Chapter 1. Supply Chain Security

When you purchase something, the product you purchase usually has had a long journey from its original idea to the moment of delivery, as shown in Figure 1-1. You may recognize that the supply chain involves many participants in the item’s journey, but you may not realize how many opportunities exist for something to happen as that item moves along the path. Supply chain security has been part of our existence for thousands of years, such as when spices were carried from East to West, when ships moved goods between continents during colonization, or when military troops transported food and weapons during world wars. In all those situations, people prepared for attacks and defended their supplies so the items could make it to their intended destination.

After all this time, supply chain attacks have evolved and defense mechanisms must adapt to these changes. These attacks can be on individual products, as was the case when seven people were murdered in 1982 from poisoned Tylenol medicine capsules.¹ The follow-on regulations mandating tamper-evident packaging for medicine, food, and drinks in the United States has been repeated throughout the world. Organizations have taken great care in defending their logistics from distribution attacks, but now the attackers have moved earlier in the supply chain by attacking the design, development, and manufacturing processes or by attacking an organization’s operations through ransomware attacks, data breaches, and theft of intellectual property. Regardless of the method of attack, when an organization cannot distribute products or services to customers, the supply chain is disrupted. Supply chain attacks have now become global, general-interest media stories after the ransomware attack on Colonial Pipeline disrupted travel and shipping in the eastern US for several days.² The impact that ransomware and other malicious attacks have on the supply chains of our products and services every day leads me to the reason for writing this book on supply chain security for software, firmware, and hardware.

The goal of this chapter is to provide you with a foundation to build upon as you read the rest of the book. I start with defining common supply chain concepts so you have an understanding of the terminology that I use throughout the book. I then describe the impacts of supply chain security on organizations and finish by referencing the many worldwide regulations, laws, and guidelines that focus on supply chain security.

Supply Chain Definitions

When I speak with people about supply chain security, they often do not recognize themselves as part of a supply chain because they think it’s only about suppliers or manufacturing. If your organization provides products or services to others, your organization is part of the supply chain. To provide clarity, the following are definitions for the core terminology that I will be using throughout this book:

Supply chain: The people, processes, materials, and technologies used in the creation, production, and distribution of physical or digital products. Thousands of individuals, hundreds of components, and dozens of organizations may be part of the supply chain to create, produce, and deliver a single product (physical or nonphysical), such as a mobile phone or a mobile phone application.
Supply chain risk: “The risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of an item of supply or a system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of a system.”³ This definition demonstrates the many opportunities to introduce risk to a product’s lifecycle and will be discussed throughout this book.
Supply chain risk management (SCRM): “A systematic process for managing supply chain risk by identifying susceptibilities, vulnerabilities, and threats throughout the supply chain and developing mitigation strategies to combat those threats whether presented by the supplier, the supplied product and its subelements, or the supply chain (e.g., initial production, packaging, handling, storage, transport, mission operation, and disposal).”⁴ The security controls provided in this book should be part of your organization’s supply chain risk management program.
Software supply chain: The people, processes, software libraries, software or firmware components, as well as technologies used in the creation, development, publication, production, and distribution of digital products, including intelligent physical products such as Internet of Things (IoT), Industrial IoT (IIoT), and operational technology (OT).⁵ The primary difference to general supply chain security is the software or firmware development and distribution processes.
Software supply chain security: A systematic process for managing software supply chain risk by identifying susceptibilities, vulnerabilities, and threats throughout the software supply chain and developing mitigation strategies to combat those threats, whether presented by the supplier, software libraries, software or firmware components, the supplied product and its subelements, or the supply chain (e.g., initial production, packaging, handling, storage, transport, mission operation, and disposal). The primary addition to the supply chain risk management definition is the risk of software or firmware compromise.
Third-party risk: A risk from external sources such as suppliers, organizations, groups, or individuals in your supply chain, infrastructure, systems, or processes. This can include commercial engagements where you purchase items, or free and open source software (FOSS) and tools.⁶

Several of the previous definitions come from the National Institute of Standards and Technology (NIST), which has an extensive glossary in its Computer Security Resource Center (CSRC).⁷ Although NIST is a US agency in the Department of Commerce, its mission is to advance measurement science, standards, and technology, which benefits a global. Many of the references and publications mentioned in this book come from NIST and its collaboration with industry, other organizations, and people. I have personally collaborated with NIST on several of the software supply chain topics discussed in this book.

Software Supply Chain Security Impacts

When I describe supply chain security to people, I always hold up my cell phone and explain to them there were hundreds, maybe thousands, of opportunities for a malicious actor to compromise the phone before I purchased it from the store. As shown in Figure 1-2, the phone is made up of hardware, firmware, and software, and anyone who created my phone or came in contact with it could have put a compromised chip or software into it. I trust my cell phone manufacturer and the operating system publisher, but imagine if malicious software (malware) went unnoticed and millions of phones were impacted before it was discovered. This compromise in the supply chain would be detrimental not only to the company but also to millions of customers. A severe enough event could destroy a company of almost any size.

Cell phone hardware, firmware, and software

Now imagine that your organization was one of the upstream suppliers that wrote the operating system software, or designed the Bluetooth antenna hardware chip, or assembled the phone’s components. As a supplier to the cell phone manufacturer, your organization may be found at fault if you don’t have strong supply chain security. It could result in a severe financial impact to the organization and its employees, possibly leading to the organization’s closure.

You may be on the other end of the supply chain as a downstream customer who purchased thousands of these cell phones for your organization. Were you familiar enough with software supply chain security to have evaluated the manufacturer, set internal policies as to how your employees used the cell phones, and monitored the software security for potential compromises? Understanding the risks of software supply chain security will allow you to prepare yourself and your organization for when, not if, the supply chain will be compromised.

When the infamous software compromise affected the SolarWinds Orion platform (a widely used IP network management tool), it raised awareness of software supply chain security, just as the Colonial Pipeline event previously raised awareness of supply chain security. Technical details on the SolarWinds attack will be discussed in Chapter 5, but in summary, the supply chain compromise began in October 2019 and remained undetected until December 2020, by then placing 18,000 customers at risk, with Microsoft confirming 40 customers were breached, including a number of US government agencies.⁸^,⁹ The SolarWinds organization settled a $26 million lawsuit with its investors due to the financial losses stemming from the supply chain attack.¹⁰ This loss does not include the millions spent by SolarWinds and its customers on incident response, threat investigations, downtime, remediations, and loss of revenue when customers’ systems were unavailable.

Third-party risks from commercially purchased or open source software libraries can also cause significant impacts worldwide. Two software vulnerabilities (security weaknesses that can be exploited by a malicious actor or software) announced in December 2021 in the Apache Log4j logging framework can be found in hundreds of thousands of open source packages, according to an article published by SC Media.¹¹ The math indicates there are millions of applications using the Log4j open source libraries, and many of these applications have not yet upgraded the software libraries to a version where the vulnerabilities have been patched. In the SC Media article, the author, Menghan Xiao, noted cost estimates to locate Log4j vulnerabilities range between $33,000 and $90,000. Multiplied by millions of applications, the financial impact is quite high, especially since this does not yet include any breach or legal costs for applications that do not patch Log4j. A user may not even be aware these vulnerabilities exist in their software applications if the software publisher has not disclosed (announced) the vulnerabilities or provided a list of software components using a software bill of materials (SBOM), as I will discuss in Chapter 8.

Impacts to an organization from supply chain attacks may result in reputational damage, loss of customer confidence, lawsuits, government penalties, and a reduction of future business after the event. An attack also can cause disruptions or downtime to an organization’s business operations, which could cause loss of revenue. If something doesn’t work, it can’t make money. Also, as a result of the attack, there will need to be incident response, threat investigations, and remediations, which take up time and use resources. Software supply chain security attacks affect not only the company and its direct customers but also those at the nth degree of separation.

Requirements, Laws, Regulations, and Directives

The risks and impacts to users, organizations, national infrastructure, and global economies have triggered governments around the world to release requirements, laws, regulations, directives, and guidance for organizations to follow in regard to software supply chain security. Many of these requirements pertain to third-party risk, supply chain risk management, and software development. Table 1-1 contains a summary of supply chain security references in worldwide laws, regulations, guidance, and directives at the time of this book’s publication. The documents referenced in this table are the basis for the software supply chain risks and controls throughout this book.

Table 1-1. Government mentions relevant for supply chain security
Location	Document	Supply chain security mentions
Australia	Guidance: Cyber Supply Chain Risk Management^a	Identify the cyber supply chain, understand the risk, set expectations, audit for compliance, monitor and improve.
Australia	Guidance: Identifying Cyber Supply Chain Risks^b	Foreign control, influence, and interference. Cyber supply chain risks. Security practices, transparency, access, and privileges.
Australia	Critical Technology Supply Chain Principles^c	Ten principles grouped into three pillars: security-by-design, transparency, and autonomy and integrity. Know your suppliers, what needs to be protected, and your transparency requirements.
Australia	Security of Critical Infrastructure Act 2018^d	Vulnerability assessments and incident management.
China	GB/T 36637—2018 (Information Security Technology ICT Supply Chain Security Risk Management Guidelines)^e	Chinese technical standard on supply chain security for Information and Communication Technology (ICT).
China	New Measures for Cybersecurity Review^f	Cybersecurity reviews of data processing, network products, or services for critical infrastructure information and network platform operators.
China	National Standard on Information Security Technology Software Supply Chain Security Requirements (proposed)^g	Security requirements, security testing, and evaluation for the software supply chain. Organizational management and supply activity management requirements, including personnel, intellectual property, and delivery. Derived from GB/T 36637—2018 (Information Security Technology ICT Supply Chain Security Risk Management Guidelines).
EU	GDPR: General Data Protection Regulation^h	Parties to ensure data rights are enforced. Compliance to security standards. Liability for data processing leaks.
EU	Cybersecurity Actⁱ	Mutual Recognition Agreements between governments for conformity assessments, conformity marks, certificates, and test reports by conformity assessment bodies.
EU	Cyber Resilience Act^j	Digital elements are developed in a secure manner and have timely security updates. Manufacturers should include software bills of materials (SBOMs) and ensure their products do not contain vulnerable components developed by third parties. The supply of incorrect, incomplete, or misleading information can lead to administrative fines.
EU	Council conclusions on ICT supply chain security^k	Strengthen resilience and security of supply chains. Continuous assessment, analysis, and monitoring. Diversify suppliers. Certification schemes that include requirements on supply chain security. Supply chain risk management. Development of an Information and Communication Technologies (ICT) Supply Chain Toolbox.
EU	Network and Information Systems Directive 2 (NIS2)^l	Member states to designate Computer Security Incident Response Teams (CSIRTS) to monitor for supply chain compromises. Member states’ cybersecurity strategies should help small and medium-sized enterprises with supply chain challenges. Align to industry standards and best practices including supply chain assessments. Supplier’s secure development procedures. Coordinated security risk assessments on critical supply chains.
EU	Chips Act (proposed)^m	Building and reinforcing Europe’s capacity (including resiliency) to innovate in the design, manufacturing, and packaging of advanced chips. Developing an in-depth understanding of global semiconductor supply chains.
Ireland	Electronic Communications Security Measures (ECSM) 009: Supply Chain Securityⁿ	Implement supply chain security measures such as risk profiles, incident management, and monitoring. Security requirements between parties must be in place. Minimize data sharing to only what is necessary. Host data natively instead of through a third party when possible.
New Zealand	NCSC Cyber Security Framework^o	Knowing where security responsibilities lie between an organization and its suppliers.
New Zealand	Supply Chain Cyber Security^p	Introduction to understanding and managing supply chain cyber risk. Three phases (identify, assess, and manage) to guide organizations.
United Kingdom	Supply Chain Security Guidance^q	Twelve principles, including risk management, controls, and continuous improvement. Know your suppliers, security risks, and requirements. Security awareness, incidents, assurance, and measurements.
UK	Supplier Assurance Framework: Good Practice Guide^r	Consistent proportionate baseline, implementable in stages, for managing information risk in supplier contracts. Risk levels and visibility. Physical security, business continuity, cyber, personnel and information security. Common Criteria for Assessing Risk (CCfAR) assessment—set of outline criteria according to risk levels. Statement of Assurance (SoA) tool—assessment criteria aligned to ISO 27001:2005 information security.
UK	Secure development and deployment guidance^s	Guidance for developers on producing clean and maintainable code; securing the development environment, code repository, build pipeline, and deployment pipeline; and continuous testing. Contains implementation actions and self-assessments.
UK	Supply Chain Guidance^t	Guidance for business leaders, practitioners, and suppliers. Governance, culture, expectations, security levels, and risk management. Questionnaires, assessments, contracts, performance, and termination. Threats, exposure, incident management.
UK	How to Assess and Gain Confidence in Your Supply Chain Cybersecurity^u	Supplier relationships and the ways organizations are exposed to vulnerabilities and attacks. Cybersecurity in supplier assessments and contracts. Continuous improvement for supply chain security. Expected outcomes and steps for supplier cyber assessments.
US	NIST Cybersecurity Framework (CSF): Framework for Improving Critical Infrastructure Cybersecurity^v	Identifies four tiers of supply chain risk management maturity. Requirements to communicate with stakeholders. Outlines cyber supply chain relationships. Framework core includes the Supply Chain Risk Management category.
US	NIST SP 800-53: Security and Privacy Controls for Information Systems and Organizations^w	Supply chain risk management controls, processes, strategies, and planning. Supply chain incident management. Supply chain risk assessments.
US	Executive Order 14017: America’s Supply Chains^x	Supply chains for semiconductor manufacturing and advanced packaging, information and communications technology (ICT), energy sector, transportation, digital products. Third-party risks (nation-states). Location of key manufacturing and production assets. Alternative and redundant sources for critical goods and materials. Workforce skills and best practices. Addressing software vulnerabilities. Supply chain monitoring.
US	Executive Order 14028: Improving the Nation’s Cybersecurity^y	Remove contractual barriers that prevent sharing of threats, incidents, and risks. Service providers collect, preserve, and share information relevant to cybersecurity events. Publish software supply chain security guidelines for secure software development environments and tools, software origins, and software bills of materials.
US	The Minimum Elements for a Software Bill of Materials (SBOM)^z	An SBOM is a formal record containing details and supply chain relationships of various components used in building software. Minimum elements for data fields, data formats, practices, and processes.
US	Memo M-22-18: Enhancing the Security of the Software Supply Chain through Secure Software Development Practices^aa	US federal agencies must only use software that meets NIST guidance (e.g., NIST 800-218). Self-attestation forms and SBOMs must be obtained from software publishers.
US	NIST SP 800-161: Cybersecurity Supply Chain Risk Management for Systems and Organizations^ab	Cybersecurity Supply Chain Risk Management (C-SCRM) is a process for managing exposure to cybersecurity risks throughout the supply chain and developing response strategies, policies, processes, and procedures. Guidance to enterprises on how to identify, assess, select, and implement risk management processes and mitigating controls. C-SCRM security controls including access control, training, configuration management, identification and authentication, incident response, physical and environmental protection, personnel security, risk assessments, system and information integrity, and supply chain risk management.
US	NIST SP 800-218: Secure Software Development Framework (SSDF)^ac	Identifies secure software development practices: protect the organization, protect the software, produce well-secured software, and respond to vulnerabilities. Communicating requirements to third parties. Third-party attestation and provenance.
US	Chips and Science Act^ad	Funding for security, innovation, facilities, equipment, and workforce to support the development, fabrication, assembly, testing, and packaging for semiconductors, telecommunications, and emerging technologies. Support information security measures for the development and lifecycle of software and the software supply chain.
US	National Cybersecurity Strategy^ae	Secure the federal civilian executive branch (FCEB) through software supply chain risk mitigation. Strategic objective to secure global supply chains for information, communications, and operational technology products and services.
US	Food and Drug Administration (FDA)—Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions^af	Requires a Secure Product Development Framework (SPDF) and secure design when creating medical devices. Transparency including SBOMs. Supply chain security of third-party software components.
^a “Cyber Supply Chain Risk Management”, Australian Cyber Security Centre, May 22, 2023. ^b “Identifying Cyber Supply Chain Risks”, Australian Cyber Security Centre, May 22, 2023. ^c Commonwealth of Australia, Critical Technology Supply Chain Principles, 2021. ^d “Security of Critical Infrastructure Act 2018”, Australian Government, May 2, 2022. ^e “国家标准”, National Standardization Management Committee, March 9, 2022. ^f “网络安全审查办法_信息产业（含电信）_中国政府网”, Gov.cn, accessed December 7, 2023. ^g “全国信息安全标准化技术委员会”, Org.cn, accessed December 7, 2023. ^h “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016”, EUR-Lex, accessed December 16, 2023. ⁱ “Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019”, EUR-Lex, accessed December 16, 2023. ^j The European Parliament and Council, Proposal for a Regulation of the European Parliament and of the Council on Horizontal Cybersecurity Requirements for Products with Digital Elements and Amending Regulation (EU) 2019/1020, September 15, 2022. ^k “Council Conclusions on ICT Supply Chain Security”, Council of the European Union, October 17, 2022. ^l “Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022”, EUR-Lex, accessed December 16, 2023. ^m “European Chips Act”, European Commission, April 18, 2023. ⁿ Government of Ireland, Electronic Communications Security Measures 009—Supply Chain Security, 2021. ^o “NCSC Cyber Security Framework”, National Cyber Security Centre of New Zealand, accessed December 7, 2023. ^p National Cyber Security Centre of New Zealand, Supply Chain Cyber Security. In Safe Hands, accessed December 7, 2023. ^q “Supply Chain Security Guidance”, UK National Cyber Security Centre, January 28, 2018. ^r Cabinet Office, Supplier Assurance Framework: Good Practice Guide, version 1.1, May 2018. ^s UK National Cyber Security Centre, “Secure Development and Deployment Guidance”, November 22, 2018. ^t “Supply Chain Guidance”, National Protective Security Authority, April 21, 2022. ^u “How to Assess and Gain Confidence in Your Supply Chain Cyber Security”, UK National Cyber Security Centre, October 12, 2022. ^v National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, version 1.1, April 16, 2018. ^w Joint Task Force Interagency Working Group, NIST 800-53: Security and Privacy Controls for Information Systems and Organizations, National Institute of Standards and Technology, September 2020. ^x “Executive Order on America’s Supply Chains”, The White House, February 24, 2021. ^y “Executive Order on Improving the Nation’s Cybersecurity”, The White House, February 24, 2021. ^z US Department of Commerce, The Minimum Elements for a Software Bill of Materials (SBOM), July 12, 2021. ^aa Shalanda D. Young, “Memo M-22-18: Enhancing the Security of the Software Supply Chain through Secure Software Development Practices”, Executive Office of the President, Office of Management and Budget, September 14, 2022. ^ab Jon M. Boyens, Angela Smith, Nadya Barol, Kris Winkler, Alex Holbrook, and Matthew Fallon, NIST SP 800-161 Rev. 1: Cybersecurity Supply Chain Risk Management for Systems and Organizations, National Institute of Standards and Technology, May 2022. ^ac Murugiah Souppaya, Karen Scarfone, and Donna Dodson, NIST SP 800-218: Secure Software Development Framework (SSDF) Version 1.1, National Institute of Standards and Technology, February 2022. ^ad “H.R.4346—Chips and Science Act: 117th Congress (2021–2022)”, Congress.gov, August 9, 2022. ^ae The White House, National Cybersecurity Strategy, March 1, 2023. ^af US Food & Drug Administration, Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions: Guidance for Industry and Food and Drug Administration Staff, September 27, 2023.

Countries also have certain requirements and regulatory oversight such as the US Food and Drug Administration, as referenced in the previous table, the US Federal Risk and Authorization Management Program (FedRAMP), which we’ll mention in Chapter 8, and the Federal Energy Regulatory Commission (FERC). We can expect there to be more requirements and laws as supply chain security risks increase globally.

You should leverage customers, industry associations, and peer networks to maintain awareness of new supply chain requirements, standards, laws, directives, guidance, and regulations. Industry groups, such as technology alliances, may have sector-specific supply chain guidance, as seen in the North American Electric Reliability Corporation’s (NERC) Supply Chain Risk Management Program.¹²

Summary

Supply chain security is an age-old topic, but it has received significant attention over the past few years as malicious actors have taken advantage of vulnerabilities, suppliers, open source, and supply chains. New concepts, such as software having its own supply chain, raise the importance of understanding how supply chains work for physical and digital products. Software supply chains are being attacked daily by malicious actors, thus leading to business impacts such as data loss, operational downtime, lost revenue, decreased customer trust, and potential violation of regulations or laws. It is vital that organizations understand and comply with global supply chain security laws and regulations before implementing the frameworks, standards, or models that I’ll introduce in Chapter 2.

¹ Marcia Wendorf, “Tamper-Resistant Packaging Began in 1982 with 7 Still Unsolved Murders”, Interesting Engineering, December 16, 2019.

² Katie Balevic, “Colonial Pipeline Ransomware Attack Fuels Gas Price Fears after Russian ‘DarkSide’ Hack Halts Pipeline Between TX and NJ”, The Sun, May 10, 2021.

³ “Supply Chain Risk”, NIST, accessed December 7, 2023.

⁴ “Supply Chain Risk Management (SCRM)”, NIST, accessed December 7, 2023.

⁵ Firmware is software permanently programmed into hardware, and then the firmware can instruct the hardware to perform functions. Firmware is also known as embedded software, though historically firmware was for lower-level functions and embedded software was for higher-level functions.

⁶ Free and Open Source Software (FOSS), which includes open software libraries and source code packages (a collection of binaries, scripts, and data), is free to use, copy, study, and change according to its software license. Popular examples of FOSS are the Linux operating system, MySQL database, OpenSSL secure communication package, and Log4j logging framework.

⁷ “Computer Security Resource Center”, NIST, accessed December 7, 2023.

⁸ Pam Baker, “The SolarWinds Hack Timeline: Who Knew What, and When?” CSO, June 4, 2021.

⁹ Catalin Cimpanu, “Microsoft Confirms It Was Also Breached in Recent SolarWinds Supply Chain Hack”, ZDNET, December 17, 2020.

¹⁰ Eduard Kovacs, “SolarWinds Agrees to Pay $26 Million to Settle Shareholder Lawsuit over Data Breach”, Security Week, November 7, 2022.

¹¹ Menghan Xiao, “Digging into the Numbers One Year after Log4Shell”, SC Media, December 16, 2022.

¹² “Supply Chain Risk Mitigation Program”, North American Electric Reliability Corporation, accessed December 7, 2023.

Get Software Supply Chain Security now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial