In the fast-paced world of industrial equipment manufacturing, ensuring robust software supply chain security has become imperative. However, in our State of Critical Infrastructure Security 2023, we found that the prioritization of software supply chain security remains low, with only 17% of companies considering it a top priority for their 2023 device security roadmap.
In this blog post, we’ll delve into the current state of supply chain security practices. Read on to uncover key strategies to enhance supply chain security and safeguard the industrial equipment manufacturing industry against evolving threats.
Importance of Software Supply Chain Security in the Industrial Equipment Manufacturing Industry
The importance of supply chain security in the industrial equipment manufacturing industry cannot be overstated, particularly in light of the rising security risks originating from the supply chain itself. Recent high-profile incidents, such as SolarWinds, Log4Shell, and others, have brought to the forefront the vulnerabilities within supply chains that can have far-reaching consequences.
To address these product security concerns, regulatory measures like Executive Order 14028 and the EU Cyber Resilience Act have been introduced. These regulations aim to enhance supply chain security by increasing requirements for transparency, accountability, and resilience.
A recently conducted survey further underlined the significance of supply chain security challenges within the industry. Approximately 24% of respondents identified “software supply chain security” as a top product security challenge. Moreover, the survey revealed that 24% of respondents cited the “increase in security risks originating from the supply chain” as a primary influencer for increased investment in device security.
Notably, among those who identified supply chain security risks as an influencer for increased investment, 47% were C-suite executives. This underscores the elevated level of concern among high-level decision-makers regarding supply chain security, as they understand the potential impact on their organizations’ operations, reputation, and bottom line.
Current State of Supply Chain Security Practices
Despite the growing recognition of supply chain security challenges, our survey findings indicate that only a small percentage of companies prioritize enhancing control over supply chain security issues. As mentioned above, a mere 17% of respondents cited this as a top priority for their 2023 device security roadmap.
One of the key areas where improvement is needed is in the adoption of Software Bills of Materials (SBOMs) and vulnerability tracking. Requesting SBOMs from suppliers emerged as the most prevalent supply chain security practice, with 57% of respondents implementing it. While this is a positive step, there is still room for improvement as, surprisingly, 60% of companies fail to generate and share their own SBOMs with customers, hindering the exchange of critical information and impeding overall visibility into software supply chain risks.
Furthermore, a significant number of companies lack effective tracking of security-related key performance indicators (KPIs) to monitor supplier performance. Approximately 59% of respondents do not track these KPIs, further underscoring the need for a more proactive approach to supply chain security management.
Another concerning finding is that 53% of companies do not maintain an up-to-date SBOM database. This lack of currency and accuracy in tracking the components and vulnerabilities within the supply chain can have serious consequences, as it limits the ability to identify and address potential security risks promptly.
How to Improve Supply Chain Security
The above statistics paint a concerning picture of the current state of supply chain security practices in the industrial equipment manufacturing industry. While there is some adoption of practices like requesting SBOMs, there is a pressing need for companies to prioritize generating and sharing their own SBOMs, tracking security-related KPIs, and maintaining up-to-date databases. Below, we discuss several options for improving supply chain security.
SBOMs play a crucial role in enhancing supply chain security by providing comprehensive visibility into the components and dependencies within the software supply chain. By leveraging SBOMs, organizations gain a deeper understanding of the software supply chain and can identify potential security vulnerabilities more effectively.
The benefits of implementing SBOMs in supply chain security practices include:
- Enabling organizations to assess the security posture of their products by identifying known vulnerabilities associated with the software components.
- Allowing for timely patching and remediation, reducing the risk of exploitation by cyber threats.
- Providing transparency and visibility into potential risks introduced by third-party software components.
However, having a repository of SBOMs is not enough. With each iteration, the SBOM must be updated and shared with stakeholders so that it reflects the latest software components. What’s more, living SBOMs can be broken into stages, helping companies align with CISA’s six SBOM types.
Vulnerability Exploitability Exchange (VEX)
The Vulnerability Exploitability Exchange (VEX) is another powerful tool that can greatly enhance supply chain security by facilitating the exchange of vulnerability-related information and improving incident response capabilities. VEX provides a standardized way to share information about known vulnerabilities, whether they are actually exploitable in a given product, and the associated mitigation measures.
VEX’s functionalities include:
- Centralizing and standardizing vulnerability information
- Enabling organizations to respond to emerging threats more quickly and effectively, reducing the amount of time that suppliers and customers are exposed to risk
- Providing a comprehensive view of the threat landscape, enabling organizations to identify patterns, detect emerging trends, and proactively mitigate potential risks
CISA’s minimum VEX requirements encourage automation to manage the large volumes of data that accompany each vulnerability, such as dependents, OS requirements, and potential mitigations that may already have been applied, all of which are necessary to better understand SBOMs.
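As an added illustration of the SBOM and VEX automation described above (example code written for this post, not the survey authors’ or CISA’s tooling), the script below reads a constructed, simplified SBOM and a constructed set of VEX statements, checks each statement against CISA’s minimum elements (status, plus a justification for not_affected or an action statement for affected), and sorts them into actionable, watch, suppressed and rejected buckets. The JSON layouts are simplified stand-ins for the real CycloneDX, SPDX or CSAF schemas, and the vulnerability IDs are placeholders.

```python
import json
from collections import defaultdict

# Constructed sample SBOM (simplified, not a full CycloneDX or SPDX document):
# the component inventory of one firmware build.
SBOM_JSON = """{"product": "plc-firmware", "version": "2.4.1", "components": [
  {"name": "log4j-core", "version": "2.14.1"},
  {"name": "openssl", "version": "3.0.8"},
  {"name": "zlib", "version": "1.2.11"}]}"""

# Constructed VEX statements carrying CISA's minimum elements: product,
# vulnerability ID, status, plus a justification (not_affected) or an
# action statement (affected). The IDs are placeholders, not real CVEs.
VEX_JSON = """{"statements": [
  {"vuln": "CVE-0000-0001", "product": "log4j-core@2.14.1", "status": "affected",
   "action": "upgrade in next firmware release"},
  {"vuln": "CVE-0000-0002", "product": "openssl@3.0.8", "status": "not_affected",
   "justification": "vulnerable_code_not_in_execute_path"},
  {"vuln": "CVE-0000-0003", "product": "openssl@3.0.8", "status": "not_affected"},
  {"vuln": "CVE-0000-0004", "product": "zlib@1.2.11", "status": "under_investigation"},
  {"vuln": "CVE-0000-0005", "product": "libxml2@2.9.0", "status": "affected",
   "action": "apply vendor patch"}]}"""

# Bucket for each complete statement; "affected" and "not_affected" are only
# complete when they carry an action statement or a justification respectively.
BUCKET = {"affected": "act", "not_affected": "suppressed",
          "under_investigation": "watch", "fixed": "closed"}


def sbom_components(sbom_text):
    """Return the set of 'name@version' keys the SBOM declares."""
    doc = json.loads(sbom_text)
    return {f"{c['name']}@{c['version']}" for c in doc["components"]}


def triage(sbom_text, vex_text):
    """Correlate VEX statements with the SBOM inventory. Statements that miss
    a required element, use an unknown status, or name a component the SBOM
    does not contain (a stale SBOM or VEX) land in 'reject'."""
    inventory = sbom_components(sbom_text)
    out = defaultdict(list)
    for s in json.loads(vex_text)["statements"]:
        key, status = (s["vuln"], s["product"]), s["status"]
        complete = status in BUCKET and s["product"] in inventory
        if status == "affected":
            complete = complete and bool(s.get("action"))
        elif status == "not_affected":
            complete = complete and bool(s.get("justification"))
        out[BUCKET[status] if complete else "reject"].append(key)
    return dict(out)
```

Rejected statements are the signal that either the supplier’s VEX is incomplete or the SBOM on file no longer matches the shipped build, which is exactly the currency problem the survey found in 53% of companies.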
Tracking Supplier Security Performance
Monitoring and evaluating supplier security practices is a critical aspect of ensuring supply chain security. By actively tracking and assessing the security measures implemented by suppliers, organizations can make informed decisions about their partnerships and take proactive steps to mitigate potential risks.
The importance of monitoring and evaluating supplier security practices is particularly evident for companies seeking to work with the US government, which requires suppliers to complete an attestation form that includes detailed information about their security practices.
To effectively track supplier security performance, it’s essential to establish metrics and benchmarks that can serve as indicators of the suppliers’ security posture. These metrics can include criteria such as:
- Adherence to industry standards
- Implementation of secure coding practices
- Regular vulnerability assessments
- Incident response capabilities
- Service Level Agreements (SLAs): ensuring that suppliers are living up to their product security commitments, such as providing impact analysis and mitigations in a timely manner
Wrapping It Up
The current state of supply chain security practices in the industrial equipment manufacturing industry highlights the urgent need for improvement and prioritization. Despite the growing risks, software supply chain security receives limited attention, and the adoption of critical practices like SBOMs and vulnerability tracking is lacking.
However, organizations can enhance their supply chain security by leveraging SBOMs, utilizing documentation like VEX, and tracking supplier security performance.
For more insights into the maturity of industrial device cybersecurity processes and the main challenges faced by today’s industrial organizations, download our full 2023 Industrial Device Security Survey Report today.