By The Claroty Team | January 19, 2022

For the cybersecurity industry, 2021 may go down in history as the year of the software supply chain attack. We began the year still trying to understand the impact of the SolarWinds and Accellion attacks discovered in December 2020, only to see a subsequent flurry of similar attacks against software sold or distributed by vendors and organizations such as Kaseya, Microsoft and, most recently, the open-source Log4j library distributed by the Apache Software Foundation.

This surge has generated a lot of press coverage and analysis, including a report issued by the European Union Agency for Cybersecurity (ENISA) in July 2021 that forecasted software supply chain attacks in 2021 would increase fourfold compared to 2020, as cybercriminals shift to larger, cross-border targets. But these attacks are nothing new.

For years, threat actors have taken advantage of weak links in the supply chain as stepping-stones to infiltrate other organizations. We all remember the Target security breach nearly a decade ago, in which attackers used stolen credentials from an HVAC systems vendor to access Target’s network and move laterally until finally stealing the bank card data and personal information of millions of customers. A few years later, the NotPetya ransomware was another high-profile supply chain attack: it was seeded through a poisoned update to a Ukrainian accounting software product and went on to affect multinational corporations and cause an estimated $10 billion in damages. However, supply chain attacks that take advantage of the Apache Log4j vulnerabilities signal an even more damaging trend, a wave that is different in severity and priority. A vulnerability in a pervasive component like the Log4j Java logging library, which is bundled into countless products whose owners may not even know it is there, creates pathways for threat actors to compromise all types of cyber-physical systems (CPS) and connected assets and put our lives and livelihoods at risk.

In enterprise, industrial and healthcare environments, we increasingly depend on CPS that are interconnected. This will only accelerate as our reliance on online access to physical systems for greater automation, control, efficiency and convenience continues to grow. Consider operational technology (OT) equipment that supports critical manufacturing processes, building automation systems and medical imaging equipment, along with all the Internet of Things (IoT), Industrial IoT (IIoT) and Internet of Medical Things (IoMT) devices they connect to. In this ever-expanding universe of the Extended Internet of Things (XIoT), new attack vectors emerge because many of these systems were not designed to be interconnected, and the interfaces that now join them were never hardened for that purpose.

What you can do to manage risk

Supply chain cyber risk is complicated and spans the entire lifecycle of a product—design, manufacturing, distribution, deployment, maintenance, and disposal. The more protracted and complex the life cycle, the more opportunities for threat actors to exploit the product by targeting less secure elements in the chain. And because supply chains are often global and span multiple tiers of suppliers, the responsibility of security doesn’t rest with a single organization. Each tier must address risk accordingly in order to minimize threats to the software supply chain.

That’s why, when creating business continuity plans, executives need to look beyond their own company to also consider the security measures their immediate suppliers have in place and how they, in turn, manage and mitigate risk with their extended network of suppliers. These seven steps can help:

    1. Communication and assessment: Managing this critical risk starts with determining internal responsibility for procurement and verifying a partner’s process security. This requires legal teams to be involved, in addition to technology and line-of-business leaders across business units and geographies. Decision makers need threat intelligence related to supply chain attacks to make informed decisions about risks to the business. Secure procurement and data protection must be wrapped in effective communication with partners and internal stakeholders.
    2. Detailed visibility of all connected assets, including cyber-physical systems: Consider a dedicated cybersecurity solution that secures CPS of connected organizations. The Claroty Platform provides unmatched visibility and protection, continuously monitoring and detecting threats across industrial (OT/IIoT), healthcare (IoMT) and enterprise IoT assets. Simplifying management and enabling collaboration between IT and OT teams, the Platform connects to your organization’s existing security network, and connects to all access points with your supply chain partners, extending this visibility across all key parties.
    3. Threat intelligence and alerting vigilance: Keep up to date with the latest intelligence on emerging threats and triage new alerts promptly. Most recently, with respect to the Apache Log4j vulnerabilities, CISA, the FBI and the NSA, together with the cybersecurity agencies of the other Five Eyes nations (Australia, Canada, New Zealand and the U.K.), issued a joint advisory, "Mitigating Log4Shell and Other Log4j-Related Vulnerabilities," with concrete guidance on identifying assets that embed the library, patching or mitigating them, and hunting for signs of exploitation.
    4. Strengthened cybersecurity coalitions: Given the critical urgency of the current moment, many executives and board members have become attuned to operational concerns and more aware of why having the right cyber defense technology and processes in place is essential for ensuring availability, reliability, and safety. As a security leader, seize the moment to garner cross-functional buy-in for supporting present and future cybersecurity initiatives.
    5. Collaboration across the supply chain: Your supply chain is an integral part of your business ecosystem. As such, it needs to be an integrated part of your security ecosystem and protected with the same level of defenses. Cloud-based solutions simplify secure connectivity with key supply chain partners, and they can be patched, updated and extended centrally rather than site by site. But even if the transition to the cloud isn’t yet feasible within your industry due to regulatory requirements, you can still set benchmarks and share reports and insights into vulnerabilities and hygiene risk with your supply chain partners.
    6. Secure software development: If you are going to use third-party software components, it’s crucial to know exactly which components and versions you ship, to verify their integrity (checksums or signatures checked against the values the publisher provides), to scan them for known vulnerabilities, and to understand how each one is used so you can judge your exposure the moment a flaw like Log4j is disclosed. By formally integrating security best practices into your software development process, vendors and developers can substantially reduce supply chain risk.
    7. Software bill of materials (SBOM): One specific aspect of secure software development to uphold is the practice of keeping an SBOM, which is a detailed, machine-readable record of all components used to build a given piece of software. The July 2021 report from the U.S. Dept. of Commerce and NTIA, "The Minimum Elements for a Software Bill of Materials (SBOM)," lays out what should be seen as the minimum requirements for an SBOM: for each component, at least the supplier, name, version, unique identifiers and dependency relationships, plus who produced the SBOM and when, delivered in a machine-readable format such as SPDX or CycloneDX.
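Steps 6 and 7 only pay off when the SBOM is actually queried. As an added example (not code from the original post or from Claroty), the Python below parses a CycloneDX SBOM, flags every component whose version falls inside an affected range, and verifies that the bytes actually deployed match the hash the SBOM records for them, which is the check that turns a document into evidence. The SBOM, the artifact bytes and the affected range for log4j-core are constructed or assumed for illustration; the real first-affected and first-fixed versions come from the Apache and CISA advisories.

```python
"""Check a CycloneDX SBOM for affected components and verify artifact hashes.

Added example, not code from the original post or from Claroty.
The SBOM, the artifact bytes and the affected version range are constructed
for illustration; real ranges come from the vendor and CISA advisories.
"""
import hashlib
import json

# Constructed stand-in for the bytes of a deployed component (widget-1.0.jar).
WIDGET_JAR = b"constructed stand-in for the bytes of widget-1.0.jar"

# Constructed minimal CycloneDX SBOM. Only the fields the checks below need.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.0-beta9"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.17.1"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-api", "version": "2.14.1"},
        {"type": "library", "group": "com.example", "name": "widget",
         "version": "1.0",
         "hashes": [{"alg": "SHA-256",
                     "content": hashlib.sha256(WIDGET_JAR).hexdigest()}]},
    ],
})

# Assumed affected ranges: (group, name, first affected, first fixed).
# Illustrative only; take the real values from the advisory you are acting on.
AFFECTED = [
    ("org.apache.logging.log4j", "log4j-core", "2.0-beta9", "2.17.1"),
]


def parse_version(version):
    """Turn '2.14.1' or '2.0-beta9' into a tuple that compares correctly.

    Numeric parts compare numerically (2.9 < 2.14), and a pre-release suffix
    sorts before the final release of the same number (2.0-beta9 < 2.0.0).
    """
    release, _, pre = version.partition("-")
    nums = [int(p) for p in release.split(".") if p.isdigit()]
    nums = (nums + [0, 0, 0])[:3]            # pad to major.minor.patch
    tail = (0, pre) if pre else (1, "")      # pre-release < final release
    return (*nums, tail)


def load_components(sbom_json):
    """Parse an SBOM document and return its component list."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    return bom.get("components", [])


def find_affected(components, affected=AFFECTED):
    """Return 'group:name@version' for every component inside an affected range."""
    hits = []
    for comp in components:
        for group, name, first_bad, first_fixed in affected:
            if comp.get("group") != group or comp.get("name") != name:
                continue
            ver = parse_version(comp["version"])
            if parse_version(first_bad) <= ver < parse_version(first_fixed):
                hits.append(f"{group}:{name}@{comp['version']}")
    return hits


def verify_hashes(component, artifact):
    """Check artifact bytes against every hash the SBOM records for a component.

    A component with no recorded hash is reported as unverified (False):
    an SBOM you cannot tie to the bytes actually deployed proves little.
    """
    algorithms = {"SHA-256": hashlib.sha256, "SHA-512": hashlib.sha512,
                  "SHA-1": hashlib.sha1, "MD5": hashlib.md5}
    recorded = component.get("hashes", [])
    if not recorded:
        return False
    for entry in recorded:
        digest = algorithms.get(entry.get("alg"))
        if digest is None:
            return False                      # unknown algorithm: cannot verify
        if digest(artifact).hexdigest() != entry.get("content", "").lower():
            return False
    return True


if __name__ == "__main__":
    comps = load_components(SAMPLE_SBOM)
    for hit in find_affected(comps):
        print("affected:", hit)
    widget = next(c for c in comps if c["name"] == "widget")
    print("widget hash matches deployed bytes:", verify_hashes(widget, WIDGET_JAR))
```

Two design points matter in practice. Version comparison has to be semantic rather than string-based, or a pre-release such as 2.0-beta9 is mis-ordered and a 2.9 wrongly sorts after 2.14. And a component without a recorded hash is treated as unverified rather than as clean: the purpose of the hash is to bind the SBOM entry to the artifact actually running in your environment, so a missing hash is a gap to raise with the supplier, not a pass.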

Supply chain attacks are not new, but they are on the rise. And while XIoT is good for business, it also expands risk. Fortunately, there are steps you can take to mitigate risk and the timing is right to move fast.

To learn more about how Claroty can help you secure your enterprise environment across the extended internet of things (XIoT), request a demo.