The Risk Story – Software Supply Chain Security

Introduction

In a recent discussion in Sentosa, Singapore, Jane Low had the privilege of speaking with KC Crosley, the Vice President for Supply Chain Security at Schneider Electric, regarding the critical topic of software supply chain security. With a strong background in software development and cybersecurity, Crosley shared insights drawn from his experience and his new book focused on supply chain risks.

Motivation Behind the Book

Crosley's motivation to write about software supply chain security stems from his long career as a developer, where he led numerous projects across research and development (R&D) and IT. He recognized the significant gaps and risks inherent in the software supply chain well before the notorious SolarWinds attack highlighted these vulnerabilities on a larger scale. His previous work included contributing a chapter to a digital book on supply chain security, igniting his passion for addressing these issues.

Operational Technology and Supply Chain Risks

During their conversation, the focus turned to operational technology (OT) cybersecurity, particularly regarding hardware and firmware vulnerabilities. Crosley emphasized that both software and firmware are integral components of operational technology, highlighting risks from various stages including design, development, testing, and manufacturing. Cybersecurity threats can arise deliberately through malicious actions or inadvertently through accidental errors, creating numerous vulnerabilities from the "chipset" level all the way to final product deployment.

He noted the importance of security being "by design" and "by default," while also acknowledging the challenges faced in OT environments. Factors such as competitive market pressures can lead to rushed product releases, which impede comprehensive security testing.

Crosley drew attention to the differences between traditional IT cybersecurity practices and those applicable to OT. For instance, approaches like multi-factor authentication (MFA) are not only impractical but can also jeopardize safety in OT systems. He emphasized the need for tailored security measures that recognize the unique requirements and constraints of OT environments.

The Challenge of SBOMs

A significant topic Crosley discussed was Software Bills of Materials (SBOMs), which help in identifying the software components and their vulnerabilities within a software supply chain. While creating and scanning SBOMs has improved, many OT products use legacy systems that complicate the process. The accuracy of SBOMs can vary significantly from product to product, with some achieving only 15% accuracy due to proprietary elements that scanning tools do not capture.

Moreover, the challenge is compounded when considering transitive dependencies—libraries or components that may be dependent on other libraries. Ensuring transparency and accuracy across entire supply chain networks continues to be a critical challenge, particularly across multiple generations of product development.
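The two SBOM problems raised above, components that a scanner cannot identify and dependencies that are only reached transitively, are easiest to see on a concrete document. The following is an added example, not code from the interview or from Schneider Electric: it loads a small SBOM constructed in the shape of a CycloneDX JSON file (a `components` list keyed by `bom-ref`, a `dependencies` graph of `ref`/`dependsOn` entries, and `purl` identifiers), walks the transitive dependency graph from the product's root component, and reports how much of the reachable tree a vulnerability scanner could actually match against advisories. All component names, versions and the "coverage" metric are made up for illustration; the coverage figure is a constructed stand-in for the accuracy percentages discussed in the text.

```python
import json
from collections import deque

# Constructed sample in the shape of a CycloneDX JSON SBOM. Every name and
# version here is invented; only the document layout follows the CycloneDX shape.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "pkg:generic/plc-firmware@3.2.0",
                               "name": "plc-firmware", "version": "3.2.0"}},
    "components": [
        {"bom-ref": "pkg:generic/rtos-kernel@7.1", "name": "rtos-kernel",
         "version": "7.1", "purl": "pkg:generic/rtos-kernel@7.1"},
        {"bom-ref": "lib-tls", "name": "embedded-tls", "version": "2.3.4",
         "purl": "pkg:generic/embedded-tls@2.3.4"},
        # No version and no purl: a scanner has nothing to match on.
        {"bom-ref": "lib-crypto", "name": "crypto-primitives"},
        # Proprietary vendor blob with no identifier at all.
        {"bom-ref": "vendor-blob", "name": "proprietary-modbus-stack"},
        {"bom-ref": "lib-log", "name": "tiny-logger", "version": "0.9",
         "purl": "pkg:generic/tiny-logger@0.9"},
        # Listed in the SBOM but never referenced by the dependency graph.
        {"bom-ref": "orphan", "name": "unused-lib", "version": "1.0",
         "purl": "pkg:generic/unused-lib@1.0"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/plc-firmware@3.2.0",
         "dependsOn": ["pkg:generic/rtos-kernel@7.1", "lib-tls", "vendor-blob"]},
        {"ref": "lib-tls", "dependsOn": ["lib-crypto", "lib-log"]},
        {"ref": "lib-crypto", "dependsOn": ["lib-log"]},
        {"ref": "lib-log", "dependsOn": ["lib-tls"]},  # a cycle; the walk must terminate
    ],
})


def load_graph(sbom_json):
    """Return (root bom-ref, components by bom-ref, adjacency list) from an SBOM string."""
    sbom = json.loads(sbom_json)
    components = {c["bom-ref"]: c for c in sbom.get("components", [])}
    root = sbom["metadata"]["component"]
    components[root["bom-ref"]] = root
    edges = {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}
    return root["bom-ref"], components, edges


def transitive_closure(root_ref, edges):
    """Breadth-first walk from the root; the returned dict maps each reachable
    bom-ref to its depth. The visited check also breaks dependency cycles."""
    depth = {root_ref: 0}
    queue = deque([root_ref])
    while queue:
        ref = queue.popleft()
        for child in edges.get(ref, []):
            if child not in depth:
                depth[child] = depth[ref] + 1
                queue.append(child)
    return depth


def is_scannable(component):
    """A scanner can only match a component to advisories if it carries a purl,
    or at minimum a version it can pair with the name."""
    return bool(component.get("purl")) or bool(component.get("version"))


def assess(sbom_json):
    """Summarise how much of the transitive dependency tree is identifiable."""
    root_ref, components, edges = load_graph(sbom_json)
    depth = transitive_closure(root_ref, edges)
    reachable = [ref for ref in depth if ref != root_ref]
    scannable = [ref for ref in reachable if is_scannable(components.get(ref, {}))]
    return {
        "reachable": len(reachable),
        # Constructed metric: share of reachable components a scanner could identify.
        "coverage": len(scannable) / len(reachable) if reachable else 0.0,
        "unscannable": sorted(ref for ref in reachable if ref not in scannable),
        "max_depth": max(depth.values()),
        # Components declared but never reached from the product: stale SBOM entries.
        "unreferenced": sorted(ref for ref in components if ref not in depth),
        # Dependency refs with no matching component entry: broken SBOM.
        "dangling": sorted(ref for ref in depth if ref not in components),
    }


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_SBOM), indent=2))
```

Run as-is, the report shows five reachable components of which three are scannable (60% coverage), two unidentifiable ones (`lib-crypto`, `vendor-blob`), a maximum transitive depth of two, one orphaned entry, and no dangling references. The `dangling` and `unreferenced` lists are the checks worth automating in a supplier intake process: the first means the SBOM's dependency graph points at components it never describes, the second means the inventory contains material the product does not actually use, and both erode the accuracy figure before any scanner is involved.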

AI’s Role in Enhancing Security

Crosley also addressed how Artificial Intelligence (AI) could assist in managing software supply chain security. AI technologies are emerging to analyze large datasets, identify correlations among repositories, and provide intelligent code suggestions to developers. By employing AI, organizations can enhance their efficiency in software development and security management, potentially preempting cybersecurity threats before they become significant issues.

Fostering a Culture of Responsiveness

As their conversation drew to a close, Crosley urged organizations to be proactive in their partnerships with suppliers. He advised that enterprises should seek clarity in product security and advocate for enhanced vulnerability management practices. He noted that asking the right questions of suppliers can lead to significant improvements in product security practices.

Interestingly, he shared a personal success story where posing challenging questions to a supplier resulted in the creation of a new position focused on product security. This indicates a growing awareness and shift in organizational culture towards recognizing the critical nature of supply chain security.

Crosley underscored the value of collaboration among enterprises in addressing cybersecurity risks, viewing it as a "team sport." By facilitating open communication and demanding transparency, organizations can strengthen their cybersecurity posture and mitigate risks within their software supply chains.

Conclusion

The dialogue on software supply chain security is increasingly relevant in today’s interconnected environment. Addressing these complexities requires an integrated approach that encompasses technological advancements, best practices, and a well-informed corporate culture committed to security.


Keywords

software supply chain security, operational technology, cybersecurity, vulnerabilities, SBOM, AI in security, supplier partnerships, firmware security, risk management, proactive security measures, threat modeling, transitive dependencies


FAQ

Q1: What is software supply chain security?
A1: Software supply chain security involves protecting the software and its components through all phases of development and deployment, addressing vulnerabilities and threats that can arise from various sources.

Q2: Why are SBOMs important?
A2: Software Bills of Materials (SBOMs) are critical for identifying components within software, helping organizations assess the security of those components and manage known vulnerabilities.

Q3: How does operational technology differ from traditional IT when it comes to cybersecurity?
A3: Operational technology (OT) systems often face unique constraints and requirements, such as safety concerns and limited capabilities for measures like multi-factor authentication, necessitating tailored cybersecurity strategies.

Q4: Can AI help in supply chain security?
A4: Yes, AI can analyze large volumes of data to identify potential security vulnerabilities, automate threat detection, and provide intelligent suggestions to improve coding practices.

Q5: What should organizations ask their suppliers regarding security?
A5: Organizations should inquire about specific product security practices, vulnerability management processes, and request transparency about their supply chain to ensure better security outcomes.