Chapter 1. Supply Chain Security
When you purchase something, the product you purchase usually has had a long journey from its original idea to the moment of delivery, as shown in Figure 1-1. You may recognize that the supply chain involves many participants in the item’s journey, but you may not realize how many opportunities exist for something to happen as that item moves along the path. Supply chain security has been part of our existence for thousands of years, such as when spices were carried from East to West, when ships moved goods between continents during colonization, or when military troops transported food and weapons during world wars. In all those situations, people prepared for attacks and defended their supplies so the items could make it to their intended destination.
After all this time, supply chain attacks have evolved and defense mechanisms must adapt to these changes. These attacks can be on individual products, as was the case when seven people were murdered in 1982 from poisoned Tylenol medicine capsules.1 The follow-on regulations mandating tamper-evident packaging for medicine, food, and drinks in the United States has been repeated throughout the world. Organizations have taken great care in defending their logistics from distribution attacks, but now the attackers have moved earlier in the supply chain by attacking the design, development, and manufacturing processes or by attacking an organization’s operations through ransomware attacks, data breaches, and theft of intellectual property. Regardless of the method of attack, when an organization cannot distribute products or services to customers, the supply chain is disrupted. Supply chain attacks have now become global, general-interest media stories after the ransomware attack on Colonial Pipeline disrupted travel and shipping in the eastern US for several days.2 The impact that ransomware and other malicious attacks have on the supply chains of our products and services every day leads me to the reason for writing this book on supply chain security for software, firmware, and hardware.
The goal of this chapter is to provide you with a foundation to build upon as you read the rest of the book. I start with defining common supply chain concepts so you have an understanding of the terminology that I use throughout the book. I then describe the impacts of supply chain security on organizations and finish by referencing the many worldwide regulations, laws, and guidelines that focus on supply chain security.
Supply Chain Definitions
When I speak with people about supply chain security, they often do not recognize themselves as part of a supply chain because they think it’s only about suppliers or manufacturing. If your organization provides products or services to others, your organization is part of the supply chain. To provide clarity, the following are definitions for the core terminology that I will be using throughout this book:
- Supply chain
-
The people, processes, materials, and technologies used in the creation, production, and distribution of physical or digital products. Thousands of individuals, hundreds of components, and dozens of organizations may be part of the supply chain to create, produce, and deliver a single product (physical or nonphysical), such as a mobile phone or a mobile phone application.
- Supply chain risk
-
“The risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of an item of supply or a system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of a system.”3 This definition demonstrates the many opportunities to introduce risk to a product’s lifecycle and will be discussed throughout this book.
- Supply chain risk management (SCRM)
-
“A systematic process for managing supply chain risk by identifying susceptibilities, vulnerabilities, and threats throughout the supply chain and developing mitigation strategies to combat those threats whether presented by the supplier, the supplied product and its subelements, or the supply chain (e.g., initial production, packaging, handling, storage, transport, mission operation, and disposal).”4 The security controls provided in this book should be part of your organization’s supply chain risk management program.
- Software supply chain
-
The people, processes, software libraries, software or firmware components, as well as technologies used in the creation, development, publication, production, and distribution of digital products, including intelligent physical products such as Internet of Things (IoT), Industrial IoT (IIoT), and operational technology (OT).5 The primary difference to general supply chain security is the software or firmware development and distribution processes.
- Software supply chain security
-
A systematic process for managing software supply chain risk by identifying susceptibilities, vulnerabilities, and threats throughout the software supply chain and developing mitigation strategies to combat those threats, whether presented by the supplier, software libraries, software or firmware components, the supplied product and its subelements, or the supply chain (e.g., initial production, packaging, handling, storage, transport, mission operation, and disposal). The primary addition to the supply chain risk management definition is the risk of software or firmware compromise.
- Third-party risk
-
A risk from external sources such as suppliers, organizations, groups, or individuals in your supply chain, infrastructure, systems, or processes. This can include commercial engagements where you purchase items, or free and open source software (FOSS) and tools.6
Several of the previous definitions come from the National Institute of Standards and Technology (NIST), which has an extensive glossary in its Computer Security Resource Center (CSRC).7 Although NIST is a US agency in the Department of Commerce, its mission is to advance measurement science, standards, and technology, which benefits a global. Many of the references and publications mentioned in this book come from NIST and its collaboration with industry, other organizations, and people. I have personally collaborated with NIST on several of the software supply chain topics discussed in this book.
Software Supply Chain Security Impacts
When I describe supply chain security to people, I always hold up my cell phone and explain to them there were hundreds, maybe thousands, of opportunities for a malicious actor to compromise the phone before I purchased it from the store. As shown in Figure 1-2, the phone is made up of hardware, firmware, and software, and anyone who created my phone or came in contact with it could have put a compromised chip or software into it. I trust my cell phone manufacturer and the operating system publisher, but imagine if malicious software (malware) went unnoticed and millions of phones were impacted before it was discovered. This compromise in the supply chain would be detrimental not only to the company but also to millions of customers. A severe enough event could destroy a company of almost any size.
Now imagine that your organization was one of the upstream suppliers that wrote the operating system software, or designed the Bluetooth antenna hardware chip, or assembled the phone’s components. As a supplier to the cell phone manufacturer, your organization may be found at fault if you don’t have strong supply chain security. It could result in a severe financial impact to the organization and its employees, possibly leading to the organization’s closure.
You may be on the other end of the supply chain as a downstream customer who purchased thousands of these cell phones for your organization. Were you familiar enough with software supply chain security to have evaluated the manufacturer, set internal policies as to how your employees used the cell phones, and monitored the software security for potential compromises? Understanding the risks of software supply chain security will allow you to prepare yourself and your organization for when, not if, the supply chain will be compromised.
When the infamous software compromise affected the SolarWinds Orion platform (a widely used IP network management tool), it raised awareness of software supply chain security, just as the Colonial Pipeline event previously raised awareness of supply chain security. Technical details on the SolarWinds attack will be discussed in Chapter 5, but in summary, the supply chain compromise began in October 2019 and remained undetected until December 2020, by then placing 18,000 customers at risk, with Microsoft confirming 40 customers were breached, including a number of US government agencies.8,9 The SolarWinds organization settled a $26 million lawsuit with its investors due to the financial losses stemming from the supply chain attack.10 This loss does not include the millions spent by SolarWinds and its customers on incident response, threat investigations, downtime, remediations, and loss of revenue when customers’ systems were unavailable.
Third-party risks from commercially purchased or open source software libraries can also cause significant impacts worldwide. Two software vulnerabilities (security weaknesses that can be exploited by a malicious actor or software) announced in December 2021 in the Apache Log4j logging framework can be found in hundreds of thousands of open source packages, according to an article published by SC Media.11 The math indicates there are millions of applications using the Log4j open source libraries, and many of these applications have not yet upgraded the software libraries to a version where the vulnerabilities have been patched. In the SC Media article, the author, Menghan Xiao, noted cost estimates to locate Log4j vulnerabilities range between $33,000 and $90,000. Multiplied by millions of applications, the financial impact is quite high, especially since this does not yet include any breach or legal costs for applications that do not patch Log4j. A user may not even be aware these vulnerabilities exist in their software applications if the software publisher has not disclosed (announced) the vulnerabilities or provided a list of software components using a software bill of materials (SBOM), as I will discuss in Chapter 8.
Impacts to an organization from supply chain attacks may result in reputational damage, loss of customer confidence, lawsuits, government penalties, and a reduction of future business after the event. An attack also can cause disruptions or downtime to an organization’s business operations, which could cause loss of revenue. If something doesn’t work, it can’t make money. Also, as a result of the attack, there will need to be incident response, threat investigations, and remediations, which take up time and use resources. Software supply chain security attacks affect not only the company and its direct customers but also those at the nth degree of separation.
Requirements, Laws, Regulations, and Directives
The risks and impacts to users, organizations, national infrastructure, and global economies have triggered governments around the world to release requirements, laws, regulations, directives, and guidance for organizations to follow in regard to software supply chain security. Many of these requirements pertain to third-party risk, supply chain risk management, and software development. Table 1-1 contains a summary of supply chain security references in worldwide laws, regulations, guidance, and directives at the time of this book’s publication. The documents referenced in this table are the basis for the software supply chain risks and controls throughout this book.
Location | Document | Supply chain security mentions | ||
---|---|---|---|---|
Australia | Guidance: Cyber Supply Chain Risk Managementa | |||
Australia | Guidance: Identifying Cyber Supply Chain Risksb |
|
||
Australia | Critical Technology Supply Chain Principlesc |
|
||
Australia | Security of Critical Infrastructure Act 2018d |
|
||
China | GB/T 36637—2018 (Information Security Technology ICT Supply Chain Security Risk Management Guidelines)e | |||
China | New Measures for Cybersecurity Reviewf |
|
||
China | National Standard on Information Security Technology Software Supply Chain Security Requirements (proposed)g |
|
||
EU | GDPR: General Data Protection Regulationh | |||
EU | Cybersecurity Acti |
|
||
EU | Cyber Resilience Actj |
|
||
EU | Council conclusions on ICT supply chain securityk |
|
||
EU | Network and Information Systems Directive 2 (NIS2)l |
|
||
EU | Chips Act (proposed)m |
|
||
Ireland | Electronic Communications Security Measures (ECSM) 009: Supply Chain Securityn | |||
New Zealand | NCSC Cyber Security Frameworko | |||
New Zealand | Supply Chain Cyber Securityp |
|
||
United Kingdom | Supply Chain Security Guidanceq | |||
UK | Supplier Assurance Framework: Good Practice Guider |
|
||
UK | Secure development and deployment guidances | |||
UK | Supply Chain Guidancet |
|
||
UK | How to Assess and Gain Confidence in Your Supply Chain Cybersecurityu |
|
||
US | NIST Cybersecurity Framework (CSF): Framework for Improving Critical Infrastructure Cybersecurityv | |||
US | NIST SP 800-53: Security and Privacy Controls for Information Systems and Organizationsw |
|
||
US | Executive Order 14017: America’s Supply Chainsx |
|
||
US | Executive Order 14028: Improving the Nation’s Cybersecurityy |
|
||
US | The Minimum Elements for a Software Bill of Materials (SBOM)z | |||
US | Memo M-22-18: Enhancing the Security of the Software Supply Chain through Secure Software Development Practicesaa |
|
||
US | NIST SP 800-161: Cybersecurity Supply Chain Risk Management for Systems and Organizationsab |
|
||
US | NIST SP 800-218: Secure Software Development Framework (SSDF)ac | |||
US | Chips and Science Actad |
|
||
US | National Cybersecurity Strategyae |
|
||
US | Food and Drug Administration (FDA)—Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissionsaf |
|
||
a “Cyber Supply Chain Risk Management”, Australian Cyber Security Centre, May 22, 2023. b “Identifying Cyber Supply Chain Risks”, Australian Cyber Security Centre, May 22, 2023. c Commonwealth of Australia, Critical Technology Supply Chain Principles, 2021. d “Security of Critical Infrastructure Act 2018”, Australian Government, May 2, 2022. e “国家标准”, National Standardization Management Committee, March 9, 2022. f “网络安全审查办法_信息产业(含电信)_中国政府网”, Gov.cn, accessed December 7, 2023. g “全国信息安全标准化技术委员会”, Org.cn, accessed December 7, 2023. h “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016”, EUR-Lex, accessed December 16, 2023. i “Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019”, EUR-Lex, accessed December 16, 2023. j The European Parliament and Council, Proposal for a Regulation of the European Parliament and of the Council on Horizontal Cybersecurity Requirements for Products with Digital Elements and Amending Regulation (EU) 2019/1020, September 15, 2022. k “Council Conclusions on ICT Supply Chain Security”, Council of the European Union, October 17, 2022. l “Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022”, EUR-Lex, accessed December 16, 2023. m “European Chips Act”, European Commission, April 18, 2023. n Government of Ireland, Electronic Communications Security Measures 009—Supply Chain Security, 2021. o “NCSC Cyber Security Framework”, National Cyber Security Centre of New Zealand, accessed December 7, 2023. p National Cyber Security Centre of New Zealand, Supply Chain Cyber Security. In Safe Hands, accessed December 7, 2023. q “Supply Chain Security Guidance”, UK National Cyber Security Centre, January 28, 2018. r Cabinet Office, Supplier Assurance Framework: Good Practice Guide, version 1.1, May 2018. s UK National Cyber Security Centre, “Secure Development and Deployment Guidance”, November 22, 2018. t “Supply Chain Guidance”, National Protective Security Authority, April 21, 2022. u “How to Assess and Gain Confidence in Your Supply Chain Cyber Security”, UK National Cyber Security Centre, October 12, 2022. v National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, version 1.1, April 16, 2018. w Joint Task Force Interagency Working Group, NIST 800-53: Security and Privacy Controls for Information Systems and Organizations, National Institute of Standards and Technology, September 2020. x “Executive Order on America’s Supply Chains”, The White House, February 24, 2021. y “Executive Order on Improving the Nation’s Cybersecurity”, The White House, February 24, 2021. z US Department of Commerce, The Minimum Elements for a Software Bill of Materials (SBOM), July 12, 2021. aa Shalanda D. Young, “Memo M-22-18: Enhancing the Security of the Software Supply Chain through Secure Software Development Practices”, Executive Office of the President, Office of Management and Budget, September 14, 2022. ab Jon M. Boyens, Angela Smith, Nadya Barol, Kris Winkler, Alex Holbrook, and Matthew Fallon, NIST SP 800-161 Rev. 1: Cybersecurity Supply Chain Risk Management for Systems and Organizations, National Institute of Standards and Technology, May 2022. ac Murugiah Souppaya, Karen Scarfone, and Donna Dodson, NIST SP 800-218: Secure Software Development Framework (SSDF) Version 1.1, National Institute of Standards and Technology, February 2022. ad “H.R.4346—Chips and Science Act: 117th Congress (2021–2022)”, Congress.gov, August 9, 2022. ae The White House, National Cybersecurity Strategy, March 1, 2023. af US Food & Drug Administration, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions: Guidance for Industry and Food and Drug Administration Staff, September 27, 2023. |
Countries also have certain requirements and regulatory oversight such as the US Food and Drug Administration, as referenced in the previous table, the US Federal Risk and Authorization Management Program (FedRAMP), which we’ll mention in Chapter 8, and the Federal Energy Regulatory Commission (FERC). We can expect there to be more requirements and laws as supply chain security risks increase globally.
You should leverage customers, industry associations, and peer networks to maintain awareness of new supply chain requirements, standards, laws, directives, guidance, and regulations. Industry groups, such as technology alliances, may have sector-specific supply chain guidance, as seen in the North American Electric Reliability Corporation’s (NERC) Supply Chain Risk Management Program.12
Summary
Supply chain security is an age-old topic, but it has received significant attention over the past few years as malicious actors have taken advantage of vulnerabilities, suppliers, open source, and supply chains. New concepts, such as software having its own supply chain, raise the importance of understanding how supply chains work for physical and digital products. Software supply chains are being attacked daily by malicious actors, thus leading to business impacts such as data loss, operational downtime, lost revenue, decreased customer trust, and potential violation of regulations or laws. It is vital that organizations understand and comply with global supply chain security laws and regulations before implementing the frameworks, standards, or models that I’ll introduce in Chapter 2.
1 Marcia Wendorf, “Tamper-Resistant Packaging Began in 1982 with 7 Still Unsolved Murders”, Interesting Engineering, December 16, 2019.
2 Katie Balevic, “Colonial Pipeline Ransomware Attack Fuels Gas Price Fears after Russian ‘DarkSide’ Hack Halts Pipeline Between TX and NJ”, The Sun, May 10, 2021.
3 “Supply Chain Risk”, NIST, accessed December 7, 2023.
4 “Supply Chain Risk Management (SCRM)”, NIST, accessed December 7, 2023.
5 Firmware is software permanently programmed into hardware, and then the firmware can instruct the hardware to perform functions. Firmware is also known as embedded software, though historically firmware was for lower-level functions and embedded software was for higher-level functions.
6 Free and Open Source Software (FOSS), which includes open software libraries and source code packages (a collection of binaries, scripts, and data), is free to use, copy, study, and change according to its software license. Popular examples of FOSS are the Linux operating system, MySQL database, OpenSSL secure communication package, and Log4j logging framework.
7 “Computer Security Resource Center”, NIST, accessed December 7, 2023.
8 Pam Baker, “The SolarWinds Hack Timeline: Who Knew What, and When?” CSO, June 4, 2021.
9 Catalin Cimpanu, “Microsoft Confirms It Was Also Breached in Recent SolarWinds Supply Chain Hack”, ZDNET, December 17, 2020.
10 Eduard Kovacs, “SolarWinds Agrees to Pay $26 Million to Settle Shareholder Lawsuit over Data Breach”, Security Week, November 7, 2022.
11 Menghan Xiao, “Digging into the Numbers One Year after Log4Shell”, SC Media, December 16, 2022.
12 “Supply Chain Risk Mitigation Program”, North American Electric Reliability Corporation, accessed December 7, 2023.
Get Software Supply Chain Security now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.