerson,
  • Endress+Hauser,
  • Honeywell,
  • Magnetrol, and
  • Pepperl+Fuchs

Each of those companies then sold their solutions to other companies who built process plants. Each of those process plants made raw materials and sold their products to other companies who combined the raw materials together. That process keeps happening until ultimately we, the consumer, end up with a bottle, medicine, car, beverage, household good, etc., that was built using something that has security weaknesses (luckily in this example it wasn’t compromised code).

Low-level stack compromises can cross vertical markets, geographic regions, and multiple manufacturers with ease. That scares me. Can you imagine if something like Microsoft .Net Framework was compromised? That impact would/could reach everyone in the globe.


OT and CI are known to be out of date in terms of technology. Is this a disadvantage or advantage when it comes to security?

I think the age of Operational Technology is a blessing and a curse. The advantage is typically the older the technology the more proprietary it was. The more proprietary it was, the less external technology could be used/leveraged. This is good from a supply chain standpoint. The disadvantage is security typically wasn’t considered in the older technology, so it has lots of internal weaknesses.


What should the government and its partners do to jump-start supply chain security?


The risk is too large for there not to be a group that’s providing oversight, guidance and audit capability (aka security governance). We need a minimum-security governance program that should be applied to all industries, which should include supply chain. Without a minimum-security governance program (including certification) we the consumer are at greater risk than necessary.


###