Emerging Technologies To Secure the Supply Chain
This article, prepared in conjunction with AFCEA’s Technology Committee, is the third in a series of three articles addressing supply chain considerations of software and hardware. The first article is titled Securing the Federal Software Supply Chain and the second is titled Securing the Hardware Supply Chain.
The advent of the digital era has seen a progressive escalation of cyber threats targeting supply chain systems.
Supply chain professionals historically have measured success primarily through cost reductions and increased operational efficiencies. Unfortunately, that yardstick is no longer sufficient on its own. As supply chain networks become more interconnected, complex and globally distributed, the opportunities for malicious actors to disrupt them grow exponentially. Emerging technologies are key to securing the supply chain, starting with 5G and extending to key encryption, applications, automation and robotics that ensure secure data transfer.
Government agencies are focused on improving the security of their supply chains, and many are deploying dedicated supply chain security teams to enable a more holistic view of the threat landscape. With improved monitoring across the supply chain, agencies can stay better informed as risks emerge.
A holistic approach also fuels deeper conversations between supply chain risk managers and stakeholders such as cybersecurity specialists, physical security teams and human resources. Increased collaboration and connectivity between these disciplines is critical. The definition of supply chain is ever-expanding, and an agency must think of all of its operations. Using a cloud vendor does not relieve an organization of the need to map out the data flow, the infrastructure, the software bill of materials and all the dependencies within this holistic view.
Likewise, threat intelligence services can help groups stay informed of the latest attack trends and tactics. Many suppliers seek ways to share information and help protect industries against threats.
Zero-trust security is quickly becoming another new standard. Here, employees and partners are assigned only the access required to do their job. This limited-access approach helps combat the increasing number of threat mechanisms and attack vectors. Employing a zero-trust approach can help enhance an agency’s information security risk management.
Agencies seek to align with supply chain security standards to protect assets. Certifications such as ISO 28000 and ISO 27001, or the use of the National Institute of Standards and Technology (NIST) Cybersecurity Framework and NIST AI Risk Management Framework, can assure that groups are taking the right steps to prevent and quickly remediate breaches. External validation and finely tuned internal controls can help confirm compliance and promote more effective certification efforts. Most manufacturing supply chains rely on automation using artificial intelligence (AI)/machine learning (ML), so ensuring the frameworks are deployed successfully is critical. By leveraging additional modeling techniques, it is possible to establish a full chain of custody.
This takes us to the software bill of materials, or SBOM. As part of building stronger cybersecurity requirements, SBOM has emerged as key in software security and software supply chain risk management. An SBOM is a nested inventory, a list of ingredients that make up the software package, application and set of components. The SBOM work has advanced since 2018 as a collaborative community effort, driven by the National Telecommunications and Information Administration’s multistakeholder process.
The Cybersecurity and Infrastructure Security Agency (CISA) has been advancing the SBOM work by facilitating community engagement within the government, industry and academia, focusing on scaling and operationalizing the creation of this bill of materials. Companies are developing tools and releasing them to the open-source community, and commercial tools are available to produce an SBOM of your environment. CISA looks to be the nexus for the broader set of SBOM resources across the digital ecosystem and around the world.
A related concept is the Vulnerability Exploitability eXchange (VEX), a security advisory that indicates whether a product is actually affected by a known vulnerability present in one of its components.
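To make the SBOM and VEX relationship concrete, here is an added example (not from the article or from any CISA tooling) that walks a nested inventory, looks up each component in a vulnerability feed and then applies the supplier's VEX statements to decide which advisories still need action. The SBOM shape, the advisory identifiers and the status vocabulary (not_affected, fixed, under_investigation) are constructed assumptions for this illustration.

```python
"""Correlate a nested SBOM against vulnerability records and VEX statements."""

# Constructed SBOM: a nested inventory, the "list of ingredients" of a package.
SBOM = {
    "name": "shipment-tracker",
    "version": "2.1.0",
    "components": [
        {"name": "http-lib", "version": "1.4.2", "components": [
            {"name": "tls-core", "version": "0.9.1", "components": []},
        ]},
        {"name": "json-parser", "version": "3.0.0", "components": []},
    ],
}

# Constructed vulnerability feed: (name, version) -> placeholder advisory ids.
KNOWN_VULNS = {
    ("tls-core", "0.9.1"): ["VULN-EXAMPLE-1"],
    ("json-parser", "3.0.0"): ["VULN-EXAMPLE-2", "VULN-EXAMPLE-3"],
}

# Constructed VEX statements from the supplier: advisory id -> status. The
# status names follow common VEX usage but are assumed, not from the article.
VEX = {
    "VULN-EXAMPLE-2": "not_affected",  # vulnerable code path never reached
    "VULN-EXAMPLE-3": "under_investigation",
}

def flatten(component, path=()):
    """Yield (path, name, version) for every component in the nested inventory."""
    here = path + (component["name"],)
    yield here, component["name"], component["version"]
    for child in component.get("components", []):
        yield from flatten(child, here)

def actionable_findings(sbom, vulns, vex):
    """Advisories still needing action after applying VEX: only a supplier
    assertion of not_affected or fixed removes one; a missing statement or
    under_investigation keeps it on the list."""
    findings = []
    for path, name, version in flatten(sbom):
        for vid in vulns.get((name, version), []):
            status = vex.get(vid, "no_vex_statement")
            if status not in ("not_affected", "fixed"):
                findings.append({"component": "/".join(path), "id": vid, "status": status})
    return findings

if __name__ == "__main__":
    for finding in actionable_findings(SBOM, KNOWN_VULNS, VEX):
        print(finding)
```

Note that a missing VEX statement is treated as actionable rather than silently ignored, so an incomplete advisory feed fails toward investigation rather than toward false assurance.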
With an ever-increasing proliferation of cyber attacks on supply chain systems, it’s time for an all-hands-on-deck approach. Continuous monitoring facilitated by AI/ML can aggregate troves of data, mine it for patterns and anomalies that could signify a security breach and effectively mitigate the risks.
In recent years, blockchain technology has emerged as a complementary solution to AI/ML techniques providing cryptographically secure and decentralized records of transactions that improve transparency and traceability. By “tokenizing” transaction data—purchase orders, shipments, receipts—blockchain ensures data integrity while AI/ML verifies its accuracy and relevance, making it difficult for attackers to alter the chain.
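The integrity property the article attributes to blockchain is a hash chain: each record commits to the hash of its predecessor, so changing any earlier purchase order, shipment or receipt invalidates every later link. The following added example (not from the article) builds such a chain from constructed records and shows verification detecting an altered quantity.

```python
"""Hash-chained ledger of supply chain transactions with tamper detection."""
import copy
import hashlib
import json

GENESIS = "0" * 64  # placeholder predecessor hash for the first record

def record_hash(index, prev_hash, data):
    """Commit to the record's position, its predecessor and its canonical data."""
    payload = json.dumps({"i": index, "prev": prev_hash, "data": data}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def append(chain, data):
    """Append a transaction that commits to the current head of the chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"i": len(chain), "prev": prev, "data": data}
    entry["hash"] = record_hash(entry["i"], prev, data)
    chain.append(entry)
    return entry

def verify(chain):
    """Recompute every hash and link; return (ok, index_of_first_bad_record)."""
    expected_prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["i"] != i or entry["prev"] != expected_prev:
            return False, i
        if record_hash(i, entry["prev"], entry["data"]) != entry["hash"]:
            return False, i
        expected_prev = entry["hash"]
    return True, None

def build_sample_chain():
    """Constructed purchase order, shipment and receipt for one order."""
    chain = []
    append(chain, {"type": "purchase_order", "po": "PO-0001", "qty": 100})
    append(chain, {"type": "shipment", "po": "PO-0001", "qty": 100})
    append(chain, {"type": "receipt", "po": "PO-0001", "qty": 100})
    return chain

def tampered_copy(chain):
    """Simulate after-the-fact alteration: change the shipped quantity but
    leave the stored hashes as they were."""
    altered = copy.deepcopy(chain)
    altered[1]["data"]["qty"] = 90
    return altered

if __name__ == "__main__":
    ledger = build_sample_chain()
    print("original:", verify(ledger), "tampered:", verify(tampered_copy(ledger)))
```

Recomputing the hashes after an alteration would still change the head hash, which is why the article pairs the chain with decentralized copies: independent holders of the ledger would reject a head that no longer matches theirs.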
The surge in remote users, emerging mission needs and heightened cybersecurity risks throughout the supply chain puts incredible demand on information technology (IT) teams to improve bandwidth, user experience, availability, functionality and security. To keep pace with evolving user expectations and threats, organizations must adopt NetSecOps.
NetSecOps is akin to what DevSecOps does for application development in that it prioritizes security from the earliest network design stages, sets success criteria, tests anticipated results upfront before building systems and avoids misaligned handoffs from engineering to operations.
NetSecOps enables the review of the entire acquisition life cycle and substantiates a secure design, digital implementation and continuous monitoring of aggregated information, including third-party data. There is no need for a magic wand answer with NetSecOps. Maximizing existing technology investments extends their useful life, avoiding costly retraining and cutover complexities common with new tooling.
Cloud-based technology, software-as-a-service and mobility make the traditional perimeter-based security model obsolete. Enter zero-trust security—a significant paradigm shift that will affect IT solutions and architectures for years to come.
There is no single end-to-end zero-trust solution. Zero trust enables the journey toward a digital supply chain business model, and achieving the desired end state involves incremental steps. It is not necessary to “rip and replace” existing security tools. Instead, design a zero-trust architecture, deploy zero-trust tools to support the environment and reconfigure existing tools by following these recommendations, guidelines and governance measures created in partnership with vendors, equipment manufacturers, software vendors, application developers, staff, contractors and more:
- Vendor Evaluation and Selection: Conducting thorough evaluations of vendors, suppliers and partners is essential. Assess reputation, track record, security practices and adherence to standards and regulations. Choosing trusted and reputable partners reduces the risk of compromised or malicious components entering the supply chain.
- Component Authentication: Implementing mechanisms to authenticate the origin and authenticity of components is crucial. This situation may involve verifying unique identifiers, such as serial numbers or secure labels, and conducting audits to ensure components are sourced from authorized suppliers.
- Secure Manufacturing Facilities: Implementing strict security protocols within manufacturing facilities helps prevent unauthorized access, tampering or introduction of malicious components. The approach includes controlled access to sensitive areas, video surveillance, employee background checks and strict inventory management.
- Secure Transportation: Protecting components and products during transportation is vital. Employing secure shipping methods, tracking systems and tamper-evident packaging helps prevent unauthorized access or tampering during transit.
- Secure Storage and Handling: Implementing secure storage and handling practices ensures that components and products are protected from unauthorized access or tampering. This plan may involve controlled access to storage areas, surveillance, inventory management systems and periodic inspections to detect any signs of tampering.
- Quality Control and Testing: Implementing robust quality control processes and testing procedures throughout the supply chain helps identify anomalies, defects or malicious components. Regular inspections, functional testing and vulnerability assessments can help detect and address risks.
- Secure Configuration Management: Implementing strict configuration management practices ensures only authorized and trusted software, firmware and configurations are applied to components and products.
- Incident Response Planning: Developing incident response plans and protocols mitigates the impact of security incidents. This strategy includes establishing procedures to detect, respond to and recover from security breaches or supply chain disruptions. Regular training and drills can enhance preparedness and response capabilities.
- Regulatory Compliance: Adhering to relevant security standards, regulations and certifications helps ensure compliance and maintain a high level of security throughout the supply chain. This proposal includes standards like ISO 27001, NIST SP 800-161 and industry-specific regulations.
- Continuous Monitoring and Auditing: Implementing continuous monitoring and auditing processes helps identify and address security vulnerabilities, emerging threats or deviations from established security practices.
In conclusion, in today’s highly connected world, organizations rely on others for products and services. However, with globalization, these same organizations no longer have full control or visibility into their entire supply chain. It is a multiheaded hydra. As more businesses adopt a “digital first” philosophy, the value of supply chain cybersecurity increases exponentially. It is critical to remember that whatever technologies, practices and governance you employ across this large threat landscape must cover the physical hardware, the digital software and the human components to be most effective. All organizations must identify, assess and mitigate cyber supply chain risks quickly and efficiently—our nation depends on it.
Gretchen Stewart and Vicki Barbur are members of AFCEA International’s Technology Committee. Stewart is the chief data scientist-public sector at Intel Corporation, and Barbur is senior adviser at KeyLogic Systems, focused on technology commercialization, technology licensing and technology partnerships.