The Cybersecurity & Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) jointly published a new resource as part of their ongoing efforts to promote awareness of, and help organizations defend against, supply chain risks. The publication, Defending Against Software Supply Chain Attacks, provides recommendations for software customers and vendors as well as key steps for prevention, mitigation and resilience of software supply chain attacks.

Software supply chain attacks occur when a cyber threat actor infiltrates a software vendor’s network and employs malicious code to compromise the software before the vendor sends it to their customers. A software supply chain attack can occur at any phase of the supply chain, including design, development and production, distribution, acquisition and deployment, maintenance, and disposal. The risk is significant because virtually every organization relies on multiple external software vendors to provide services and products to manage the organization’s business operations (e.g., financial, human resources, data analytics, logistics, manufacturing, healthcare, and information technology software and code). Given the prevalence of supply chain cyber attacks, with the well-publicized compromise of Solar Winds and its widespread impact being the most recent example, organizations should take heed of the critically important and practical guidance for protecting their software supply chains contained in the resource.

We have previously written about supply chain risk applicable to Internet of Things (IoT) devices, including recent legislative initiatives to develop standards for government contractors and systems. In this context, the NIST cautions specifically about malicious or vulnerable software that can make its way into information and communications technology (ICT) products and services through the retailers, distributors, vendors, and suppliers that participate in their sale, delivery, and production.

The resource highlights three common, and not mutually exclusive, software supply chain attack techniques:

• Hijacking Updates: where a malicious actor inserts malware into a routine software update by infiltrating a vendor’s network.

• Undermining Codesigning: where a malicious actor inserts malicious code into an update by impersonating a trusted vendor.

• Compromising Open-Source Code: where a malicious actor inserts code into a publicly accessible “open-source” code library, which may then be unintentionally incorporated by software developers into products sold to consumer organizations. Recent vulnerabilities found in publicly available DNS code highlights this method of attack.

Organizations are vulnerable to software supply chain attacks through common products such as, antivirus, IT management and remote access software, all of which typically require frequent communication with the software vendor for updates. For example, the December 2020 SolarWinds hack involved a software supply chain attack on an IT management tool, SolarWinds’ Orion platform, in which a foreign threat actor inserted a “backdoor” into routine software updates, which allowed the threat actor to gain access to numerous government and private sector networks.  Once a malicious actor has gained access to an organization’s network through a software supply chain attack, follow-on actions can include data or financial theft, eavesdropping on sensitive communications and business plans, and disabling networks or systems.

In Defending Against Software Supply Chain Attacks, the NIST provides recommendations to organizations acquiring software or other ICT products and services. To start, the NIST recommends establishing a formal, organization-wide cyber supply chain risk management (C-SCRM) program to ensure that supply chain risk receives attention across the organization, including from executives and managers within operations and personnel across supporting roles. An effective supply chain risk management program can mitigate risk through, among other things, establishing security requirements or controls for software and ICT product suppliers, assessing supplier certifications and component inventory, and ensuring that vendors enforce supply chain security requirements, including through contracts and other safeguards.

In addition to preventative C-SCRM programs, the NIST recommends that organizations develop and implement a vulnerability management program to scan for, identify, triage, and mitigate existing software vulnerabilities. An appropriate vulnerability management program enables an organization to conduct security impact analyses, implement manufacturer-provided guidelines to harden software, operating systems, and firmware, and maintain information system component inventory.

The NIST also recommends that organizations use resilience measures where threat actors have successfully exploited vulnerable software. These include pre-identifying alternative software suppliers, and identifying and establishing failover processes in the event of a compromise.

Organizations subject to regulatory standards to protect personal, health and other sensitive information (e.g., Gramm-Leach Bliley, HIPAA, NY SHIELD Act, California Civil Code §1781.5, Massachusetts data protection regulation, Illinois Personal Information Protection Act and Biometric Information Protection Act) are already required to use reasonable safeguards to secure protected information in their supply chains. It is critical, however, that all organizations plan for the cybersecurity of their software and ICT products and services and take reasonable steps to ensure that C-SCRM procedures are in place, and that vulnerabilities are addressed in a timely manner consistent with risk.

Defending Against Software Supply Chain Attacks provides helpful guidance for organizations in taking steps to secure their systems against software supply chain attacks that can compromise protected information. These measures include:

• Developing a written program to address software supply chain risk, including as required under applicable data protection statutes and regulations.

• Inventorying organizational reliance on external software and code across all operational departments.

• Assessing risk from these vendors and adopting appropriate contractual and other safeguards.

• Coordinating efforts across management, IT, personnel, compliance, product development and operational departments.

• Monitoring the threats and vulnerabilities to the software supply chain, including through technical measures and threat analysis, on an ongoing basis.