An SBOM is only half the battle: Supply chain security needs contextual information on threat situations and to prioritise defensive measures.
Cybersecurity needs context
At the beginning of June 2023, the German IT Security Association (TeleTrusT) published the guideline “Cloud Supply Chain Security“. As a TeleTrusT member, we were involved in its creation in terms of content and editing. And gladly so. Because supply chain security is and remains the top issue for operators of critical infrastructures. In this respect, we were particularly keen to contribute asvin’s expertise in visualising and prioritising vulnerabilities on the software supply chain and in cloud environments.
The intransparency of the software supply chain, long a negligible security risk, has become a high-risk factor since the start of the Ukraine war and the increase in attacks by state cybercriminals. In the meantime, it has been proven that especially assemblies and their software from smaller, often little-known suppliers serve attackers as an entry point into the otherwise mostly well-protected OT (Operational Technology). The attacks are carried out via trusted third-party components and IT services and are therefore difficult for users to prevent.
To solve this problem, asvin has a novel method for identifying and prioritising risks in OT systems: “Risk by Context“. The corresponding product “Eagle Eye” makes operational factors and cyber security factors visible via contextual relationships and thus enables a weighting of risks. Mathematical methods for evaluating topological relationships are used here. The method also makes it possible to include unknown cybersecurity risks (e.g. zero-day exploits, firmware states) in the risk assessment. This enables CISOs to extend risk assessments beyond the horizon of known CVEs and attack paths. In addition, risk states can be simulated in a complex system, for example to predict the risk impact of adding or removing participants. Through the optimised processing of risks, the use of resources (personnel and material) can be significantly optimised in risk minimisation.
The now published TeleTrusT guide describes a number of protection measures such as provider assessment or setup and maintenance of a Software Bill of Materials (SBOM). With Eagle Eye and Risk by Context, asvin now directly enables the next step after the availability of an SBOM. For although a software bill of materials provides all elements of the supply chain, it initially only presents OT security managers with a number of additional problems: Which elements are affected or threatened? Which vulnerabilities are critical and should be prioritised for remediation?
Those who can answer these questions minimise risks. Take the Challenger disaster in 1986: it could have been prevented if the technology of the time had already been able to correlate the parameters that did exist, draw valid conclusions and derive consequences. All the circumstances that led to the explosion were known before the launch. But because no one could recognise their deadly combination, launch clearance was given. Seven astronauts died, NASA’s shuttle programme had to be stopped for two and a half years. Today we have this contextual information, info here: https://asvin.io/risk-by-context/