
By Mobina Riazi, CTA Intern
The supply chain is often the weakest link in a company’s security posture, because it is difficult to gain visibility into where risks may exist among suppliers, most of whom are far removed from the daily business. For years, few mitigation strategies existed, largely because vulnerabilities were hidden within the “invisible” entry points scattered across the layers of manufacturing and distribution. The adoption of tools and frameworks such as the Software Bill of Materials (SBOM), the Secure Software Development Framework (SSDF), Supply-chain Levels for Software Artifacts (SLSA), and Software Composition Analysis (SCA) has begun to change this, bringing greater visibility into supply chain risks. But visibility alone isn’t enough, especially since many organizations have yet to fully adopt and implement these measures. As digital supply chains grow more entangled and connected, risks become increasingly difficult to see and predict.
One of the most prominent examples of a software supply chain incident occurred in March 2020, when threat actors infiltrated the SolarWinds Orion software build process. They inserted malicious code, later identified as SUNBURST, into a routine Orion platform update. The backdoor was pushed to 18,000 customers and selectively exfiltrated data from U.S. government agencies, critical infrastructure, and Fortune 500 companies, making it one of the most sophisticated espionage campaigns to date.
While the SolarWinds Orion incident was designed to collect sensitive and proprietary data from federal agencies and leading enterprises, other supply chain attacks are often intended for immediate financial gain through ransom. A striking example is the July 2021 Kaseya ransomware attack, in which attackers exploited vulnerabilities in Kaseya’s VSA remote management software to distribute ransomware to managed service providers and their clients. By injecting ransomware through the VSA platform, the attackers were able to push the malicious payload to all connected MSPs and their downstream clients simultaneously. Detecting and stopping the infection was especially difficult, since it spread through the very systems that MSPs and their clients relied on to maintain and update IT environments.
CTA strongly believes that the development and adoption of supply chain security standards and disclosure requirements are essential, but they cannot prevent or mitigate such incidents by themselves. Tools like SBOMs, SSDF, SLSA, and SCA primarily improve visibility and documentation, and they have demonstrated considerable efficacy in reducing supply chain risk by enabling organizations to better understand what risks their suppliers may introduce. They also inform effective mitigation activities. However, slower-than-expected adoption makes it difficult to keep pace with the constantly changing nature of digital supply chains or to provide real-time defense. This is where CTA steps in.
The ongoing collaboration among industry players and across sectors that these standards enable remains the most effective line of defense. CTA’s communication networks facilitate this process, enabling rapid information sharing and coordinated responses that support a wide range of organizations, both directly and indirectly through our CTA members and partners. Following the incidents noted above, among many others, this collaboration streamlined the creation of threat intelligence reports detailing member actions as well as recommended protections and mitigations, which not only supported members’ own customers but also strengthened the broader cybersecurity community’s response.
As supply chain incidents continue to pose hidden and evolving threats, advancing the adoption of the tools and frameworks offers the most effective way to reduce their scale and impact. Platforms that enable proactive collaboration and help organizations uphold these standards as supply chains evolve further enhance defenses against supply chain threats. Through our work in these areas, CTA and our partners can make a difference.