Emile Monette
Technology's Complexity and Opacity Threaten Critical Infrastructure Security

Addressing the complexity of modern distributed software development is one of the most important things we can do to decrease supply chain risk.

A lack of transparency and a lack of accountability are, without a doubt, the most substantial supply chain-specific security threats to the United States. These threats lead to underinformed end users and an inequitable distribution of risk in global technology value chains.


The opacity and complexity of technology and its supply chains contribute to an environment where actors in the value chain are incentivized (and permitted) to externalize the risk (and cost) of doing business.

The ultimate risk owner — the end-user consumer — is rarely in control of (and often unaware of) the decisions being made in the supply chain that affect their risk posture. After all, the consumer rarely knows what's in the technology they rely upon, so they have little hope of appropriately managing the risks of using it.

The frantic scramble that occurred after the recent SolarWinds cyber incident, as companies and governments rushed to understand the extent of the incident and where the compromised software was installed, is an example of how little knowledge we have of what goes into our technology.

And this isn't a new phenomenon.

When the federal government banned Kaspersky software in 2017, agencies and companies were forced to spend thousands of hours combing through their technology stacks seeking the offending code because they didn't have visibility into what was in the software they use.

Complexity in technology is only going to increase. As such, it's vital that end users can get more thorough information about what is (or isn't) in the technology they consume, and technology providers are held more accountable for the content of the technology they deliver to consumers.

Impacts on Critical Infrastructure
This brings me to a more widespread concern that was once again highlighted with the recent Colonial Pipeline ransomware attack: how supply chain threats impact critical infrastructure.

Many things have changed since 2013, when the Secretary of Defense and the Administrator of General Services published a joint DoD-GSA report about improving US cybersecurity. One of the more significant changes is that the sophistication, frequency, and volume of cyberattacks have increased.

As the report states:

"The federal government and its contractors, subcontractors, and suppliers at all tiers of the supply chain are under constant attack, targeted by increasingly sophisticated and well-funded adversaries seeking to steal, compromise, alter, or destroy sensitive information."

Nobody can deny that critical infrastructure is on that list of targets. As critical infrastructure owners and operators increasingly rely on networked operational technology and the software that makes it work, they increase their attack surface and their risk of an incident like Colonial Pipeline.

The DoD-GSA report also points out that:

"Offshore sourcing has demonstrated its merit as a means to reduce costs, and as a result, most technology is produced in a global supply chain. Movement of production outside the US has also increased government concerns about foreign ownership, control, manipulation, or influence over technology used in or connected to critical infrastructure."

The threats to the technology supply chain from "adversaries (foreign governments, militaries, intelligence services, and terrorist organizations) and those seeking to advance their own cause (hackers and criminal elements)" have introduced significant new risk to critical infrastructure owners and operators in particular, the report continues.

Driving Transparency and Accountability
To the extent we increase transparency and accountability in technology supply chains, we enable better-informed consumers who will make better decisions and, as a result, will be better able to manage their risks.

The recent Biden administration Executive Order on Improving the Nation's Cybersecurity is by no means a panacea, but it does have the potential to drive increased transparency and accountability in software through requirements for testing and for providing a software bill of materials (SBOM).

In order to achieve the executive order's goals, SBOMs must provide enough detail to convey provenance, pedigree, and linkage that describes how the software is connected throughout the supply chain, along with attestations about steps in the production chain.

To succeed, the government's implementation of the executive order must address the complexity of modern distributed software development and provide transparency into both the provenance of code and the associated testing performed at each life-cycle stage. Meeting that outcome requires greater transparency into the software development processes employed by all stakeholders.
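As an added illustration that is not part of the article, the following constructed, simplified CycloneDX-style SBOM model shows how provenance (supplier, hash) and linkage (a dependency graph) let a consumer answer the question the SolarWinds and Kaspersky episodes raised: which products contain a given component, and through what path. All product names, suppliers and hashes are invented.

```python
"""Locate a component across products using SBOM provenance and linkage.

Constructed, simplified CycloneDX-style SBOMs (invented sample data, not
real vendor output): each SBOM lists components with a supplier and a
hash (provenance) plus a dependency graph (linkage). The query below is
what an organization could run instead of combing through every stack
by hand when a component is found to be compromised.
"""
from collections import deque

# Constructed sample: two products, one of which pulls in a transitive dependency.
SBOMS = {
    "ops-dashboard@4.2": {
        "components": {
            "ops-dashboard@4.2": {"supplier": "Example Corp", "sha256": "aa11"},
            "netlib@1.3": {"supplier": "Example Net", "sha256": "bb22"},
            "compress@0.9": {"supplier": "CompressCo", "sha256": "cc33"},
        },
        "dependencies": {
            "ops-dashboard@4.2": ["netlib@1.3"],
            "netlib@1.3": ["compress@0.9"],
        },
    },
    "billing-agent@2.0": {
        "components": {
            "billing-agent@2.0": {"supplier": "Example Corp", "sha256": "dd44"},
            "jsonlib@5.1": {"supplier": "JSON Ltd", "sha256": "ee55"},
        },
        "dependencies": {"billing-agent@2.0": ["jsonlib@5.1"]},
    },
}


def dependency_paths(sbom, root, target):
    """Return every path from root to target through the SBOM's dependency graph."""
    paths, queue = [], deque([[root]])
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            paths.append(path)
            continue
        for dep in sbom["dependencies"].get(path[-1], []):
            if dep not in path:  # guard against cycles in a malformed SBOM
                queue.append(path + [dep])
    return paths


def locate_component(sboms, target):
    """Map each product that links to target to its dependency paths and provenance."""
    found = {}
    for product, sbom in sboms.items():
        paths = dependency_paths(sbom, product, target)
        if paths:
            meta = sbom["components"].get(target, {})
            found[product] = {"paths": paths, "supplier": meta.get("supplier"),
                              "sha256": meta.get("sha256")}
    return found


def products_affected(sboms, target):
    """Sorted names of products whose SBOM links, directly or transitively, to target."""
    return sorted(locate_component(sboms, target))
```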

Emile Monette is the Director of Value Chain Security at Synopsys. His expertise centers on the nexus of cybersecurity, supply chain risk management, and federal procurement. Emile has unique experience in the fields of cybersecurity and procurement in the federal government, ...