- Dec 20, 2020 6:36 pm GMT
The author of this article, Eric Byres, is a well-known cybersecurity expert in ICS communities. His new company, aDolus, is working to help companies identify risks in software supply chains. Other companies are also working on software supply chain risk assessment solutions, e.g. Fortress and my company, Reliable Energy Analytics LLC. Solutions for software supply chain risk assessments are really just in their infancy; however, their valuable role in helping companies identify and prevent harmful software from being installed is becoming an imperative. There is much room for improvement with these software risk assessment tools; however, the solutions available today are effective at identifying known culprits and notifying companies of the inherent risk they face if they decide to install a "risky" software package. It's surprising to me that more companies are not using software supply chain risk assessment solutions to protect themselves from harm - maybe the SolarWinds incursion will serve as a catalyst for greater adoption of these solutions. Here are some key takeaways from Eric's article that I find insightful, pragmatic and prudent:
- This blog is not going to tell you that there is a silver bullet out there. There isn’t. Supply chain attacks are very difficult to detect. But the lack of an easy solution doesn't mean we can't learn from the attack (and make life much more challenging for the next attacker).
- Just last month we saw trojanized security software hit South Korean users in a supply chain attack that, like SUNBURST, also involved signed code. [RJB: signed software needs to be treated as "guilty" until proven innocent]
- Clearly supply chain exploits are now a core tool in the cyber-weapons toolbox.
- The second takeaway is that software code signing alone is poor defence against supply chain attacks. [RJB - Totally agree]
- To be 100% clear, I am not saying that code signing, SBOMs, or network monitoring are bad. I’m a big proponent of all three as critical tools in our cyber-defence toolbox. My company even generates SBOMs for ICS software companies. But SBOMs or code signing or the tool "du jour" are limited when used on their own. [RJB: I agree, Eric; each of the items you list is just part of a comprehensive, best-practices software supply chain risk assessment - see the Energy Central PowerSession from 8/12, on demand, for a best-practices approach to software supply chain risk assessments based on the NIST Cybersecurity Framework V1.1]
- What we need is a way to coordinate the information about the software we use in our critical systems. [RJB: I agree with Eric. Never trust software, always verify and report!™]
- We need cooperation on software threats and vulnerabilities across companies and sectors. We need coordination between vendors, users, and consultants. And we need that cooperation to be in real time, not after the fact. [RJB: Well said, Eric; you can count on Reliable Energy Analytics LLC to stand with you and aDolus in the pursuit of this goal.]
Excellent piece, Eric - well done.