Unravelling the Gordian Knot

By Chris Els • June 26, 2024

The differences between supply chains, data supply chains, cyber supply chains, and software supply chains.

  1. Supply Chains refer to the network of organizations, people, activities, information, and resources involved in producing, distributing, and delivering goods or services from the supplier to the end consumer. They encompass the entire process, including sourcing raw materials, manufacturing, transportation, warehousing, and retailing. Supply chains aim to optimize efficiency, reduce costs, and ensure timely delivery of products or services.
  2. Data Supply Chains, also known as information supply chains, are the processes and systems involved in the collection, transformation, storage, and distribution of data within an organization or between organizations. They focus on managing the flow of data, ensuring data quality, and making data accessible to the various stakeholders, and involve data acquisition, integration, transformation, storage, governance, and delivery to enable effective decision-making and support business operations.
  3. Cyber Supply Chains are the supply chains associated with technology products or services that have a digital component: the sourcing, development, manufacturing, distribution, and maintenance of the hardware, software, and firmware components those products or services depend on. They span every stage of production and distribution, including suppliers of hardware components, software developers, third-party vendors, and distributors. Managing cyber supply chains is crucial to ensuring the security and integrity of digital systems and protecting against cyber threats.
  4. Software Supply Chains focus specifically on the production, distribution, and maintenance of software products. They involve the processes and activities required to create software applications, including coding, testing, packaging, and deployment, and also encompass version control, documentation, licensing, and updates. Managing software supply chains is important to ensure the quality, reliability, and security of software products throughout their lifecycle, from development to end-user deployment.

In summary, supply chains are broader in scope and encompass the overall process of producing and delivering goods or services. Data supply chains focus on managing the flow of data within and between organizations. Cyber supply chains pertain to technology products or services with a digital component and involve sourcing, development, and distribution of hardware, software, and firmware. Software supply chains specifically relate to the production and distribution of software applications, encompassing activities from development to deployment.

Part 1:

Securing the Supply Chain in an Interconnected World

Software supply chain security is a critical issue discussed extensively in the IT/Cybersecurity industry. Over the past three years, incidents of software supply chain attacks have surged by an astonishing 742%, impacting numerous software vendors, projects, and users worldwide.

With attacks rising this sharply, tackling the problem effectively requires understanding attacker motivations, analysing potential attack scenarios, and applying threat modelling techniques. Learning from past cases that affected proprietary and open-source software vendors and managed service providers can help improve security measures.

Traditional approaches to managing vendor and supply chain risks involve application security maturity models, testing methodologies, and robust tooling. Additional practices like hashing and code signing enhance security and ensure software integrity. Scoring methodologies, provided by vulnerability databases, aid in assessing vulnerabilities and evaluating risks.

The emergence of the Software Bill of Materials (SBOM) is a significant development, offering insight into software components. Vulnerability Disclosure Programs and Reports, along with the Vulnerability Exploitability eXchange (VEX), provide actionable context to SBOMs for software consumers.
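As an added illustration of the hashing and SBOM/VEX practices mentioned above (this is example code, not code from the original post or from P3 Audit), the following Python checks delivered artifacts against the SHA-256 digests recorded in a constructed CycloneDX-style SBOM and uses constructed VEX statements to decide which scanner findings still need action; the component, the artifact bytes and the vulnerability ids are placeholders.

```python
import hashlib
import json

# Constructed CycloneDX-style SBOM; the digest is SHA-256 of the constructed bytes b"hello".
SBOM = json.loads("""{
  "bomFormat": "CycloneDX",
  "components": [
    {"bom-ref": "pkg:generic/libexample@1.4.2", "name": "libexample", "version": "1.4.2",
     "hashes": [{"alg": "SHA-256",
                 "content": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"}]}
  ]
}""")

# Constructed VEX statements in CycloneDX style; the ids are placeholders, not real CVEs.
VEX = json.loads("""{
  "vulnerabilities": [
    {"id": "EXAMPLE-VULN-1", "affects": [{"ref": "pkg:generic/libexample@1.4.2"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"}},
    {"id": "EXAMPLE-VULN-2", "affects": [{"ref": "pkg:generic/libexample@1.4.2"}],
     "analysis": {"state": "exploitable"}}
  ]
}""")

# CycloneDX analysis states under which the supplier says no consumer action is needed.
NO_ACTION_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}


def verify_component_hashes(sbom, artifacts):
    """Compare each component's SBOM-recorded SHA-256 with the bytes actually delivered.
    artifacts maps bom-ref -> bytes. A component with no artifact or no SHA-256 entry fails."""
    results = {}
    for comp in sbom.get("components", []):
        ref = comp["bom-ref"]
        expected = next((h["content"].lower() for h in comp.get("hashes", [])
                         if h["alg"] == "SHA-256"), None)
        data = artifacts.get(ref)
        results[ref] = (expected is not None and data is not None
                        and hashlib.sha256(data).hexdigest() == expected)
    return results


def actionable_vulnerabilities(findings, vex):
    """Filter scanner findings, given as (vuln_id, bom-ref) pairs, using VEX analysis states.
    A finding stays actionable unless VEX marks it with a no-action state; silence is not assurance."""
    states = {}
    for vuln in vex.get("vulnerabilities", []):
        for target in vuln.get("affects", []):
            states[(vuln["id"], target["ref"])] = vuln.get("analysis", {}).get("state")
    return sorted(vid for vid, ref in findings
                  if states.get((vid, ref)) not in NO_ACTION_STATES)
```

A tampered artifact (even a single extra byte) fails the digest check, and a finding that VEX does not mention is kept on the action list rather than silently dropped.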

Software transparency is essential but complex, involving concepts like firmware and embedded software and addressing challenges related to secure software transport and data protection. It varies between on-premise and cloud environments, each with its own considerations, including cloud computing, containers, Kubernetes, and DevSecOps practices.

Fortunately, reputable sources offer valuable guidance on software supply chain security, including NIST, Google, CIS, Microsoft, OWASP, and others. This collective knowledge empowers organizations to improve their security posture.

While software transparency in IT is well-discussed, Operational Technology (OT) often lacks focus. To ensure overall supply chain security, the potential kinetic effects of software, legacy software risks, and software transparency for industrial control systems (ICS) must be considered.

Software supply chain risks primarily stem from suppliers who need to prioritize transparency and supply chain security. Vulnerability disclosure, dedicated product security teams, responsible use of open-source software (OSS), and automation are essential measures.

Consumers often bear the consequences of security incidents, but they can mitigate risks by using SBOMs, VEX, and vulnerability disclosures. Understanding the software supply chain and its suppliers, as well as virtual patching, is crucial. Tools like P3 Audit's iTracker provide valuable supply chain mapping and visibility.

Predicting software transparency involves examining emerging regulations, government influence, accelerating supply chain attacks, and risks in interconnected societies. Initiatives like the Cyber Executive Order (EO) and National Cyber Strategy aim to address systemic risks posed by software.

The trend of accelerating software supply chain attacks is concerning. Collaboration between development, security, and operations, along with adopting modernized software supply chain practices and tools, is essential to tackle this challenge.

In closing, given the widespread use of software and the intricate interdependencies between data and traditional supply chain processes, ensuring data supply chain security is like untangling a complex "Gordian knot" with unprecedented systemic risk. Prioritizing data and software supply chain security with a focus on cyber risk safeguards systems, protects users, and maintains customer trust in our digital world.

Author: Chris Els

Founder of P3 Audit and authority on third-party risk in data supply chains
