Supply Chain Security Framework

Supply Chain Security Framework

NOTE: I have been reviewing major supply chain incidents recently; specially security framework around it hence decided to write this exclusive article on Supply Chain Security Framework. I have been deeply engaged in projects that specifically focus on supply chain security for Information Communications Technology, including usage in national security systems, cyber physicals and IoT systems. 

This ORIGINAL article is written by Prakash Padariya, with reference from multiple media sources, quotes from fellow CISOs & MITRE. Please provide credits if you use this article. 

This writing is solely intended to heighten awareness of supply chain cyber security. I have not received any form of remuneration from MITRE or any other companies.

Background

Supply chain attacks occur when malicious actors infiltrate a company's internal operations through a trusted third-party partner, granting them access to a wealth of privileged information in a single breach. The prevalence of these attacks has already surged by over 300% in 2021, with further escalation predicted for 2023. Given that numerous third-party partners now possess unprecedented access to sensitive data, organizations can no longer rely solely on their own cybersecurity expertise to safeguard this information. The far-reaching consequences and efficacy of such attacks are evident in notable instances like SolarWinds, log4j, Spring4Shell, Kaseya, and OpenSSL incidents. Moreover, the infamous NotPetya incident in 2017 initially originated as a supply chain attack, underscoring the gravity of this threat. 

A supply chain attack on a business partner of semiconductor giant Applied Materials will cost the company $250 million. Supply chain attacks purposefully target the smaller organizations first because they’re less likely to have a robust cybersecurity setup, and they can use those companies to get to the bigger fish.

In the realm of open source software libraries, it is crucial to recognize that any vulnerability present or potentially engineered by malicious individuals can have widespread consequences. This holds true for every organization that chooses to utilize such code, as exemplified by the notable case of npm. Malicious actors strategically inject harmful code into open-source repositories patiently awaiting the moment when users acquire these new sources and plugins. To ensure the utmost security within the software supply chain, it becomes imperative to maintain constant and real-time vigilance in monitoring third-party risks and vulnerabilities associated with incoming packaged software and firmware components.

We should never miss potentially more catastrophic physical supply chain threat. The Colonial Pipeline incident, although a financially motivated attack, had an immediate effect on the supply of oil to eastern USA. Today, supply chain and supply chain security topics have received unprecedented attention and coverage on national media. 

Frameworks

After conducting thorough analysis of numerous frameworks, it has become evident that supply chain security has emerged as a subject of great significance, particularly in the wake of prominent cyberattacks like SolarWinds and Log4j. However, it is unfortunate that there is presently no universally agreed upon approach to delineating or appraising supply chain security. In order to address this void, MITRE has successfully devised an initial framework tailored specifically to the realm of information and communications technology (ICT). This framework endeavors to establish precise definitions and metrics for assessing risks and security concerns pertaining to the supply chain, including software. Therefore, I am eager to share profound insights into MITRE's pioneering System of Trust (SoT).

MITRE's SoT

MITRE developed and introduced the System of Trust (SoT™) Framework. This framework is aimed at defining, aligning, and addressing the specific concerns and risks that stand in the way of organizations’ trusting suppliers, supplies, and service providers.

The framework offers a comprehensive, consistent, and repeatable methodology — for evaluating suppliers, supplies, and service providers. There is wide diversity across organizations and practitioners in identifying the list of risks and approaches to risk assessment and conveying results of such assessments.

MITRE SoT focuses on identifying and assessing the risks from your supplier, their supply items, and their service offerings. SoT is aimed at collecting, organizing, and sharing a common baseline of the supplier, supplies, and services risks that an organization may need to consider.

The goal of SoT is to offer a comprehensive and consistent methodology that can be tailored to meet industry and company needs to address supply chain security issues, leading to better traceability, reliability, and security of supply chains.

System of Trust Framework

With the introduction and adoption of the SoT vocabulary and concepts, the nature of interactions with others regarding supply chain security will simplify, become teachable, and become more efficient while at the same time the processes and practices surrounding day-to-day supply chain assurance work will be more consistent, automatable, and supported by evidence. 

SoT is the foundation needed for understanding supply chain risks and that it will be the key to securing robust and resilient supply chains, trustworthy partners, and trusted components and systems that are globally manufactured. The SoT Framework is aimed at defining, aligning, and addressing the specific concerns and risks that stand in the way of organizations’ trusting suppliers, supplies, and service providers. More importantly, the framework offers a comprehensive, consistent, and repeatable methodology

The SoT Framework builds a basis of trust by identifying the three main trust aspects of supply chain security—suppliers, supplies, and services—then identifying and addressing the 14 top-level decisional risk areas under them associated with trust that agencies and enterprises must evaluate and make choices about during the full life cycle of their acquisition activities. Leveraging the full breadth and depth of our expertise, industry efforts, and government research, the SoT Framework drills down into these 14 top-level risk areas and investigates over 200 risk sub-areas by addressing a combination of over 1,200 risk factors and detailed risk measurement questions.

 SoT Framework Components

The four overarching components of the SoT Framework, which are accessed using SoT’s Risk Model Manager web app (currently in beta), are summarized below. 

1. Body of Knowledge (BoK) – The SoT BoK includes all predefined profiles and the entire set of yes/no questions used in SoT assessments. The profiles or questions that are utilized depends upon the selection(s) of the user. Information sources will be provided for each risk, when known, to help the user determine whether the risk is present or not. A comprehensive and holistic “body of knowledge (BoK)” describing every supply chain risk from suppliers, supplies, and services available to an organization is unworkable. Instead, a more narrowly defined, yet highly relevant, set of supply chain risks can be effectively evaluated to guide operational choices, activities, and decisions. This enables the SoT to scale and be used in a variety of different industries, organizations, and types of supply chain domains.

2. SoT Assessment – Each SoT assessment begins by selecting a predefined profile or with a few scoping questions that will narrow down the SoT content to something appropriate to the product, service, or supplier in question. This subset is then aligned to the assessing organization’s assessment focus, resources, available time, and legal authorities, and to its present acquisition challenge. During the evaluation process, subject-specific questions are posed to establish the presence or absence of individual aspects of concern and to align with best practices from government and industry. SoT assessments are performed using the SoT Risk Model Manager web app prototype that allows users to view, organize, and tailor SoT content, or subset of the content, to an organization’s specific area(s) of concern. SoT assessments are best represented in a series of nested Kiviat diagrams (also referred to as radar charts or spider diagrams) with explanatory text that describes the evidence of risk.

3. Scoring Risk – Risks are scored using a set of contextually driven, tailorable, weighted measurements that are used as inputs into a scoring algorithm. The scoring results are then used to identify supplier strengths and weaknesses against the applicable risk categories, enabling an acquirer to analyze and evaluate one or more suppliers’ relative “trustworthiness” for supplying components or services. Having an explicit methodology for scoring the individual risks, especially one that is supported by evidence, is a critical part of the SoT capability. This includes addressing how risk assessment findings are collected and can reflect incomplete data or missing information. Additionally, it must allow for reflection of the risk tolerance or sensitivity of an assessing organization to the different risk areas. 

A final aspect of the SoT scoring approach is in addressing issues coming from aggregating many individual risk measurements together. There could be strong risk findings in a few items that get diluted by low-risk findings in others. But if strong risk findings point to risks that are critical to the organization then those findings cannot be hidden by a scoring approach that does not account for this use case. 

4. Customization – The ability to customize SoT has been carefully designed to ensure optimal usability. The SoT can be customized for specific use cases and user environments during the assessment and risk scoring activities. Each SoT assessment begins by selecting a predefined profile or with a few scoping questions that will narrow down the SoT content to something appropriate to the product, service, or supplier in question. The interests of a specific assessment may focus on the supplier, a specific item, the legal authorities that the assessing organization is under, or a combination of elements

Risk Model Manager (RMM)

The Risk Model Manager (RMM) is a prototype cloud-native capability that provides the core underpinnings for leveraging the System of Trust (SoT) supply chain security risk framework that is grounded in industry and government best practices, open-source components, cloud-native services, standards, and policy. The RMM web app allows for the repeatable utilization of a comprehensive and consistent BoK of risk concerns structured from top-level risk categories, to risk sub-categories, to specific risk factors, and down to explicit concrete risk measure questions

RBAC enabled - Users interact with RMM depending on their role(s), which are assigned by the user’s organization: Content Editors and Content Readers edit or read SoT BoK content; Profile Editors and Profile Readers edit or read profiles that define subsets of the RMM content to be used for assessments; and Assessors, Assessment Managers, and Assessment Reviewers have the ability to create, execute, and/or review assessments.

Risk Model Manager (RMM) Interface Screenshot

No alt text provided for this image
Risk Model Manager (RMM) Interface


Important Links

SoT

Pilot Results

Risk Model Manager Access Registration Form

Access Risk Model Manager (RMM)

Best Mind Map (Zoom in PDF)

Thank you MITRE for being there for Cyber Security community.

I would love to read your comments on MITRE's SoT. Please do share if you have used any other Supply Chain Security Framework.


Author: Prakash Padariya,

Started career in IT Security & enjoying every bit of it for 20+ years now.

Global CISO, Mentor, Investor, Board Advisor; Deep Interests in Cyber Security, Drones, CleanTech, AgriTech

All views are personal.

#supplychainsecurity #cybersecurity #mitre #framework #supplychain

To view or add a comment, sign in

More articles by Prakash Padariya

Insights from the community

Others also viewed

Explore topics