Cybersecurity Supply Chain Risk Management – Deconstructing the root causes behind the Spectre and Meltdown vulnerabilities
Dan Phillips – Director of Cyber Risk Engineering

It has been nearly two weeks since the disclosure of the Spectre and Meltdown vulnerabilities. Here at Axio, we have been quietly monitoring the research community's discussions about the severity of these vulnerabilities as well as user experiences in applying mitigation measures to fix the issues. Make no mistake, folks: these are serious vulnerabilities that affect nearly every computer and device with a modern processor, and they are of particular concern for virtualized and cloud-based systems because they can be used to bypass memory isolation controls (Meltdown lets an unprivileged process read kernel memory, and Spectre variants can leak data across process boundaries and, in some configurations, across virtual machine boundaries). In the coming weeks, many security leaders will be asked to decide when, or whether, to patch company assets. When we consider that the patches degrade the performance of certain software functions by anywhere from 5 to 25%, that some of them have caused unwanted reboots, and that the vulnerability is present in billions of devices, it seems likely that we will be living with components vulnerable to Spectre and Meltdown for quite some time.

Several of the articles and blog posts that I have been reading touch on the reasons these vulnerabilities were overlooked for such a long period of time. But what I find missing from these discussions is a really honest conversation about why we keep seeing major hardware and software vulnerabilities like these pop up every few years. If we are being honest with ourselves, we should acknowledge that as consumers, we are often complicit in creating these vulnerabilities. Too often, we fail to recognize the true cost of rapid product development in the value chain: we don't ask the right questions during product design and procurement, we don't recognize the hidden costs of remediation, and we often make value judgments that emphasize lowest cost over security.

I have been working on cybersecurity supply chain issues for years, and I have yet to discover an easy solution to this problem. We have had tools at our fingertips for some time now that would help the community better manage cyber supply chain concerns: the Common Criteria standard, NIST SP 800-161, and the DOE cybersecurity procurement language. But the problem with these tools is that there is often not enough appetite or cohesion at the consumer level to leverage them effectively. To focus product improvement efforts, large portions of the customer base need to be on the same page about their expectations for disclosures, security features, and security testing. We also need mechanisms to discourage free riders. There are ways of dealing with the scalability and free rider problems through regulation, such as FERC's recent notice of proposed rulemaking on cyber supply chain standards and the DFARS regulations. However, most industries lack an appropriate vehicle to coordinate consumer and vendor behavior.

At Axio, we find that education is often the best tool for managing cyber security risks. Our experience has shown that to manage cybersecurity supply chain risk effectively, organizations must:

  1. Understand the nature of their exposure to supply chain and third-party cyber security incidents and,
  2. Understand their security program’s capabilities to address these types of risks.

Using tools such as the Cybersecurity Capability Maturity Model (C2M2), the NIST Cybersecurity Framework (CSF), and peer benchmarking data, we have been helping our clients develop roadmaps to mature their cyber supply chain risk management practices. The best solutions often involve a combination of the following:

  • Procedural controls (e.g. secure patch delivery processes, contractual obligations)
  • Technical controls (e.g. technology enforced vendor enclaves, functional testing)
  • Financial controls (e.g. insurance policies)

It is my belief that we can greatly reduce the number and severity of critical vulnerabilities in the future by encouraging technology consumers to use simple, risk-informed strategies during the procurement, design, and system integration stages of the product lifecycle. By articulating our security expectations early and often to our suppliers, we can ultimately incentivize suppliers to give equal weight to performance and security as they design and integrate new products.
