Dark Reading | Commentary | Endpoint
6/29/2021
Emile Monette

Technology's Complexity and Opacity Threaten Critical Infrastructure Security

Addressing the complexity of modern distributed software development is one of the most important things we can do to decrease supply chain risk.

A lack of transparency and accountability is, without a doubt, the most substantial supply chain-specific security threat to the United States. It leads to underinformed end users and an inequitable distribution of risk in global technology value chains.

The opacity and complexity of technology and its supply chains contribute to an environment where actors in the value chain are incentivized (and permitted) to externalize the risk (and cost) of doing business.

The ultimate risk owner — the end-user consumer — is rarely in control of (and often unaware of) the decisions being made in the supply chain that affect their risk posture. After all, the consumer rarely knows what's in the technology they rely upon, so they have little hope of appropriately managing the risks of using it.

The frantic scramble that occurred after the recent SolarWinds cyber incident, as companies and governments rushed to understand the extent of the incident and where the compromised software was installed, is an example of how little knowledge we have of what goes into our technology.

And this isn't a new phenomenon.

When the federal government banned Kaspersky software in 2017, agencies and companies were forced to spend thousands of hours combing through their technology stacks seeking the offending code because they didn't have visibility into what was in the software they use.

Complexity in technology is only going to increase. As such, it's vital that end users can get more thorough information about what is (or isn't) in the technology they consume, and technology providers are held more accountable for the content of the technology they deliver to consumers.

Impacts on Critical Infrastructure

This brings me to a more widespread concern that was once again highlighted with the recent Colonial Pipeline ransomware attack: how supply chain threats impact critical infrastructure.

Many things have changed since 2013, when the Secretary of Defense and the Administrator of General Services published a joint DoD-GSA report about improving US cybersecurity. One of the more significant changes is that the sophistication, frequency, and volume of cyberattacks have increased.

As the report states:

"The federal government and its contractors, subcontractors, and suppliers at all tiers of the supply chain are under constant attack, targeted by increasingly sophisticated and well-funded adversaries seeking to steal, compromise, alter, or destroy sensitive information."

Nobody can deny that critical infrastructure is on that list of targets. As critical infrastructure owners and operators increasingly rely on networked operational technology and the software that makes it work, they increase their attack surface and their risk of an incident like Colonial Pipeline.

The DoD-GSA report also points out that:

"Offshore sourcing has demonstrated its merit as a means to reduce costs, and as a result, most technology is produced in a global supply chain. Movement of production outside the US has also increased government concerns about foreign ownership, control, manipulation, or influence over technology used in or connected to critical infrastructure."

The threats to the technology supply chain from "adversaries (foreign governments, militaries, intelligence services, and terrorist organizations) and those seeking to advance their own cause (hackers and criminal elements)" have introduced significant new risk to critical infrastructure owners and operators in particular, the report continues. 

Driving Transparency and Accountability

To the extent we increase transparency and accountability in technology supply chains, we enable better-informed consumers who will make better decisions and, as a result, will be better able to manage their risks.

The recent Biden administration Executive Order on Improving the Nation's Cybersecurity is by no means a panacea, but it does have the potential to drive increased transparency and accountability in software through requirements for testing and for providing a software bill of materials (SBOM).

In order to achieve the executive order's goals, SBOMs must provide enough detail to convey provenance, pedigree, and linkage that describes how the software is connected throughout the supply chain, along with attestations about steps in the production chain. 

To succeed, the government's implementation of the executive order must address the complexity of modern distributed software development and provide transparency into both the provenance of code and the associated testing performed at each life-cycle stage. Meeting that outcome requires greater transparency into the software development processes employed by all stakeholders.
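As an added illustration (not part of the original commentary, and not any vendor's or standard's code) of what provenance, linkage and attestation data in an SBOM let a consumer do: the constructed, simplified SBOMs below, loosely modelled on CycloneDX but not conformant to it, use invented product and supplier names. The functions flag components whose supplier or hash is missing, list unattested production steps, and answer the SolarWinds/Kaspersky-style question "which of our products contain component X, and through which dependency chain?" without combing through installed software.

```python
# Constructed sample data (no real products or vendors) in a simplified, CycloneDX-like
# shape: supplier+hash per component (provenance), "dependencies" (linkage), "attestations".
SBOMS = {
    "billing-portal": {
        "components": [
            {"ref": "portal@2.1", "supplier": "Acme", "sha256": "11aa"},
            {"ref": "netmon@5.0", "supplier": "ExampleVendor", "sha256": "22bb"},
            {"ref": "libparse@1.3", "supplier": "", "sha256": ""},
        ],
        "dependencies": {"portal@2.1": ["netmon@5.0"], "netmon@5.0": ["libparse@1.3"]},
        "attestations": ["source-review", "build", "sast"],
    },
    "hmi-console": {
        "components": [
            {"ref": "hmi@3.0", "supplier": "Acme", "sha256": "33cc"},
            {"ref": "libparse@1.3", "supplier": "ExampleOSS", "sha256": "44dd"},
        ],
        "dependencies": {"hmi@3.0": ["libparse@1.3"]},
        "attestations": ["build"],
    },
}


def provenance_gaps(sbom):
    # Refs with no supplier or no content hash: nobody can say who made it or verify it.
    return sorted(c["ref"] for c in sbom["components"]
                  if not c["supplier"] or not c["sha256"])


def missing_attestations(sbom, required=("source-review", "build", "sast")):
    # Production-chain steps the SBOM does not attest to.
    return sorted(set(required) - set(sbom["attestations"]))


def paths_to(sbom, name):
    # Every dependency path from a top-level component down to one with this name.
    deps = sbom["dependencies"]
    depended_on = {d for ds in deps.values() for d in ds}
    stack = [(c["ref"], [c["ref"]]) for c in sbom["components"]
             if c["ref"] not in depended_on]
    found = []
    while stack:
        ref, path = stack.pop()
        if ref.split("@")[0] == name:
            found.append(path)
        # skip refs already on the path so cyclic dependency data cannot loop
        stack += [(d, path + [d]) for d in deps.get(ref, []) if d not in path]
    return sorted(found)


def products_containing(sboms, name):
    # Which products include the component, and via which dependency chain.
    return {p: paths_to(s, name) for p, s in sboms.items() if paths_to(s, name)}
```

The same inventory query is what responders lacked in the incidents described above: with linkage recorded, a nested component such as libparse is located in every product in seconds, together with the chain that pulled it in.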

Emile Monette is the Director of Value Chain Security at Synopsys. His expertise centers on the nexus of cybersecurity, supply chain risk management, and federal procurement. Emile has unique experience in the fields of cybersecurity and procurement in the federal government, ...