Mar 16 2021

How Agencies Can Tackle Supply Chain Cybersecurity Threats

Having emergency response plans in place in advance can mitigate potential damage.

Cybersecurity professionals have worried for years about the insidious risk posed by supply chain attacks — that sophisticated attackers with the ability to breach the internal systems of technology vendors might inject malicious code directly into devices that agencies rely on to perform their work.

Worst of all, this code could be delivered through trusted update mechanisms, arriving over the same channel, and often with the same vendor signature, as legitimate patches, so that traditional perimeter and signature-based defenses have little to flag.

At the end of 2020, federal agencies saw this nightmare scenario come to life when officials at network management vendor SolarWinds revealed that the company had been the victim of just such an attack.

The attackers used that foothold to gain access to the internal systems of multiple organizations. Notably, investigators reported that roughly 30 percent of the identified victims had no direct connection to SolarWinds at all, an indication that the same actors also relied on other initial access vectors, such as compromised credentials.

With the SolarWinds incident still under investigation, agency cybersecurity teams should continue to analyze susceptibility to future supply chain attacks and put countermeasures in place. These best practices can help agencies build resilience against supply chain attacks.

Keep Track of Your Agency’s IT Vendors

Today, federal agencies rely upon hundreds, if not thousands, of vendors to provide components of their technology infrastructure. Agencies use billions of lines of code to power everything from routers, switches and firewalls to software that runs programs for jobs as varied as tax calculations and environmental modeling.

Cybersecurity teams seeking to secure their supply chains must first build and maintain an inventory of all the moving parts that make up their technology ecosystems. Knowing all the details about what’s in place is critical to nipping supply chain attacks in the bud.

In the aftermath of the SolarWinds breach, cybersecurity teams quickly searched for vulnerable deployments within their scope of control. This was a relatively easy task, because the affected Orion platform is typically a large-scale, centrally procured purchase made by networking teams, so it shows up in procurement records and asset inventories.

History tells us that not all attacks will be this easy to analyze. The Heartbleed vulnerability of 2014 in the OpenSSL cryptographic library was far harder to track down: many organizations that relied on OpenSSL did not know it, because the open-source library is bundled into countless other software packages and appliances that need TLS.

Tracking these second-order dependencies is a crucial component in building a supplier inventory. Agencies need to know not only what suppliers they use directly, but also what suppliers their vendors rely upon.
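As an added example (not from the article or from any vendor), the following Python script shows how a team might answer the Heartbleed-style question above, "which of our deployed products carry this library?", from software bills of materials. It reads a dependency graph in the shape of a CycloneDX JSON SBOM; the SBOM content, product names and supplier names are constructed placeholders, and the script assumes that components nothing else depends on are the top-level products.

```python
"""Find which deployed products transitively contain a given component
(the Heartbleed question: "where is OpenSSL in our estate?") and which
suppliers stand behind each component. Added example; the SBOM below is a
constructed placeholder in the shape of a CycloneDX JSON document."""
import json
from collections import deque

# Constructed sample: two top-level products from two vendors. Only "netmon"
# pulls in OpenSSL, and only indirectly through a bundled HTTP client library.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"bom-ref": "netmon@5.1", "name": "netmon", "version": "5.1",
     "supplier": {"name": "Example Networks Inc"}},
    {"bom-ref": "taxcalc@2.0", "name": "taxcalc", "version": "2.0",
     "supplier": {"name": "Example Fiscal Software LLC"}},
    {"bom-ref": "httpclient@3.2", "name": "httpclient", "version": "3.2",
     "supplier": {"name": "Example Networks Inc"}},
    {"bom-ref": "openssl@1.0.1f", "name": "openssl", "version": "1.0.1f",
     "supplier": {"name": "OpenSSL Software Foundation"}},
    {"bom-ref": "zlib@1.2.11", "name": "zlib", "version": "1.2.11",
     "supplier": {"name": "zlib contributors"}}
  ],
  "dependencies": [
    {"ref": "netmon@5.1", "dependsOn": ["httpclient@3.2", "zlib@1.2.11"]},
    {"ref": "taxcalc@2.0", "dependsOn": ["zlib@1.2.11"]},
    {"ref": "httpclient@3.2", "dependsOn": ["openssl@1.0.1f", "zlib@1.2.11"]},
    {"ref": "openssl@1.0.1f", "dependsOn": []},
    {"ref": "zlib@1.2.11", "dependsOn": []}
  ]
}
""")


def build_graph(sbom):
    """Map each bom-ref to the set of bom-refs it directly depends on."""
    graph = {c["bom-ref"]: set() for c in sbom["components"]}
    for dep in sbom.get("dependencies", []):
        graph.setdefault(dep["ref"], set()).update(dep.get("dependsOn", []))
    return graph


def transitive_dependencies(graph, ref):
    """Everything reachable from ref. Breadth-first with a seen-set, so a
    cyclic dependency graph (which real SBOMs do contain) still terminates."""
    seen, queue = set(), deque(graph.get(ref, ()))
    while queue:
        cur = queue.popleft()
        if cur in seen:
            continue
        seen.add(cur)
        queue.extend(graph.get(cur, ()))
    return seen


def top_level_products(graph):
    """Refs nothing else depends on: the products actually deployed (an
    assumption of this example; a per-product SBOM names it in metadata)."""
    depended_on = set().union(*graph.values())
    return sorted(ref for ref in graph if ref not in depended_on)


def products_depending_on(sbom, component_name):
    """Names of deployed products that contain component_name at any depth."""
    graph = build_graph(sbom)
    name_of = {c["bom-ref"]: c["name"] for c in sbom["components"]}
    matches = {ref for ref, name in name_of.items() if name == component_name}
    return sorted(name_of.get(p, p) for p in top_level_products(graph)
                  if transitive_dependencies(graph, p) & matches)


def supplier_inventory(sbom):
    """Supplier -> component names: the 'whom do our vendors rely on' view."""
    inventory = {}
    for c in sbom["components"]:
        supplier = c.get("supplier", {}).get("name", "unknown")
        inventory.setdefault(supplier, set()).add(c["name"])
    return {s: sorted(names) for s, names in inventory.items()}


if __name__ == "__main__":
    print("products carrying openssl:", products_depending_on(SAMPLE_SBOM, "openssl"))
    for supplier, names in sorted(supplier_inventory(SAMPLE_SBOM).items()):
        print(f"{supplier}: {', '.join(names)}")
```

Run against the sample, the query for openssl returns only netmon, even though netmon's own bill of materials never lists OpenSSL directly; that second-order hop is exactly what a flat vendor list misses. The supplier view is the inverse question: it lists every upstream party whose code an agency is actually running, which is the list to watch when the next OpenSSL-scale bulletin lands.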

Stay on Alert for Emerging Security Threats 

In the world of cybersecurity, information is power. New vulnerabilities and exploits spread rapidly, and agencies that respond quickly to security alerts decrease the likelihood of compromise.

For this reason, agency cybersecurity teams should develop formal processes for both remaining in close contact with vendors and monitoring vendor security bulletins. Vendors may not be able to contact agencies every time there is a critical outbreak — especially one they may be dealing with themselves — but security bulletins arrive automatically.

Agencies can subscribe to a vendor’s security mailing list using an email address that automatically opens a ticket in the team’s incident tracking system. When new vulnerabilities arise, the arrival of the bulletin will trigger a ticket that someone on the team must address, creating both accountability and a paper trail.
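An added example, not part of the article and not any agency's actual tooling, of the intake step described above: a Python function that turns a vendor bulletin arriving at the ticket mailbox into a ticket record. The messages, sender domains, placeholder CVE identifiers and ticket fields are constructed for illustration. It also shows the check a practitioner would want on such a mailbox: because the address is public, only mail from allow-listed vendor domains opens a ticket, and repeated copies of the same bulletin collapse into one ticket.

```python
"""Turn vendor security-bulletin e-mail into tickets. Added example; the
messages, sender domains and ticket fields are constructed placeholders."""
import re
from email import message_from_string
from email.policy import default as EMAIL_POLICY
from email.utils import parseaddr

# Vendor list domains allowed to open tickets (constructed allow-list).
TRUSTED_BULLETIN_SENDERS = {"psirt.example-networks.com",
                            "security-announce.example-fiscal.com"}
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
PRIORITY_BY_SEVERITY = {"critical": "P1", "high": "P2"}

# Constructed bulletin. The CVE identifiers are placeholders: their
# non-canonical zero padding means they cannot collide with real entries.
SAMPLE_BULLETIN = """\
From: PSIRT <psirt@psirt.example-networks.com>
To: bulletins@agency.example.gov
Subject: [SECURITY] netmon 5.x: remote code execution in update service
Message-ID: <20210316-0001@psirt.example-networks.com>
Date: Tue, 16 Mar 2021 09:00:00 +0000
Content-Type: text/plain; charset=utf-8

Affected: netmon 5.0 through 5.1
Severity: Critical
Tracked as CVE-2021-00001 and CVE-2021-00002. See also CVE-2021-00001.
Fixed in netmon 5.1.1.
"""

# Constructed look-alike from a domain that is not on the allow-list.
SPOOFED_BULLETIN = """\
From: PSIRT <psirt@psirt-example-networks.example.net>
To: bulletins@agency.example.gov
Subject: [SECURITY] urgent: run the attached patch now
Message-ID: <spoof-1@example.net>

Severity: Critical
Please run the attached installer immediately.
"""


def bulletin_to_ticket(raw_message, trusted_senders=TRUSTED_BULLETIN_SENDERS):
    """Parse one list message; return a ticket dict, or None if it must not open one."""
    msg = message_from_string(raw_message, policy=EMAIL_POLICY)
    _, sender = parseaddr(str(msg["From"] or ""))
    domain = sender.rpartition("@")[2].lower()
    # The intake address is public. Without this gate anyone could flood the
    # queue with fake bulletins or phish the on-call analyst through it.
    if domain not in trusted_senders:
        return None
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    subject = str(msg["Subject"] or "")
    cves = sorted(set(CVE_RE.findall(subject + "\n" + text)))
    match = re.search(r"^Severity:\s*(\w+)", text, re.MULTILINE | re.IGNORECASE)
    severity = match.group(1).lower() if match else "unknown"
    return {
        "key": str(msg["Message-ID"]),  # dedup key: one bulletin, one ticket
        "vendor_domain": domain,
        "subject": subject,
        "cves": cves,
        "severity": severity,
        "priority": PRIORITY_BY_SEVERITY.get(severity, "P3"),
    }


def open_tickets(raw_messages):
    """Fold a batch of list mail into tickets keyed by Message-ID, so a
    re-sent or cross-posted bulletin does not become a second ticket."""
    tickets = {}
    for raw in raw_messages:
        ticket = bulletin_to_ticket(raw)
        if ticket and ticket["key"] not in tickets:
            tickets[ticket["key"]] = ticket
    return tickets


if __name__ == "__main__":
    for key, ticket in open_tickets([SAMPLE_BULLETIN, SAMPLE_BULLETIN,
                                     SPOOFED_BULLETIN]).items():
        print(key, ticket["priority"], ticket["cves"], ticket["subject"])
```

The From header alone is forgeable, so in production the domain check belongs behind DKIM or SPF verification at the mail gateway; the allow-list here only shows where that gate sits in the flow. Keying the ticket on Message-ID gives the accountability the paragraph describes without creating a second ticket every time a vendor re-sends or cross-posts the same advisory.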

In addition to using these formal support mechanisms, it’s also a good idea for agencies to develop personal relationships with the vendors that they rely upon the most. That helps put an agency at the top of a vendor’s call list when a crisis occurs.

Follow Cybersecurity Incident Response Plans

No matter how well teams prepare, the next supply chain attack is virtually inevitable. In addition to putting controls in place to protect against that attack, teams should also develop comprehensive response plans that help their agency maintain operations while they recover from the next attack.

Fortunately, federal agencies already have cybersecurity incident response plans in place, and these plans should serve them well in the event of another supply chain cybersecurity incident.

These plans should follow the four-phase process detailed by the National Institute of Standards and Technology in its Computer Security Incident Handling Guide (Special Publication 800-61): prepare for future response efforts; detect potential incidents and perform initial analysis; contain the damage, eradicate the attacker's footholds and recover operations; and conduct after-action reviews and other post-incident activities to improve the process.

Agencies should also coordinate with other federal incident response teams during a potential supply chain attack. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency leads cybersecurity incident response efforts across the federal government and plays a crucial role in facilitating these connections.

Supply chain security incidents pose a significant risk to agency information and systems because they infiltrate agencies through highly trusted mechanisms.

Agency cybersecurity teams should put policies and practices in place now to reduce their exposure to these incidents and improve their ability to respond to future supply chain attacks.