The Digital Supply Chain Is Not a Trust Chain
On May 12, 2021, President Joe Biden signed an executive order to improve the nation’s cybersecurity. The order came days after a crippling ransomware attack on the largest pipeline system for refined oil products in the U.S. The difficult questions to ask about cybersecurity have not changed, but the answers have because the imminent danger and level of risk have escalated.
Standards drive compliance, compliance drives innovation, and innovation drives transformation. In 1983, President Ronald Reagan proposed the Strategic Defense Initiative (SDI), a missile defense program intended to render nuclear missiles ineffective. The Cold War was defused, but hostilities did not cease; they moved into today's digital skirmishes, orchestrated by proxies of nation-state actors. Rendering sophisticated malware ineffective will require a comparably strategic initiative: a cyber digital transformation program.
The brave new 360-degree cyber threat
There are no 360-day remedies for 360-degree threats and risks in cyberspace. Planning and preparation are needed; you cannot drill a well the moment you need the water. Unless digital transformation becomes the core initiative, the federal government, the public sector and the private sector must factor in the recurring cost of harm to the digital economy. Cyber is about digitally connected things: users, systems, devices, machines, and data. It is fueled by an intricate, global supply chain, and the attack surface spans the many actions within that supply chain, most of which rest on implicit trust in the actors performing them. Protection requires a foundation of measurable trust in both actors and actions. Is the supply chain a trust chain?
The paradigm shift from "need to know" to "need to share" benefited threat intelligence, which feeds both reactive and preemptive detection in the service of prevention. But sharing cyber threat and incident information depends on post-attack forensic investigation and analysis to harvest that intelligence. Protection, by contrast, requires building intrinsic resilience, tamper resistance, and supply chain provenance from the point of manufacture, through the distribution channels, to field operations, so that lifetime operational integrity can be assured with high confidence.
Designing protection controls requires a collaborative effort by device vendors, operators, and service providers. The frequency and magnitude of relentless cyberattacks on corporations, citizens, and public utilities have shown detection and prevention methods to be inadequate on their own. The people, process and technology checklist needs rethinking, because cybercrime syndicates have sophisticated tools and methods in their arsenal. This is an infinite game of will and resources, and the rules of the game must change to stay protected.
Embracing digital transformation
Since a counteroffensive based on a mutually assured destruction strategy may amount to a suicide pact with anonymous nation-state adversaries, the only rational alternative is to embrace digital transformation, applying the lessons learned from unwise cyber practices.
Let’s decipher the core elements of the executive order. It calls for:
- Modernizing infrastructure with a zero-trust architecture, so that a compromise is contained rather than allowed to spread
- Migration to “as a service” cloud models (IaaS, PaaS, SaaS) for improved governance and data analytics
- Multi-factor authentication and encryption for data at rest and in transit
- Rapidly enhancing software supply chain security for integrity of critical software
- Attesting to the integrity and provenance of open-source software components in the software bill of materials (SBOM)
- Developing new standards to achieve compliance
- Public awareness of the security capabilities of Internet of Things (IoT) devices
- Identifying IoT cybersecurity criteria for labeling schemes manufacturers can use to inform consumers about the security of their products
- Ways to incentivize manufacturers and developers to participate in pilot education programs
These are noble intentions, but they are unfunded mandates on an unrealistic timeline with a limited, domestic scope, because cyber is a global supply chain marketplace stretching from the silicon up to hosted cloud services.
Protection in the era of IT/OT convergence
The fundamental principles and objectives, however, are commendable. Attackers crack user credentials to infiltrate continuously monitored operational systems and devices and seize data, whether for exfiltration or extortion. For digital technology officers and product security architects of operational technology (OT) systems, drawing on the lessons of traditional information technology (IT) security controls, this call to action translates, in technical parlance, to:
1) Supply chain protection from software developers, through software providers and publishers along the distribution network to authenticated devices and systems.
2) Migration away from (or disclosure of) open-source software (OSS) components in the software BOM, so that SaaS vendors address security risk, complexity, and support in their service-level agreement (SLA).
3) FIPS 140-3 validation of the device platform's cryptographic module, so that data protection and secure transport protocol stacks rest on a validated cryptographic engine underneath.
4) Application security by design for greenfield and brownfield device platforms, with or without a secure element, for anti-tamper (signed, encrypted, and node locked) data protection.
5) Full-stack integration of security transport protocol stacks with root-of-trust services for attestation, integrity, and confidentiality.
6) Use of a manufacturer-issued initial device identifier (IDevID) and an owner/operator-issued local device identifier (LDevID), in the sense of IEEE 802.1AR, for secure device provisioning and trusted multi-factor authentication.
7) Certificate-based authentication with protected keys on software development systems to protect against orchestrated advanced persistent threats (APTs) that breach source code repositories in the upstream supply chain.
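Item 1) above and the executive order's call to attest to the integrity and provenance of SBOM components both come down to one check: is each artifact that arrived through the distribution channel the one the publisher attested to in the software BOM, and is the BOM itself the one the publisher issued? The following is an added example and is not code from the original article or from any vendor or standards body it names. The component names, artifact bytes, SBOM and pinned digest are all constructed for illustration; the pinned digest stands in for a publisher signature over the manifest, which a real deployment would verify against the publisher's certificate rather than a value pinned out of band.

```python
"""Check SBOM component integrity against shipped artifacts (added example).

Everything below (component names, artifact bytes, SBOM, pinned digest) is
constructed for illustration; none of it comes from a real product.
"""
import copy
import hashlib
import hmac
import json
from dataclasses import dataclass

# Digest algorithms acceptable for attestation. MD5/SHA-1 entries in an SBOM
# are ignored as too weak to anchor provenance on.
STRONG_ALGS = {"SHA-256": hashlib.sha256, "SHA-384": hashlib.sha384, "SHA-512": hashlib.sha512}

# Constructed artifacts, as they would arrive through the distribution channel.
ARTIFACTS = {
    "libparser-1.4.2.tar.gz": b"libparser 1.4.2 source tarball (constructed)",
    "tlsutil-0.9.0.whl": b"tlsutil 0.9.0 wheel, replaced in transit (constructed)",
    "vendor-sdk-3.1.0.zip": b"vendor-sdk 3.1.0 archive (constructed)",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed CycloneDX-like SBOM. libparser is attested correctly; the tlsutil
# hash is the publisher's value for the genuine wheel and will not match the
# swapped artifact above; vendor-sdk ships with no hash at all.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "libparser", "version": "1.4.2", "artifact": "libparser-1.4.2.tar.gz",
         "hashes": [{"alg": "SHA-256", "content": sha256_hex(ARTIFACTS["libparser-1.4.2.tar.gz"])}]},
        {"name": "tlsutil", "version": "0.9.0", "artifact": "tlsutil-0.9.0.whl",
         "hashes": [{"alg": "SHA-256", "content": "4d" * 32}]},  # constructed publisher hash
        {"name": "vendor-sdk", "version": "3.1.0", "artifact": "vendor-sdk-3.1.0.zip",
         "hashes": []},
    ],
}

def canonical_digest(sbom: dict) -> str:
    """Digest over canonical JSON so key order and whitespace do not change the value.
    A publisher would sign this digest; here it is pinned out of band instead."""
    canon = json.dumps(sbom, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(canon)

# Stands in for the signed manifest digest obtained from the publisher.
PINNED_SBOM_DIGEST = canonical_digest(SBOM)

@dataclass
class Finding:
    component: str
    status: str  # ok | mismatch | unattested | missing | manifest-tampered
    detail: str

def check_component(comp: dict, artifacts: dict) -> Finding:
    """Compare every strong hash declared for one component with the artifact we hold."""
    name = f"{comp['name']}@{comp['version']}"
    blob = artifacts.get(comp.get("artifact"))
    if blob is None:
        return Finding(name, "missing", "artifact not present in the distribution bundle")
    strong = [h for h in comp.get("hashes", []) if h.get("alg") in STRONG_ALGS]
    if not strong:
        return Finding(name, "unattested", "no SHA-2 hash declared; provenance cannot be checked")
    for h in strong:
        actual = STRONG_ALGS[h["alg"]](blob).hexdigest()
        if not hmac.compare_digest(actual, h["content"].lower()):
            return Finding(name, "mismatch",
                           f"{h['alg']} declared {h['content'][:12]}..., artifact has {actual[:12]}...")
    return Finding(name, "ok", "all declared hashes match")

def verify_sbom(sbom: dict, artifacts: dict, pinned_digest: str):
    """Return (trusted, findings). The manifest is checked first: if it was altered,
    none of the component claims inside it are worth evaluating."""
    if not hmac.compare_digest(canonical_digest(sbom), pinned_digest):
        return False, [Finding("<sbom>", "manifest-tampered",
                               "SBOM digest does not match the pinned publisher digest")]
    findings = [check_component(c, artifacts) for c in sbom.get("components", [])]
    return all(f.status == "ok" for f in findings), findings

def with_rewritten_hash(sbom: dict, index: int, new_hex: str) -> dict:
    """Model an attacker who swaps an artifact and edits the SBOM to match it."""
    doctored = copy.deepcopy(sbom)
    doctored["components"][index]["hashes"] = [{"alg": "SHA-256", "content": new_hex}]
    return doctored

if __name__ == "__main__":
    trusted, findings = verify_sbom(SBOM, ARTIFACTS, PINNED_SBOM_DIGEST)
    print("trusted:", trusted)
    for f in findings:
        print(f"  {f.status:10} {f.component}: {f.detail}")
    doctored = with_rewritten_hash(SBOM, 1, sha256_hex(ARTIFACTS["tlsutil-0.9.0.whl"]))
    trusted, findings = verify_sbom(doctored, ARTIFACTS, PINNED_SBOM_DIGEST)
    print("doctored SBOM trusted:", trusted, "->", findings[0].status)
```

Two failure modes matter here and the check treats them differently. An artifact swapped in transit without touching the BOM shows up as a per-component mismatch, and a component shipped without any strong hash is reported as unattested rather than silently passed, since a hash the publisher never declared cannot be "matched". An attacker who swaps the artifact and rewrites the BOM entry to agree with it defeats the per-component check entirely, which is why the manifest digest is compared against a value obtained from the publisher before any component is examined: without a signed or otherwise pinned manifest, an SBOM is an inventory, not an attestation.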
In recent years, several cybersecurity standards, guidelines, and frameworks have been proposed by standards bodies, alliances, and organizations such as NIST, FedRAMP, IEC, IIC, FCG, FIDO, NERC-CIP, IETF, and IEEE. The ultimate challenge for industry thought leaders and innovators is to perform the cost-benefit analysis expeditiously and diligently, and to incentivize the stakeholders: device manufacturers, line-of-business (LOB) application developers, software supply chains, service providers, and the operators of device management systems, security operations centers and network operations centers. It takes a village to protect cyberspace.