What defines your software supply chain is highly dependent of your point of view. As a healthcare delivery organization (HDO), your supply chain constitutes the vendors from which you buy a variety of products (e.g., clinical software, medical devices, middle-ware, network gear, facilities systems and equipment, business software).
For a medical device manufacturer (MDM), the supply chain consists of the software you buy and integrate (commercial, open source, or contracted), as well as the software and firmware embedded in third-party hardware components. Further down, as a supplier to an MDM, you typically have your own supply chain to deal with as you incorporate elements such as drivers and libraries into your own hardware and software products.
Understanding the full extent of all the ingredients in your final product you buy (as an HDO) or ship (as an MDM or supplier) is a recognized necessity and prerequisite for understanding a device's security posture (how else can you perform risk assessment or threat modelling?), as well as for managing and maintaining it in the field (how else could you identify and mitigate vulnerabilities?).
A good example of the intricacies and complexities of the software supply chain and how it can affect cybersecurity was the record-setting and quite successful (from the attacker's perspective) DDoS (distributed denial-of-service) attacks conducted by botnets operated by the Mirai malware. Mirai's success was based on its ability to exploit vulnerabilities in shared libraries used in similar types of devices (e.g., security cameras and digital video recorders) or, in another variant, exploit code used in routers, firewalls, and network-attached storage devices. In other words, by focusing on a limited number of Internet-of-Things (IoT)-type devices and exploiting their respective underlying, shared libraries, Mirai was very quickly able to infect many devices and string together a large network of bots equaling tens of thousands of nodes. And then there was also the trick of using the default password for these IoT devices, as most had never been changed.
Victims of Mirai-based attacks included security researcher and journalist Brian Krebs' website (September 2016, setting a record at 623 Gbps)1 and domain name system service provider Dyn (October 2016, launched from an estimated 100,000 hijacked devices),2 significantly affecting Internet traffic in the northeast United States and disrupting several well-known Internet companies, including GitHub, Twitter, Reddit, Netflix, and PayPal. A more detailed analysis of Mirai is available for those interested.3
Also of important note, the cyber risks to the healthcare supply chain and its fragility, especially during the current COVID-19 crisis, were highlighted in a recent ransomware attack on a ventilator manufacturer.4
Recognizing the Importance
I'd like to return to my initial point, which is understanding the importance of the composition of your products (i.e., their SBOMs, or software bills of material) and diligently managing the security of your software supply chain.
It is vital that we all pay attention to, and fully appreciate the implications of, the Atlantic Council's recent Breaking trust: Shades of crisis across an insecure software supply chain analysis.5 The report opens with a simple statement: “Software supply chain security remains an under-appreciated domain of national security policymaking.” It is also underappreciated by manufacturers and users of medical devices, I would venture to state.
Regardless of the industry or branch of government, we all are highly dependent on the software supply chain. “Society has a software problem,” and unfortunately, cybercriminals and state actors have recognized that as an opportunity. Compromising commercial or open-source software and injecting themselves into the delivery process enables attackers to select their target industry and fly under the radar of our defenses as they launch an attack via a trusted source or channel.
Supply chain attacks are effective and difficult to detect, and they can cause great financial or even physical harm. Among notable examples are the infection of security software CCleaner in 20176 (with several million downloads of the infected version) and the compromise of the MEDoc accounting software used by Ukrainian companies, resulting in the distribution of the NotPetya Wiper malware (also in 2017).7 Malware distributed via the software supply chain can have significant and harmful consequences to both the receiving and distributing parties and can lead to legal, financial, and reputational damage.
The risk is even higher with embedded systems. The software supply chain can be complex and difficult to monitor, compromised software can be difficult to detect on the target system, and the impact can be significant. There have been reports of medical devices being shipped out of the factory with computer viruses already on them, and MDM download sites have been hijacked to distribute malware.8
Certainly, as medical device systems become more complex and distributed, including use in patients' homes and data services provided via cloud-based infrastructure, this problem will only increase. This is a dangerous combination of devices that are difficult to maintain and update, have limited security detection and protection capabilities, and are now combined with services provided by public networks and hosted services.
The Atlantic Council report, which analyzed 115 software supply chain attacks from the previous 10 years, concluded that “software supply chain attacks provide huge value for attackers and remain popular. These attacks are impactful, giving attackers access to critical infrastructure like electrical power generation and nuclear enrichment systems. States like Russia, China, North Korea, and Iran attack the software supply chain as part of their offensive cybersecurity efforts.”5
The following is a summary of the key trends identified by the Atlantic Council report5 :
Deep impact from state actors: There were at least 27 different state attacks against the software supply chain, including from Russia, China, North Korea, and Iran, as well as from India, Egypt, the United States, and Vietnam.
Abusing trust in code signing: These attacks undermine public key cryptography and certificates used to ensure the integrity of code.
Hijacking software updates: 27% of these attacks targeted software updates to insert malicious code against sometimes millions of targets.
Poisoning open-source code: These incidents saw attackers either modify open-source code by gaining account access or post their own packages with names similar to commonly used names.
Targeting app stores: 22% of these attacks targeted app stores like the Google Play Store, Apple's App Store, and other third-party app hubs to spread malware to mobile devices. Some attacks even targeted developer tools—meaning every app later built using that tool was potentially compromised.
Recommendations and Key Takeaways
The following is a summary of the report's three main recommendations to policymakers and industry5 :
Improve the baseline. The lynchpin of any effort to improve the security of software supply chains broadly will be what affects the largest number of codebases—not what improves one codebase the most.
Better protect open source. Open-source software is a critical part of most enterprise systems and networks. The security of open-source projects, and the apparent ease with which attackers can introduce insecure code, is a significant issue.
Counter systemic threats. Trust is the critical coin of the realm in software supply chains, and the United States must work with allies to protect against deliberate efforts to undermine software supply chains.
The report specifically calls out the following characteristics of software supply chain attacks5 :
They exploit natural seams between organizations and abuse relationships where users expect to find trustworthy code.
Attacks are impactful and can drive compromise deep into anorganization's technology stack, undermining development and administrative tools, code-signing, and device firmware.
These attacks have strategic utility for state actors and have been used to great effect.
Addressing the Threat
From a cybersecurity perspective, a supply chain attack is the archetype of an APT (advanced persistent threat)9 as it allows an attacker to target and infiltrate specific industries or even organizations, penetrate their network, and remain undetected while conducting their objective—be it information gathering or sabotage. We need to recognize that supply chain attacks are a real and complex threat that can affect MDMs and HDOs alike. Traditional security management processes and technologies typically fall short of (1) ensuring security and reliability of the software supply chain and (2) detecting supply chain compromises and preventing them from doing harm.
Therefore, as organizations implement and develop security-inclusive life cycle management processes,10 including cybersecurity as part of their supplier management is essential. Ensuring that the supplier uses secure development and design processes and actively manages the security posture of their products, including in production and distribution, is critical. Accomplishing this requires a combination of process, technology, and assurance.
Plenty of examples, including those cited in this article, underline the risks and criticality of our software supply chain. Unfortunately, as always in cybersecurity, things are likely to get worse before they get better—so we best heed the warnings sooner rather than later.