Securing the Digital Frontier: Navigating Software Supply Chain Risks with the EU's Cyber Resilience Act

Software supply chains and supply chain attacks have grown in importance in recent years and have become a major risk for companies and organizations.


A supply chain attack is not an attempt to hack networks directly, but to attack a third party with access to an organization’s systems. For example, the attackers target suppliers, such as software vendors. The vulnerable third-party software provides a backdoor through which the hackers can access users and accounts of the victim organization. 

Well-known examples in this context are: 

  • The case of SolarWinds, when hackers used the supply chain attack method and inserted malicious code into the Orion system to distribute a malicious update to thousands of customers. It is estimated that the attack infected more than 18,000 systems worldwide and caused billions of dollars in irreparable damage. 

  • Or the Air India data breach when hackers attacked the Passenger Service System provider SITA. The attack compromised the personal data of around 4.5 million customers worldwide, including passport and credit card details, dates of birth, names and ticket information. 

  • Many will remember the Log4j case. It involved a zero-day vulnerability called Log4Shell. This vulnerability allowed attackers to inject malicious code into systems and take control of them. The attack affected millions of systems around the world. 

What is the origin of this challenge, and how can it be tackled? 

The challenge is twofold:  

  • software supply chains are full of known vulnerabilities that companies are failing to fix. 

  • attackers exploit the lack of attention to security in software projects to deliberately add backdoors and other malicious components. 

The architecture of a product with digital elements is very complex today. Modern software applications are no longer based on a monolithic stack of isolated software components. Developers build applications from many components that can come from many sources. Typically, software contains open-source and third-party components, as well as self-developed and self-configured components.  

Each of the components that make up an application can pose a risk, and a component that contains an unpatched, unfixed vulnerability is a live threat. Imagine a huge tower built from Lego bricks: bricks of different types, sizes and colours, built together. Everything is connected, the pieces are interdependent and must fit together to form a solid structure. In the context of software, the security of each piece is crucial to the integrity of the whole product. If one piece of software is produced and maintained by some unknown person in some unknown place, and if that piece has a vulnerability that no one fixes or takes care of, then your whole structure collapses. The more components a product contains, the more effort it takes to verify that each part is up to date.  

It is therefore vital for developers, organizations, and end users to be aware of all the components that make up an application. If users or manufacturers do not know in detail what their products contain, their ability to detect vulnerabilities is very limited, or at least the task becomes very complicated. 

The established approach to this is the Software Bill of Materials (SBOM). An SBOM is a formal record containing the details and supply chain relationships of the various components used in building software. The SBOM can be compared to a 'nutrition label' on packaged food, which gives consumers a clear indication of what is in a product. 

The main purpose of an SBOM is the clear and explicit identification of components and their relationships to each other. It's all about dependencies.  

In the context of software supply chain security, the SBOM is an important risk management tool. It helps organizations to identify vulnerabilities in the components and dependencies they use and to take appropriate measures. 
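As an added illustration (not code from the original article or from SEC Consult) of how an SBOM supports this kind of risk management: the snippet below takes a constructed SBOM in the shape of a CycloneDX document, matches its components against a constructed advisory list with a placeholder identifier, and then walks the recorded dependency relationships backwards to show which other components are put at risk by the vulnerable one.

```python
# Constructed SBOM in CycloneDX's shape (not a real product's SBOM): "bom-ref"
# identifies each component, "dependencies" records who depends on whom.
SBOM = {
    "components": [
        {"bom-ref": "pkg:maven/example/webapp@1.0", "name": "webapp", "version": "1.0"},
        {"bom-ref": "pkg:maven/example/log-facade@2.1", "name": "log-facade", "version": "2.1"},
        {"bom-ref": "pkg:maven/example/log-core@2.14.1", "name": "log-core", "version": "2.14.1"},
        {"bom-ref": "pkg:maven/example/json-util@3.0", "name": "json-util", "version": "3.0"},
    ],
    "dependencies": [
        {"ref": "pkg:maven/example/webapp@1.0",
         "dependsOn": ["pkg:maven/example/log-facade@2.1", "pkg:maven/example/json-util@3.0"]},
        {"ref": "pkg:maven/example/log-facade@2.1", "dependsOn": ["pkg:maven/example/log-core@2.14.1"]},
        {"ref": "pkg:maven/example/log-core@2.14.1", "dependsOn": []},
        {"ref": "pkg:maven/example/json-util@3.0", "dependsOn": []},
    ],
}

# Constructed advisory feed with a placeholder id: name -> (affected versions, advisory id).
ADVISORIES = {"log-core": ({"2.14.0", "2.14.1"}, "EXAMPLE-ADVISORY-0001")}


def affected_components(sbom, advisories):
    """Return {bom-ref: advisory id} for components whose name and version match an advisory."""
    hits = {}
    for comp in sbom["components"]:
        versions, advisory_id = advisories.get(comp["name"], (set(), None))
        if comp["version"] in versions:
            hits[comp["bom-ref"]] = advisory_id
    return hits


def dependents_of(sbom, target):
    """Walk the dependency graph backwards: every ref that directly or transitively depends on target."""
    reverse = {}
    for entry in sbom["dependencies"]:
        for dep in entry.get("dependsOn", []):
            reverse.setdefault(dep, set()).add(entry["ref"])
    result, stack = set(), [target]
    while stack:
        for parent in reverse.get(stack.pop(), ()):
            if parent not in result:  # also guards against cycles in a malformed SBOM
                result.add(parent)
                stack.append(parent)
    return result


def impact_report(sbom, advisories):
    """Map each vulnerable component to its advisory and the components it puts at risk."""
    return {ref: (adv, sorted(dependents_of(sbom, ref)))
            for ref, adv in affected_components(sbom, advisories).items()}
```

Without the dependency relationships recorded in the SBOM, only the direct match on `log-core` would be visible; the walk is what reveals that the top-level `webapp` is exposed through `log-facade`.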

Responses of the Authorities 

Software supply chain risk has, of course, attracted the attention of the authorities. In May 2021, the Biden administration issued an executive order mandating that U.S. government agencies work only with software vendors that offer SBOMs. Mandatory certification schemes for certain digital products have also been introduced in Brazil, China and Japan. 

The Cyber Resilience Act of the European Union has essentially the same goal: to secure and protect software supply chains. The law will affect any digitally connected software or hardware sold or used in the European Union in the future, irrespective of where it is manufactured. The overall goal of the act is to create the necessary conditions to achieve two main objectives: 

  1. to ensure that manufacturers prioritise security throughout the lifecycle of a product so that it comes to market with fewer vulnerabilities. This means that manufacturers must effectively manage the vulnerabilities in their products and maintain clear documentation. They must conduct regular testing and demonstrate comprehensive patch management. 

  2. that users can more easily take cybersecurity into account when selecting and using products with digital elements. The idea is that end users should be able to rely on the security of the product as provided by the manufacturer. The law makes different economic operators responsible for the security of a product: manufacturers, importers and distributors each have different obligations to fulfil.  

To filter out the weak points in the supply chain, the legislator envisages a number of measures.  

  • One is mandatory security checks for products with digital elements.  

  • Another is the requirement that a Software Bill of Materials be made available for every product with digital elements. 

How we can support you

As vendors are held accountable for effectively managing vulnerabilities in their products throughout the product lifecycle, the need for vulnerability testing is increasing. 

SEC Consult is your strongest partner in this field. Since 2002 we have specialized in testing of software, firmware and hardware applications, the development of security information management processes and certification processes (ISO 27001), cyber defense, secure software development and sustainable improvement of security levels. With one of the largest white-hat hacker teams, SEC Consult provides the necessary environment to analyze current threats and develop appropriate solutions. 

Furthermore, with our own research unit, the Vulnerability Lab, we deepen our knowledge through special research projects launched every year in future-oriented areas. For example, we focus strongly on:  

  • IoT equipment and cloud (e.g. IP cameras, monitors, routers, CPE devices for internet service providers, printers) 

  • SCADA, automotive, smart home, mobile, security products, SAP, e-government, etc. 

The Vulnerability Lab also serves to support high-quality penetration tests and the evaluation of new technologies and is at the service of our customers. The customer thus receives the latest information about security vulnerabilities and valid statements about the risk profile of new technologies. 

About the author

Anna-Maria Praks
SEC Consult
R&D Lead Vulnerability Lab

Anna-Maria is a professional with over 25 years’ experience in the security industry. Her areas of expertise include cyber security, defence and security policy, international relations and government affairs. Anna-Maria has worked in politics, academia and the private sector throughout her career. Since 2015, she has been working as a research and development manager at SEC Consult.