6/29/2021
01:00 PM
Emile Monette
Commentary

Technology's Complexity and Opacity Threaten Critical Infrastructure Security

Addressing the complexity of modern distributed software development is one of the most important things we can do to decrease supply chain risk.

Lack of transparency and lack of accountability are, without a doubt, the most substantial supply chain-specific security threats to the United States. These threats lead to underinformed end users and an inequitable distribution of risk in global technology value chains.

The opacity and complexity of technology and its supply chains contribute to an environment where actors in the value chain are incentivized (and permitted) to externalize the risk (and cost) of doing business.

The ultimate risk owner — the end-user consumer — is rarely in control of (and often unaware of) the decisions being made in the supply chain that affect their risk posture. After all, the consumer rarely knows what's in the technology they rely upon, so they have little hope of appropriately managing the risks of using it.

The frantic scramble that occurred after the recent SolarWinds cyber incident, as companies and governments rushed to understand the extent of the incident and where the compromised software was installed, is an example of how little knowledge we have of what goes into our technology.

And this isn't a new phenomenon.

When the federal government banned Kaspersky software in 2017, agencies and companies were forced to spend thousands of hours combing through their technology stacks seeking the offending code because they didn't have visibility into what was in the software they use.

Complexity in technology is only going to increase. As such, it's vital that end users can get more thorough information about what is (or isn't) in the technology they consume, and technology providers are held more accountable for the content of the technology they deliver to consumers.

Impacts on Critical Infrastructure
This brings me to a more widespread concern that was once again highlighted with the recent Colonial Pipeline ransomware attack: how supply chain threats impact critical infrastructure.

Many things have changed since 2013, when the Secretary of Defense and the Administrator of General Services published a joint DoD-GSA report about improving US cybersecurity. One of the more significant changes is that the sophistication, frequency, and volume of cyberattacks have all increased.

As the report states:

"The federal government and its contractors, subcontractors, and suppliers at all tiers of the supply chain are under constant attack, targeted by increasingly sophisticated and well-funded adversaries seeking to steal, compromise, alter, or destroy sensitive information."

Nobody can deny that critical infrastructure is on that list of targets. As critical infrastructure owners and operators increasingly rely on networked operational technology and the software that makes it work, they increase their attack surface and their risk of an incident like Colonial Pipeline.

The DoD-GSA report also points out that:

"Offshore sourcing has demonstrated its merit as a means to reduce costs, and as a result, most technology is produced in a global supply chain. Movement of production outside the US has also increased government concerns about foreign ownership, control, manipulation, or influence over technology used in or connected to critical infrastructure."

The report continues that threats to the technology supply chain from "adversaries (foreign governments, militaries, intelligence services, and terrorist organizations) and those seeking to advance their own cause (hackers and criminal elements)" have introduced significant new risk for critical infrastructure owners and operators in particular.

Driving Transparency and Accountability
To the extent we increase transparency and accountability in technology supply chains, we enable better-informed consumers who will make better decisions and, as a result, will be better able to manage their risks.

The recent Biden administration Executive Order on Improving the Nation's Cybersecurity is by no means a panacea, but it does have the potential to drive increased transparency and accountability in software through requirements for testing and for providing a software bill of materials (SBOM).

To achieve the executive order's goals, SBOMs must provide enough detail to convey provenance, pedigree, and the linkage that describes how the software is connected throughout the supply chain, along with attestations about each step in the production chain.

To succeed, the government's implementation of the executive order must address the complexity of modern distributed software development and provide transparency into both the provenance of code and the associated testing performed at each life-cycle stage. Meeting that outcome requires greater transparency into the software development processes employed by all stakeholders.
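As an added illustration of the linkage and provenance data the article asks SBOMs to carry (example code written for this page, not the author's or any vendor's tooling), the following Python builds a toy dependency graph from constructed, simplified SBOM records and answers the two questions the article raises: where is a given component deployed, and which components arrive without supplier or integrity attestation. The record shape (a root, components, and `dependsOn` lists) is an assumption loosely modeled on CycloneDX-style dependency lists, and all product, supplier, and hash values are made up.

```python
from collections import deque
# Constructed sample SBOMs for two hypothetical products. Each component records
# supplier (provenance), integrity hash (attestation) and dependencies (linkage).
# Hash values are placeholders, not real digests.
SBOMS = {
    "invoicing-app": {
        "root": "invoicing-app@4.2",
        "components": {
            "invoicing-app@4.2": {"supplier": "AcmeSoft", "hash": "sha256:PLACEHOLDER-1",
                                  "dependsOn": ["webfw@2.1", "logger@1.0"]},
            "webfw@2.1": {"supplier": "WebFw Inc", "hash": "sha256:PLACEHOLDER-2",
                          "dependsOn": ["logger@1.0"]},
            "logger@1.0": {"supplier": None, "hash": None, "dependsOn": []},
        },
    },
    "hr-portal": {
        "root": "hr-portal@1.3",
        "components": {
            "hr-portal@1.3": {"supplier": "PeopleCo", "hash": "sha256:PLACEHOLDER-3",
                              "dependsOn": ["webfw@2.1", "crypto-lib@0.9"]},
            "webfw@2.1": {"supplier": "WebFw Inc", "hash": "sha256:PLACEHOLDER-2",
                          "dependsOn": ["logger@1.0"]},
            # logger@1.0 is referenced above but never described: a real gap.
            "crypto-lib@0.9": {"supplier": "CryptoCorp", "hash": None, "dependsOn": []},
        },
    },
}


def transitive_components(sbom):
    """Walk the dependency graph from the root and return every component reached."""
    seen, queue = set(), deque([sbom["root"]])
    while queue:
        cid = queue.popleft()
        if cid in seen:
            continue
        seen.add(cid)
        # A dependency that is referenced but not described is treated as a leaf.
        queue.extend(sbom["components"].get(cid, {}).get("dependsOn", []))
    return seen


def products_containing(sboms, component_id):
    """Which deployed products include this component, directly or transitively?"""
    return sorted(p for p, s in sboms.items() if component_id in transitive_components(s))


def missing_provenance(sbom):
    """Components in the product whose supplier or integrity hash is absent."""
    comps = sbom["components"]
    return sorted(c for c in transitive_components(sbom)
                  if not comps.get(c, {}).get("supplier") or not comps.get(c, {}).get("hash"))
```

The same walk is what turns a post-incident "where is this library installed?" question from a manual audit into a query, provided every supplier in the chain actually ships the linkage data.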

Emile Monette is the Director of Value Chain Security at Synopsys. His expertise centers on the nexus of cybersecurity, supply chain risk management, and federal procurement. Emile has unique experience in the fields of cybersecurity and procurement in the federal government, ...