Last year, the United States saw a massive jump in the number of software supply chain attacks. Depending on which statistics you look at, the number increased by 300% or more [1] over 2020. In fact, many in the cybersecurity world call 2021 “the year of the software supply chain attack”. This is due in large part to the well-known SolarWinds nation-state attack, which impacted thousands of enterprises and government agencies.
The rise of the hybrid workforce and cloud migrations has thrust every large organization into the practice of software development. “All businesses have become software developers, and all have, therefore, become targets of nation-state attacks (software supply chain attacks).” [2]
What are Software Supply Chain Attacks?
A software supply chain attack occurs when threat actors break into a software vendor’s network and insert malicious code in the software before the vendor distributes it to its customers. In this manner, the actor can potentially infiltrate hundreds or thousands of networks.
“Hackers like software supply chain attacks because they only need to compromise one link in a long chain to smuggle malware everywhere. They can insert malicious code into software at several points during build, compilation, distribution and update.” [3]
There are several contributing factors to a business’s susceptibility to these attacks, including:
- faulty software updates
- unpatched software vulnerabilities
- weak links in the software supply chain
- use of open-source code
- loosely managed open-source software library repositories
Foresight and Prevention
The damage caused by software (or cyber) supply chain attacks can be severe, even deadly. Threat actors can attempt to perform data or financial theft or disable networks or systems, which can lead to disastrous consequences. Among the primary targets for these attacks are hospitals and healthcare providers.
Consider this: “The FBI says that infected software supply chain vendors included products used to manage industrial control system (ICS) assets in hospitals. Infections have been detected on devices running software used for controlling high-tech imaging devices such as X-ray and MRI machines.” [4]
This is frightening!
Organizations need to start preparing for these attacks as they will come in 2022. Their focus should be on heightened awareness, stricter policies, and preventative approaches to stopping these attacks before they impact the organization or its software supply chain. Many governmental and private organizations have recommendations and plans for implementing such a program. We have reviewed the recommendations from the National Institute of Standards and Technology, Department of Health and Human Services, Kaspersky, and Harvard Business Review and have produced our own C-SCRM (cyber supply chain risk management) strategic recommendations. They include the following:
- Closely collaborate with key suppliers and apply the same policies to them that your organization uses internally – SCRM is a collaborative process and should be done in conjunction with your close partners and vendors. A good practice is to secure contracts with suppliers and third-party partners to ensure they comply with your risk management plan and requirements.
- Employ threat modeling during software development to identify and assess application threats, attack surfaces and vulnerabilities throughout your software development projects. Once identified, your cyber security team can remediate these potential vulnerabilities early in the development lifecycle.
- Hire the right cybersecurity professionals – In addition to potentially hiring cybersecurity companies, also bring on your own highly skilled information systems security personnel (including security specialists, SOC analysts, cyber-trained analysts, and a proven and reliable incident response team).
- Require vendors to implement “hot patching” – Require your critical software vendors to apply security patches (code changes that fix a software vulnerability) on the fly, without shutting down or restarting the system or program in question, so that their systems stay up to date and secure. This accelerates the patching process and provides more immediate protection.
Software supply chain attacks are real and very threatening. This means that risk management teams must employ a holistic process across the organization that prepares for, anticipates, and remediates a broad range of potential supply chain attack events. As such, supply chain risk management is really an operational issue companywide with a risk management component built into it.
“One challenge for supply chain security practitioners is choosing which of the multitude of guidance documents and best practice frameworks to use when building a cyber supply chain risk management (C-SCRM) program. There is no touchstone in this arena; instead, we have shades and gradations of goodness and a plurality of approaches.” [5]
Regardless of which approach you take to shore up your cyber supply chain risk management operation, it is important that you start now, if you haven’t already. 2022 is sure to bring a wave of software supply chain attacks, and your software supply chain is at great risk.
[1] “Supply Chain Attacks Study: Identifying Primary Risk Areas”, Aqua, Jan. 2022.
[2] “Software Supply Chains and Enterprise IoT will be Big Attack Targets in 2022”, Forbes, Jan. 18, 2022.
[3] “Detection is better than cure: Seeing and preventing supply chain attacks”, Kaspersky, 2019.
[4] “FBI Warns of Healthcare Sector Supply Chain Attacks Involving ‘Kwampirs’ Malware”, CPO Magazine, Apr. 2020.
[5] “A blueprint for cyber supply chain risk management”, Security Magazine, Jan. 28, 2022.