Mastering supply chain risks 

Whether for software, products or cloud and other services, organisations depend on suppliers – and their security measures. Philipp Grabher, CISO of the canton of Zurich, and Oliver Jäschke, responsible for supplier relationship security at Swisscom, explain how organisations can deal with supply chain risks.

July 2024, Text: Andreas Heer, 4 min.

It was a nondescript software library with the equally nondescript name ‘xz’ that sent shockwaves through the IT world: a sophisticated backdoor would have allowed the – unknown – attackers to gain access to millions of Linux systems. ‘Would have’ being the operative term, because the vulnerability was discovered in time to prevent its inclusion in stable versions of the common Linux distributions.

Whether xz, vulnerabilities in commercial software or malicious packages in software repositories such as the Python Package Index (PyPI) or the npm registry, security loopholes in the software supply chain are a real risk. And that is not the only place where such risks lurk. Suppliers of other products can also be exploited as gateways for cyberattacks or cause a supply interruption due to a security incident.

It’s therefore not surprising that the supply chain has a high priority in risk management and cybersecurity. ‘It’s one of our top issues,’ says Philipp Grabher, CISO of the canton of Zurich. For Oliver Jäschke, Product Owner Security Assurance at Swisscom and thus responsible for supplier relationship security, the issue is also gaining in importance again.

This article sets out how companies can better protect themselves against supply chain risks and what levers can be used.


‘Supply chain risks are one of our top issues.’

Philipp Grabher, CISO of the canton of Zurich

Create awareness of supply chain risks

The procurement process plays a decisive role in managing supply chain risks. Various departments are involved in sourcing any product, such as Procurement, Purchasing, Legal and Security. ‘Protection against supply chain risks is an interdisciplinary issue,’ emphasises Grabher. ‘It encompasses all of the parties involved.’ Jäschke emphasises that this requires raising customer awareness of the potential risks. Risk management thus begins with in-house awareness. ‘A clean procurement process is therefore important,’ says Grabher. ‘Cybersecurity is one of the pieces in the mosaic.’ 

It is equally important to clarify the responsibilities between the supplier and customer, adds Grabher: ‘There’s an absolute need for transparency as to who is responsible for what. That needs to be sorted out, but it’s often a challenge.’

Include suppliers in risk considerations 

Contractually agreed security requirements contribute to this transparency by setting out what is expected of suppliers. The scope depends on the risk profile and the type of procurement. Different requirements apply to software than, for example, the work of system integrators. ‘Criteria include access to our systems and confidential data,’ says Grabher. ‘Or whether a supplier is relevant to critical business processes.’  

Contractual agreements are one thing, and compliance with them is another. One of the objectives of supply chain management is therefore to regularly audit suppliers to ensure, among other things, that they are complying with technical and organisational measures (TOMs) for data protection and security. ‘Such audits must be a recurring part of risk management,’ says Grabher. Cyber defence teams are also involved in this at Swisscom, says Jäschke: ‘We audit the most important suppliers as part of the cyber threat intelligence process. This allows us to better assess the threat situation and identify any cyberattacks.’

Develop secure software in the supply chain

Back to the software supply chain: the risk of vulnerabilities in the software used must be minimised in order to prevent cases such as xz or Log4Shell (from November 2021) as far as possible. Secure software development is a priority for Grabher and Jäschke in this respect. Both emphasise that audits should examine the following aspects for secure software development:

  • Implementation of the NIST Secure Software Development Framework (SSDF)
  • Threat modelling (vulnerability detection)
  • Static, dynamic and interactive security testing of applications
  • Ensuring the integrity of repositories, for example on GitHub
  • Established process to fix and patch vulnerabilities
  • Security measures such as bug bounty programmes and regular penetration tests

SBOM: an inventory for software

When a vulnerability is found in a software library, companies have to check carefully whether the software they use is affected. Transparency can be created with an SBOM (software bill of materials), a kind of inventory that lists all of the components and libraries used in a software application. If a vulnerability is identified, the SBOM shows whether the application is affected. Grabher and Jäschke are therefore unanimous in welcoming this approach: ‘With SBOMs, we could respond more quickly in the event of an incident.’ But Jäschke admits that SBOMs are still a ‘work in progress’. On the one hand, for various reasons not all software manufacturers are willing to create transparency about the components they use. On the other hand, some libraries have dependencies on other libraries for which there would then also have to be an SBOM – and on and on it goes.

Audit suppliers regularly

Audits check whether suppliers and their products meet security requirements and comply with contractual agreements. This is the responsibility of the Security department in both organisations. ‘We examine various security aspects,’ says Jäschke. ‘In addition to actual cybersecurity measures, this includes, for example, handling of ransomware attacks, business continuity management (BCM) and data protection requirements.’ It is important to Jäschke that suppliers understand the benefits of an audit: ‘The aim is to be certain that a company can respond effectively to a security incident.’

Given the large number of suppliers, it is not feasible to comprehensively audit each and every one of them. ‘The type of audit depends on the criticality,’ explains Jäschke. To this end, the canton of Zurich is aiming for closer cooperation between administrative units and with the municipalities, explains Grabher: ‘We are trying to create synergies in supplier management, such as by jointly evaluating suppliers or allowing for consideration of the experiences of the different purchasing departments.’

‘An audit is also intended to ensure that a supplier can respond effectively to a security incident.’

Oliver Jäschke, Product Owner Security Assurance at Swisscom

Supply chain management as a balancing act

Not all software suppliers are equally open to audits. ‘How do we check a provider that doesn’t want to create transparency?’ asks Grabher. In addition, audits may reveal that measures have been drawn up, but whether they will actually be implemented is unknown. ‘We want to be informed quickly in the event of a security incident,’ says Jäschke. ‘That’s why a software supplier’s handling of incidents becomes increasingly important during an audit.’

At the same time, security requirements are a balancing act, as Grabher admits: ‘Large suppliers often have better security measures than smaller ones, which can make it harder for those small providers to get contracts.’

The supply chain is gaining in importance

Although there are many benefits of cloud and SaaS offerings, they do increase dependence on suppliers. This makes supply chain security and risk management even more important. ‘The more dependencies, the greater the risk,’ says Jäschke. ‘But awareness of security has also grown. And protective measures have improved.’ 

Everyone benefits from better protection, emphasises Grabher: ‘If we do things better together with the supply chain, we improve security across the board. That means everyone benefits.’
