Wednesday, May 5, 2021

Hardening Cybersecurity of your supply chain


PARCA eNews – May 5, 2021 – Strengthening ICT supply chains requires an ongoing, unified effort between government and industry, says the US Cybersecurity & Infrastructure Security Agency (CISA).

In March 2020, SolarWinds unwittingly sent its customers software updates that contained malicious code, giving the attackers access to many SolarWinds customers' networks.
Consequently, SolarWinds serves as a cautionary tale about a new attacker strategy. It is not hard to imagine the same strategy being used to gain access to healthcare records via vendor software updates.

To help combat this threat, CISA issued additional guidance on April 26, 2021 for strengthening the cybersecurity of supply chains, as part of its April awareness campaign for supply chain integrity.

The guidance emphasized the need for stronger, consistent and ongoing collaborative efforts on the part of businesses, industry and government.

To that end, the agency issued CISA's SCRM (Supply Chain Risk Management) Essentials, a guide for defending against software supply chain attacks. It calls on leaders and staff, including all organizational personnel with roles in IT and information and communications technologies, to implement its practices and policies.

The guide identifies six steps:
  1. Identify the people,
  2. Manage the security and compliance,
  3. Assess the components,
  4. Know the supply chain and suppliers,
  5. Verify assurance of third parties, and
  6. Evaluate your SCRM program.

As demonstrated in the SolarWinds attack, malicious code that gave attackers persistent access was spread via software update mechanisms.

The CISA guidance makes several recommendations for using NIST’s (National Institute of Standards and Technology) Cyber Supply Chain Risk Management framework and the Secure Software Development Framework to improve resistance to software supply chain attacks.

The CISA SCRM Essentials guide is available for download on the CISA website.
