The supply chain is once again coming to the headlines in the tech world – this time not because of a breach in a supply chain of a multi-national company – but because the Ministry of Defence (MoD) is upping its cyber security standards within its own supply chain.
What’s the headline? In order to contract with the MoD, you’ll need to meet a number of key cyber security standards that are outlined in the Cyber Security Model (CSM), which is based on the government scheme Cyber Essentials. Aimed at securing the supply chain and ensuring that all suppliers understand their cyber risks and how to fill in any gaps, the MoD’s CSM was originally introduced for top level MoD suppliers in 2014 but was extended to other organisations (with a focus on SMEs) in the supply chain in 2017.
You can read the original article here: MoD to Focus on SMEs to Raise Supply Chain Cyber Security.
We think it likely that following on from changes in policy by big organisations like the MoD, the industry will see a shift in focus where supply chain security comes under greater scrutiny.
At the 2018 Public Sector ICT Summit, Phil Blunden, part of the MoD’s Defence Cyber Protection Partnership (DCPP) said: “the cyber threats to the supply chain are real and the National Cyber Security Strategy recognises that”.
As we move through this article we’ll give an overview of the software supply chain and a history of supply chain security breaches before moving onto how developers, and software purchasers, can best protect the supply chain from the bottom up.
A History of Supply Chain Security Breaches
In 2013, US retail chain Target had a case of 40 million customers with compromised data, due to malware that had been introduced into POS systems at 1,800 of the retail giant’s stores. It was one of Target’s subcontractors that was hacked, but because they had access to Target’s network, the attack was able to move up the chain.
In 2017, UK retailer Debenhams suffered a similar supply chain breach, albeit to a lesser extent. The organisation’s online florist contractor, Ecomnova, suffered an attack which travelled up the chain. In the end this breach wasn’t identified for 7 weeks, during which time the personal data of 26,000 of Debenhams’ customers was compromised.
Gloucester council was fined £100,000 by the ICO in 2017 for a data breach that was caused by the failure to protect against an open source vulnerability in OpenSSL known as Heartbleed. Heartbleed was originally found and fixed in 2014, however it was still in the supply chain of software – a great example of why security needs to be taken seriously in all aspects of the supply chain!
There are five years and countless other supply chain breaches between these stories, so why does it appear that supply chain security isn’t being monitored as closely as it could and should be? One reason is that current penalties aren’t strict enough – of course that is all set to change with GDPR when fines of up to 4% of annual turnover will be introduced. (How could we write an article about cyber security without mentioning the ‘G’ word?)
Securing the Supply Chain: The Bottom up Approach
As is the nature of every supply chain, any link within that chain poses the potential for a security breach. If every organisation within that chain has robust cyber security measures put in place, securing their networks and endpoints and encrypting data then the risk is mitigated somewhat.
These traditional cyber security measures aren’t the only thing that suppliers in the chain can be doing to protect against security breaches. What is rarely talked about is the steps that can be taken to secure software and applications right from their very inception.
Securing software and applications from the code up can have a huge impact on the security of the supply chain and is especially important if the currency of a supply chain is software!
What steps can be taken to secure code from the start and start the supply chain off on the right foot? (This one is for the commercial software developers.)
- Make sure that your developers are trained up and following best practice when it comes to secure coding. There are tools out there that not only provide training on how to code securely, but also act as a security ‘spellcheck’ in real-time as developers are writing their code.
- If you frequently use Open Source code in your applications, consider taking part in the OpenChain Specification, a Linux Foundation project which outlines the industry best practices for managing an open source software supply chain with an objective of building trust. If you want to find out how well your company’s current processes conform with OpenChain, and where you can improve, Grey Matter are able to offer training.
- Give your software a health check for good measure. Once written, you can have your application or piece of software scanned to reveal any new vulnerabilities that have emerged since the time of coding. Once patched your product will then receive a seal of approval to show that you take cyber security seriously! This service can then be extended at regular intervals to ensure your product is always secure.
Organisations at all levels of the supply chain will start to look for evidence that the applications they are integrating into their systems are secure, and that best practice has been used in their creation and in consideration of the supply chain, especially with the looming threat of a huge GDPR fine.
What do you need to look out for in your own supply chain?
- Put pressure on your suppliers to produce evidence that they’ve put thought into the security of their software. Do they have a time-stamped bill of materials to show where the code in their software has come from and whether all vulnerability patches are up to date? Does that time-stamped bill of material come from an independent reviewer (it should)?
- Put pressure on suppliers to prove the security of their general business! This becomes more crucial the further up the supply chain you are. Do your suppliers have robust security measures in place to secure their endpoints, servers and networks? In the examples we’ve talked about, the reason big companies have faced breaches is the weak security practices of their suppliers.
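To make the "health check" for developers and the time-stamped bill of materials for purchasers concrete, here is an added example (not code from the original article or from Grey Matter) in Python. It reads a constructed, CycloneDX-like bill of materials, flags any component that falls inside a known-affected version range, and flags a BOM that is stale or carries no independent reviewer. The SBOM layout, the `reviewer` field and the advisory id are assumptions; the OpenSSL 1.0.1 to 1.0.1f range is the publicly documented Heartbleed range.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample bill of materials (CycloneDX-like shape, not a real supplier's document).
SBOM_JSON = """
{
  "metadata": {"timestamp": "2018-03-01T09:00:00Z", "reviewer": "independent-lab-example"},
  "components": [
    {"name": "openssl", "version": "1.0.1e"},
    {"name": "zlib", "version": "1.2.11"},
    {"name": "openssl", "version": "1.0.2n"}
  ]
}
"""

# Constructed advisory list: inclusive affected ranges. The advisory id is a placeholder;
# the OpenSSL 1.0.1..1.0.1f range is the publicly documented Heartbleed range.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1 (Heartbleed)", "name": "openssl", "min": "1.0.1", "max": "1.0.1f"},
]

def version_key(v):
    """Turn '1.0.1f' into ((1, 0, 1), 'f') so OpenSSL-style letter suffixes compare correctly."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", v)
    if not m:
        raise ValueError(f"unsupported version string: {v}")
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2)

def affected(name, version, adv):
    """True when the component name matches and its version lies inside the advisory range."""
    if name != adv["name"]:
        return False
    return version_key(adv["min"]) <= version_key(version) <= version_key(adv["max"])

def check_sbom(sbom_json, advisories, as_of, max_age_days=90):
    """Return findings for a BOM as of an ISO date: staleness, missing reviewer, affected components."""
    sbom = json.loads(sbom_json)
    now = datetime.fromisoformat(as_of).replace(tzinfo=timezone.utc)
    ts = datetime.fromisoformat(sbom["metadata"]["timestamp"].replace("Z", "+00:00"))
    findings = []
    if now - ts > timedelta(days=max_age_days):
        findings.append(f"stale bill of materials: dated {ts.date()}")
    if not sbom["metadata"].get("reviewer"):
        findings.append("no independent reviewer recorded")
    for comp in sbom["components"]:
        for adv in advisories:
            if affected(comp["name"], comp["version"], adv):
                findings.append(f"{comp['name']} {comp['version']} affected by {adv['id']}")
    return findings

if __name__ == "__main__":
    for finding in check_sbom(SBOM_JSON, ADVISORIES, "2018-06-15"):
        print("FINDING:", finding)
```

In a real review the advisory list would be fed from a vulnerability database and the BOM would come from the supplier's independent reviewer; the checks themselves stay the same.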
The news that the MoD is taking steps to further secure its supply chain, and in turn that of its own suppliers which include SMEs and infrastructure providers, could spell a general shift in attitude to supply chain security. This shift will have to place the focus on those at the bottom of that supply chain – the commercial software vendors.
If software and application development can begin and end with cyber security in mind, with secure coding practices and the regular monitoring and patching of new vulnerabilities, this will go a long way in securing the supply chain.
Of course the general cyber security of each provider is still paramount – one breach in a supplier’s network and the whole upward chain can be affected.
To find out more about the tools available for commercial software vendors to secure applications from the code up, and cyber security tools for organisations in general, get in touch with Grey Matter on (+44) 1364 654100 or firstname.lastname@example.org!