Creating the Standard for Supply Chain Risk
In this episode, host Paul Roberts chats with Robert Martin of MITRE and Cassie Crossley of Schneider Electric about their session at this year’s RSA Conference. They explained how MITRE’s System of Trust can serve as a standard for software supply chain risk. The two also chatted with Paul about the greater issues facing software supply chains today, such as standardization and transparency.
WHAT IS MITRE’S SUPPLY CHAIN SYSTEM OF TRUST (SOT)?
It's basically a catalog of the risks that you may need to assess from your supply chain, whether that be from the supplies, the services, or the supplier themselves. And the idea is a shared catalog of these. That you can then get a subset that you apply to any particular business's decision you're trying to make.
CAN YOU SPEAK TO YOUR EXPERIENCE IN FACILITATING SUPPLY CHAIN SECURITY AT SCHNEIDER ELECTRIC, AS WELL AS HOW THE COMPANY RELIED ON SOT?
We actually have a very advanced enterprise and supplier risk management process, and we're using the System of Trust as an evaluation and to be able to support and provide information and metrics, be able to provide guidance when we have thousands of suppliers that don't have their own let's say advanced supply chain risk management process.
And this will help them be able to better identify. So we'd like to assist with providing profiles, working with MITRE and other companies that are partnering and standards organizations. And we'll use it to evaluate where we might want to modify or especially look at some of the ways we can automate data collection.
And also we're looking to get their insights from their years of experience. What are we missing, what's a better way to measure some of these things, so that we can all make the, shared set of things better.
CAN YOU TELL US MORE ABOUT MITRE’S CONTENT MANAGEMENT SYSTEM?
It's new in that people didn't know about it, but we've been using it all along. It basically is our content management system at one, in one way. It's how we're building the System of Trust corpus, mapping all the different categories, the subcategories down to a measurable risk, and then how defining what data sources you could use for that assessment, and then capturing how you actually interpret that data and decide, oh, it's high risk, it's low risk. Today a lot of people do that with subject matter experts. We're trying to capture that insight and get it into the tool. So the risk model manager is how we build this, but as I said, you can't deal with all of the risks we'll have. So it also is a way of actively picking and basically radio button a subset and building a profile.
So that's then what you would extract and do an assessment against. Whether you do that in a spreadsheet or whether you do that on a future to be available online version of the tool.
HOW DO PHYSICAL SUPPLY CHAINS COMPARE TO SOFTWARE SUPPLY CHAINS? ALSO, HOW ARE THESE TYPES OF SUPPLY CHAINS CONNECTED, AND WHAT CHALLENGES DO THEY BRING?
Software supply chain was not even much of a term when I first started using it many years back. They're like, what's the software supply chain? There's a lot of risk that we need to consider in that. So from a supply chain level, we've looked at suppliers' IT security, other types of security.
But when you're looking at hardware components and really being able to assess your suppliers of if you're building products there's a lot that we need to take into consideration all the way through, whether it be how they're flashing components, who has access to it, are they signing, are there integrity checks?
There's so much happening and so much movement within the supply chain that we're used to from a physical product standpoint. But when you think about, the binaries being shipped around and who has access and where are they being stored and how are you validating that as it goes through?
And we work a lot with the distributors and configurators and engineering firms. How are they verifying it before they start their configuration process with large systems? Because, we're just one. And there could be, six or many more upstream level suppliers. So it's a new conversation that we're having.
And also when you take a look at supply chain risk, software supply chain, you're open source, all of it that you need to take in consideration. And that's, when you're evaluating a commercial supplier. A lot of the things that I, that are in this System of Trust you can use, even if you don't have the answers to think about the process that you should be looking at for inspection and understanding as it goes through the whole supply chain.
And if you don't have an answer, that means it's still maybe a concern you need to manage. Right. So how do you mitigate that? How do you control it in its impact? And the big thing about System of Trust, while we can apply it to the software supply chain, we're doing it in a framework that speaks to the board.
So these are things that need to be managed across the enterprise and not just in the IT shop, in the procurement, in the manpower. All the different pieces of a company need to be in sync about their respective role. And so System of Trust is trying to bring that together. Yes, you can bring all the details about looking at microelectronics or software or you know, in device integrity, but you also need to look at, is that company that you're sourcing from gonna be in business next year.
And what's their financial health? Or are they in a country that, claims that anyone's intellectual property is theirs if it's in their country? Little things like this that often people in the purchasing department may not be thinking about, but yet could really undermine the company.
HOW HAS MITRE’S SOT EVOLVED OVER THE PAST YEAR?
So one big thing is we at MITRE spent a lot of time previous to when we talked first gathering, insights into different risks. So we spent a lot of time in the intervening time, organizing that, harmonizing it, making sure there was some consistency. A lot of things we collected we're talking about the same issue, but a little differently.
And so we combine them so that there's some, a certain perspective that comes now consistently throughout. And then the other part was really what data are you going, information or are you gonna be finding. If something was about a risk and there was no clear way to ever assess it in a defendable way, we put it to the side. And so that's one big thing. And this came out as a release 1.2, right before Christmas that we shared with a lot of our friends that we had started working with that became our System of Trust community. And so getting them to review it, give us feedback.
We actually have a 1.3 that we're rolling out this week. It'll be available next week to people to download, but it reflects the feedback from 21 different organizations. Not all of their feedback, cuz some of them little gnarly to unwrap, but the idea here is to get that flow going. And so we're also gonna be establishing working groups to actually, cuz to date it's been MITRE to companies, MITRE to organizations.
Now we wanna bring them together to the extent they're willing to share. They can still come to MITRE directly. But the risk model management tool, we also re-architected it. It was a prototype, it's still a prototype. But it was not built on a graph database. Now it is. So it's much more flexible to evolve going forward and it's stable enough that we're making it available.
So if people can come to our website, SOT.MITRE.Org, and there's an RMM respond manager pull down and you can ask for an account. They'll see evolution of that going forward. Eventually we want to do things like a standards group. Come get an account, build out their standard, all the paragraphs and sub paragraphs, and then link this requirement, answers this risk, and have them do that, and then we verify it.
And so when somebody comes in to do an assessment and they say, yes, this product follows this standard, the requirements that are relative to a risk would show up. And they can get that insight. So measurement beyond going, getting something from Interros or Exiger.
WHAT ARE SOME OF THE IMPEDIMENTS TO UPHOLDING SOFTWARE SUPPLY CHAIN SECURITY? IN WHAT WAYS CAN THIS EFFORT BE STREAMLINED?
In some areas, you don't have the same language. So for example, when I speak with suppliers and ask them about the risk management process, most of them would not be able to say, oh, I follow this NIST model, or this or that, because they may not be, depending on where they're located from a supplier standpoint.
But with the MITRE's System of Trust, having that same language and saying, okay, if you haven't developed something on your own, here's a profile that we think would be a best fit. You can use it for your other upstream suppliers. I think that'll make a large difference because we do not have a common language, when speaking about risk and it's not only cyber risk. We are facing so much business risk with resilience and, how does everything affect it? What happens? As we've seen way too often, what happens when the supply chain is disrupted or we've had nth party vulnerabilities or anything like that.
But all of this is much more than just cyber. And I think that we've had very siloed cyber risk management and there's a lot of tools that do that. And then you have companies that handle the risk management, but they don't understand cyber because they think there's one set of questions and that's it.
And that's not the case. Every supplier, types, segment, grouping is very different. Even if you're buying it.
Some are regulated, some aren't.
That's what we're calling our profiling. Yeah. So basically anyone can come in and look at the whole corpus and go say nope. Do it once. And say, this defines what I want to focus on for my contracts and my relationships. Or I can turn around and say, as a supplier of this kind, here are the risks I think I need to make of my customers aware of.
So they can do that ahead of time and just then use it over and over. Now, when it comes to doing assessment against these things, I talked about mapping standards to this. There's also gonna be all kinds of, from a cybersecurity point of view, all kinds of tools that could be used and the results from those tools could be used as the evidence.
HOW DO YOU MAKE SOFTWARE SUPPLY CHAIN SECURITY RELEVANT AND SPECIFIC TO DIFFERENT INDUSTRIES AND PRACTICES? IS SOT BUILT TO HELP WITH THIS?
So the System of Trust tool, RMM, and the framework is meant to leverage all of the commercial and open source assessment capabilities out there and bring them together. It's, in itself is just, that a framework. It's not, trying to compete with anybody, it's trying to leverage everybody cuz there's a lot of smart people out there.
And the trouble is, as Cassie was saying, the people in corporate risk management, they have a standard approach, and yet there's all this rich data that the cybersecurity people have for their piece. But how do you bring those together? So we're trying to do that.
And with the other tools, the third party tools that do risk management, usually it's based off of their criteria.
If if they allow customization, that's great to say, here's where we feel the risk. But with a System of Trust being able to set, you know this, especially this type of supplier, this is the risk that I wanna more focus on. I wanna weight it this certain way. You're not taking just a generic report, even however detailed it is.
And that's really important. I think anybody, financial risk for different companies is it's gonna be different for a mid-size company versus a larger company because of what you're willing to take on as a risk profile.
And some of those offerings, they basically are looking for negative evidence.
Things that are going bad and they'll report them in some, slot of their dashboard. The trouble is you don't know which things they didn't find any evidence, positive or negative, and therefore, that's a big question mark still, right? So by putting together the risk questions, by looking at the underlying risks you care about, if you don't get data for something, you know it, and you can say, okay, there's an uncertainty here, and how do I manage that?
Do I do something exceptional and try to get the data? Or do I just, understand the how, what the range of possibilities are and deal with that. But today you get some of these dashboards and oh, it looks great. And then you find out for the companies that were private, they couldn't get the financial data, therefore it's not part of it.
And there's a whole bunch of instability, or at least unknown stability. So we're trying to. Bring that into a more transparent measurement approach.
WHAT LESSONS CAN WE TAKE AWAY FROM THE RECENT CASCADING SOFTWARE SUPPLY CHAIN ATTACK ON 3CX? AND COULD A TOOL LIKE MITRE’S SOT HELP DEFEND AGAINST THIS TYPE OF ATTACK?
I think the risks that attack reveals are already within the scope of System of Trust, whether we had the specific risk factors that would've popped that out of the background. That's an open question. We'll be looking at that. There's, the bottom line is what happened is something somebody was worried about.
Whether or not they understood that was a path for that to manifest. As a whole community, we need to be better at it. And, if somebody wasn't even contemplating that risk and they see System of Trust, hopefully they'll say, oh look, somebody wants to know about this kind of risk.
They think that may be something, maybe I should look at that. So we think the overall catalog will also be an educational thing. We had one of our customers very interested in supply chain. Very schooled in looking at it. They offered up here's the 13 things we look at, and we mapped that to a nascent version of system of trust at the time and shared with them where we mapped in their ideas and they were looking at the kind of surrounding things and now they have 42 things they look at. Even the, no matter how well you are into this, you know there's other people thinking about it as well. And together we can have a much more holistic look at where these risks manifest and how we can measure for.
HOW CAN WE RELY ON SOFTWARE BILLS OF MATERIALS (SBOMs) IN A WAY THAT IS SCALABLE FOR ALL KINDS OF COMPANIES?
I think having, we've mentioned it in the presentation, having sort of an exchange language. There's many different working groups working right now it's like, how do I get this information? It's hard to do the end to end. It is, we are very mature from a, global area on physical end to end.
But when it comes to binary, the ones and zeros, the risk that we're seeing, it's not there. The beat reason, part of it is because that one and zero, that binary, that, that line of code can exist for decades, right? Code I wrote back in 1988 still exists today. So you know what, we are having these conversations when it ties in the physical or just software only.
We've got a long way to go. We're gonna always have unknowns because open source libraries, other areas. There's always that risk.
Legacy, definitely. And what essentially those that have the responsibility for delivering and software publishing, that they should have good practices for secure development, but they're not gonna have a literal, hear exactly as every, where every single piece came from.
They're not gonna be able to do the traceability cuz you can't go invent things that were created many years ago. So the challenge will be how do you convince teams: I want you to do this, from now on going forward, capture this information. Let's be transparent.
When they know that there's the lack of transparency for the legacy and other items. But overall , just cuz you can't get to 100% doesn't mean it shouldn't be done.
It doesn't mean it can't be very useful.
And I think the transition that's going on right now is that the whole software tooling industry is getting on board with creating SBOMs, managing with SBOMs, whether it's your source code SBOM, your actual, deliverable installable SBOM, right. The SBOM of what's running as you get runtime dependencies. So there's different SBOMs here. Some of them we can do now.
Some of them more and more tools just generate them automatically. That's right. And it's gonna be a question of what don't you share, rather than what do I need to create and decide to share? So I think there's a lot of rich information that could be coming from these tools that would actually help businesses make decisions.
And so I think there's gonna be a sea change as people look at this no longer as an imposition, but rather as an opportunity. And we'll see where that goes. But, the bottom line is there's risk. What kind of insight do you need to manage those risks and how can you get it? And this is a new source, is the SBOM and things around it from the Executive Order, the whole attestations... that's a depth of information that you didn't get before. And so that can help you. And I think everyone in the supply chain could actually be helped, not just the end consumer.
I think that it will definitely, five, 10 years from now, the level of technical debt we have will drop, because, there's so many other industries where you're optimizing all the time.
The process, the things if you look at just any kind of packaging, they've optimized the packaging over the years. Code bloat is a significant issue that has not been addressed. And I think that transparency of saying, do I really need that library, what am I using it for?
It's going to really level up a certain, I think software publishing.
The trouble we got such faster and faster CPUs, more and more memory and better, better bandwidth. So nobody ever looked at what's in there. When I learned to code you were in there optimizing everything.
And people aren't trained to write code that way nowadays. And we need a little bit going back on that.
ANY CLOSING THOUGHTS YOU WOULD LIKE TO SHARE?
I'll just invite the audience to get involved. We think we have something pretty good, but it can be much better. And I'm sure someone out there has a perspective that we've overlooked or we haven't quite recognized. And get involved. It's open to everyone.
I wanna comment that, I think that there's commercial vendors that are worried about this space and this discussion that's being had.
And I don't think that its stops anyone from, finding value in vendors that specialize in risk management because there are companies that really want to be able to share the responsibility with someone who's got that skillset. They may not have a full risk management program.
So those vendors provide a lot of value, and I think that everybody should be having this conversation so that, the suppliers especially that do not have the, let's just say the pocketbook, the budget, to be able to afford risk management. They need to be looking at their supply chain just as much. And so providing that capability to those that cannot afford it or be able to manage it on their own is very important. And we should do whatever we can to improve the supply chain in general.
Yeah. I was in Tokyo giving the talk on this to, for the symposium there. And one of the questions was, what about small businesses?
And I said if you go down to the corner to that three stool, Lunch Wagon, you do not expect to get a deathly, poisoning from the food. There's some minimal things that they need to manage. Even when they're only doing that. Think of that. It's what is the minimum they need to do to be their role in the overall ecosystem?
Not asking to do what the top tier people do.