Whether for software, products or cloud and other services, organisations depend on suppliers – and their security measures. Philipp Grabher, CISO of the canton of Zurich, and Oliver Jäschke, responsible for supplier relationship security at Swisscom, explain how organisations can deal with supply chain risks.
July 2024 | Text: Andreas Heer | 4 min.
It was an inconspicuous compression library with the equally inconspicuous name ‘xz’ that sent shockwaves through the IT world in spring 2024: a sophisticated backdoor planted in its release tarballs would have allowed its still unknown authors to gain access to millions of Linux systems. ‘Would have’ being the operative phrase, because the backdoor was discovered in time to keep it out of the stable releases of the common Linux distributions.
Whether xz, vulnerabilities in commercial software or malicious packages in software repositories such as the Python Package Index (PyPI) or the npm registry, weaknesses in the software supply chain are a real risk. And software is not the only place where such risks lurk. Suppliers of other products and services can also be exploited as gateways for cyberattacks, or a security incident on their side can interrupt supply.
It’s therefore not surprising that the supply chain has a high priority in risk management and cybersecurity. ‘It’s one of our top issues,’ says Philipp Grabher, CISO of the canton of Zurich. For Oliver Jäschke, Product Owner Security Assurance at Swisscom and thus responsible for supplier relationship security, the topic is once again gaining in importance.
This article sets out how companies can better protect themselves against supply chain risks and what levers can be used.
The procurement process plays a decisive role in managing supply chain risks. Various departments are involved in sourcing any product, such as Procurement, Purchasing, Legal and Security. ‘Protection against supply chain risks is an interdisciplinary issue,’ emphasises Grabher. ‘It encompasses all of the parties involved.’ Jäschke stresses that this requires raising awareness of the potential risks among internal customers, the business units that request a product. Risk management thus begins with in-house awareness. ‘A clean procurement process is therefore important,’ says Grabher. ‘Cybersecurity is one of the pieces in the mosaic.’
It is equally important to clarify the responsibilities between the supplier and customer, adds Grabher: ‘There’s an absolute need for transparency as to who is responsible for what. That needs to be sorted out, but it’s often a challenge.’
Contractually agreed security requirements contribute to this transparency by setting out what is expected of suppliers. The scope depends on the risk profile and the type of procurement. Different requirements apply to software than, for example, the work of system integrators. ‘Criteria include access to our systems and confidential data,’ says Grabher. ‘Or whether a supplier is relevant to critical business processes.’
Contractual agreements are one thing, and compliance with them is another. One of the objectives of supply chain management is therefore to regularly audit suppliers to ensure, among other things, that they are complying with technical and organisational measures (TOMs) for data protection and security. ‘Such audits must be a recurring part of risk management,’ says Grabher. Cyber defence teams are also involved in this at Swisscom, says Jäschke: ‘We audit the most important suppliers as part of the cyber threat intelligence process. This allows us to better assess the threat situation and identify any cyberattacks.’
Back to the software supply chain: the risk of vulnerabilities in the software used must be minimised in order to prevent cases such as xz or Log4Shell (the vulnerability in the Java logging library Log4j disclosed in December 2021) as far as possible. Secure software development is a priority for Grabher and Jäschke in this respect. Both emphasise that audits should examine the following aspects for secure software development:
Audits check whether suppliers and their products meet security requirements and comply with contractual agreements. This is the responsibility of the Security department in both organisations. ‘We examine various security aspects,’ says Jäschke. ‘In addition to actual cybersecurity measures, this includes, for example, handling of ransomware attacks, business continuity management (BCM) and data protection requirements.’ It is important to Jäschke that suppliers understand the benefits of an audit: ‘The aim is to be certain that a company can respond effectively to a security incident.’
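The xz and Log4Shell cases above are, from the customer’s side, first of all an inventory problem: which of the components a supplier ships are on a known-bad list? The following script is an added illustration and is not code from the article, the canton of Zurich or Swisscom. It checks a constructed, SBOM-style component list against a small advisory table whose version ranges follow the public advisories for CVE-2024-3094 (xz 5.6.0 and 5.6.1) and CVE-2021-44228 (log4j-core before 2.15.0, simplified to the main release line). The component names, the `SAMPLE_SBOM` inventory and the function names are assumptions made for the example.

```python
"""Added example: match a component inventory against known-bad version ranges."""
import re

# Constructed inventory in the spirit of an SBOM (component name and version).
# Not data from any real supplier.
SAMPLE_SBOM = [
    {"name": "xz-utils", "version": "5.6.1"},
    {"name": "org.apache.logging.log4j:log4j-core", "version": "2.14.1"},
    {"name": "org.apache.logging.log4j:log4j-core", "version": "2.17.1"},
    {"name": "requests", "version": "2.32.3"},
]

# Advisory table: (component, advisory id, lowest affected, first fixed).
# Ranges follow the public advisories; a real check would pull them from a
# vulnerability database rather than hard-code them. The Log4j range is
# simplified to the main release line (2.x before 2.15.0).
ADVISORIES = [
    ("xz-utils", "CVE-2024-3094", "5.6.0", "5.6.2"),
    ("org.apache.logging.log4j:log4j-core", "CVE-2021-44228", "2.0", "2.15.0"),
]


def version_key(version: str) -> tuple:
    """Turn '5.6.1' into (5, 6, 1) for ordered comparison.

    Pre-release and build suffixes ('-rc1', '+build2') are dropped, which is a
    simplification: for production use, prefer packaging.version.Version or the
    ecosystem's own comparison rules.
    """
    core = re.split(r"[-+]", version, maxsplit=1)[0]
    return tuple(int(part) for part in core.split(".") if part.isdigit())


def is_affected(version: str, lowest_affected: str, first_fixed: str) -> bool:
    """True if lowest_affected <= version < first_fixed."""
    key = version_key(version)
    return version_key(lowest_affected) <= key < version_key(first_fixed)


def find_affected(sbom: list, advisories: list) -> list:
    """Return (component, version, advisory) for every inventory entry that
    falls inside a known-bad range."""
    hits = []
    for component in sbom:
        for name, advisory_id, lowest, fixed in advisories:
            if component["name"] == name and is_affected(
                component["version"], lowest, fixed
            ):
                hits.append((component["name"], component["version"], advisory_id))
    return hits


if __name__ == "__main__":
    for name, version, advisory_id in find_affected(SAMPLE_SBOM, ADVISORIES):
        print(f"{name} {version}: affected by {advisory_id}")
```

Two caveats worth keeping in mind. The check only finds what is already on an advisory list: the xz backdoor was a deliberately malicious release, not a bug, and no version comparison would have flagged 5.6.1 before the disclosure, which is why the article’s emphasis on supplier transparency and fast incident notification matters. And the check is only as good as the inventory it is given; a supplier who cannot or will not provide a component list is precisely the case Grabher describes below.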
Given the large number of suppliers, it is not feasible to comprehensively audit each and every one of them. ‘The type of audit depends on the criticality,’ explains Jäschke. To spread the effort, the canton of Zurich is aiming for closer cooperation between administrative units and with the municipalities, explains Grabher: ‘We are trying to create synergies in supplier management, such as by jointly evaluating suppliers or allowing for consideration of the experiences of the different purchasing departments.’
Not all software suppliers are equally open to audits. ‘How do we check a provider that doesn’t want to create transparency?’ asks Grabher. In addition, an audit may show that measures have been documented on paper without revealing whether they are actually implemented in practice. ‘We want to be informed quickly in the event of a security incident,’ says Jäschke. ‘That’s why a software supplier’s handling of incidents becomes increasingly important during an audit.’
At the same time, security requirements are a balancing act, as Grabher admits: ‘Large suppliers often have better security measures than smaller ones, which can make it harder for those small providers to get contracts.’
Although cloud and SaaS offerings have many benefits, they do increase dependence on suppliers. This makes supply chain security and risk management even more important. ‘The more dependencies, the greater the risk,’ says Jäschke. ‘But awareness of security has also grown. And protective measures have improved.’
Everyone benefits from better protection, emphasises Grabher: ‘If we do things better together with the supply chain, we improve security across the board. That means everyone benefits.’