Supply Chain Security: Minimizing the Risks to Public Safety Systems

Software supply chain attacks aren’t new, but the threat to public safety systems remains. Still, organizations can mitigate the risk with a stronger commitment to evaluating third-party solutions and partnering with businesses focused on public safety security.

In the GCN article “Elevate Your Security Posture and Readiness for 2021,” Envisage CEO Ari Vidali discusses several ways that organizations might be susceptible to compromise, and shifts that might improve their ability to guard against them. Chief among threats to public safety systems are the third-party software vendors your organization connects to its network. You might be doing everything in your power to follow security best practices, only to have a less security-minded vendor in your software supply chain expose you to a breach.

A nearly unavoidable feature of today’s technology stacks is that organizations rely on hundreds of third-party products. Worse still, each of those products is itself built from further third-party components, so it quickly becomes extremely difficult for an organization to enumerate every point of potential attack.

Attackers may be able to exploit vulnerabilities in less secure third-party code (especially when those third parties are not attuned to the security demands of the public safety industry), gaining access to your connected networks, systems, and data. A vulnerability in one such vendor, even one several hops removed from your organization, can still reach your system through the chain of dependencies. And depending on what is compromised and on the controls surrounding that external connection, one small breach in a component may end up compromising your entire system.
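To make the “several hops removed” point concrete, here is an added example (not code from the GCN article or from Envisage) that walks a hypothetical dependency graph. The product and component names are constructed for illustration; in practice the graph would be built from the vendors’ software bills of materials or package lock files. It counts how many components each product ultimately pulls in, how far away they sit, and which products are exposed when one deep component turns out to be vulnerable.

```python
"""Walk a constructed software dependency graph to show how a flaw in a
component several hops away still reaches the products an agency runs.

Added example; every product and component name below is hypothetical."""
from collections import deque

# Hypothetical dependency graph: each key depends directly on the listed
# components. Constructed for illustration; these are not real products.
DEPENDENCIES = {
    "dispatch-console": ["mapping-sdk", "auth-client", "telemetry-agent"],
    "records-portal": ["web-framework", "auth-client", "report-engine"],
    "mapping-sdk": ["tile-renderer", "http-lib"],
    "auth-client": ["jwt-lib", "http-lib"],
    "telemetry-agent": ["http-lib", "compression-lib"],
    "web-framework": ["template-lib", "http-lib"],
    "report-engine": ["pdf-lib"],
    "tile-renderer": ["image-codec"],
    "jwt-lib": ["crypto-lib"],
    "http-lib": ["tls-lib"],
    "tls-lib": ["crypto-lib"],
    "pdf-lib": ["image-codec", "compression-lib"],
    "template-lib": [],
    "compression-lib": [],
    "image-codec": [],
    "crypto-lib": [],
}


def walk(graph, product):
    """Breadth-first walk from `product`.

    Returns (depth, parent): `depth` maps every transitive component to its
    shortest hop count from the product (1 = a direct vendor); `parent`
    records the component each one was first reached through, so a chain
    can be reconstructed. Visiting each node once also makes the walk safe
    on graphs that contain cycles."""
    depth, parent = {product: 0}, {}
    queue = deque([product])
    while queue:
        node = queue.popleft()
        for dep in graph.get(node, []):
            if dep not in depth:  # first visit in BFS = shortest path
                depth[dep] = depth[node] + 1
                parent[dep] = node
                queue.append(dep)
    return depth, parent


def transitive_dependencies(graph, product):
    """{component: hops} for everything `product` ultimately depends on."""
    depth, _ = walk(graph, product)
    depth.pop(product)
    return depth


def exposure_chain(graph, product, vulnerable):
    """Shortest dependency chain from `product` down to `vulnerable`,
    or None if the product never pulls that component in."""
    depth, parent = walk(graph, product)
    if vulnerable not in depth:
        return None
    chain = [vulnerable]
    while chain[-1] != product:
        chain.append(parent[chain[-1]])
    return list(reversed(chain))


def exposure_report(graph, vulnerable):
    """Map each top-level product (a node nothing else depends on) to the
    chain through which it is exposed to `vulnerable`, or None."""
    depended_on = {d for deps in graph.values() for d in deps}
    products = [p for p in graph if p not in depended_on]
    return {p: exposure_chain(graph, p, vulnerable) for p in products}


if __name__ == "__main__":
    for product in ("dispatch-console", "records-portal"):
        deps = transitive_dependencies(DEPENDENCIES, product)
        print(f"{product}: {len(deps)} transitive components, "
              f"deepest at {max(deps.values())} hops")
    # Suppose a flaw is reported in crypto-lib, which no product uses directly.
    for product, chain in exposure_report(DEPENDENCIES, "crypto-lib").items():
        print(f"{product}: {' -> '.join(chain) if chain else 'not exposed'}")
```

Both products reach `crypto-lib` only at three hops, through vendors that are not themselves the crypto supplier. That is exactly the component a vendor questionnaire about “your” software would miss, and it is why asking vendors for their own component inventories matters.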

Commit to high scrutiny of external software

Public safety organizations must therefore be vigilant in evaluating and securing code integrated from their vendors and from other outside sources further up the supply chain. Public safety security requirements exceed those of typical business software, but thoroughly researching and assessing software makes it possible to find solutions that account for these requirements and their nuances.

Some questions to ask when evaluating third-party software integrations include:

  • Are your software vendors familiar with the security needs of public safety organizations?
  • Do your software partners have demonstrable security practices that match the rigor of your own?
  • Do they hold relevant third-party authorizations or attestations, such as FedRAMP authorization for cloud services offered to U.S. federal agencies, or documented compliance with the FBI CJIS Security Policy for systems that handle criminal justice information?
  • How do your vendors defend against infiltrations, and what are their security breach protocols?
  • What anomalies would indicate the vendor has been compromised, and how can you watch for such anomalies?
  • What measures (for example, network segmentation, narrowly scoped credentials, and monitoring of the integration) can you put in place to contain a third-party breach?
  • What are the bare minimum access or integration requirements for the software to function?
  • Do the benefits of the third-party software outweigh the potential security risks?

While no system is impervious, asking these questions in advance can allow you to make more security-minded decisions when changing your digital ecosystem—and increases your organization’s readiness to act when vulnerabilities or breaches are discovered. The deeper your understanding of your vendor’s systems and processes, the better defenses you can put in place.

Read the full article, “Elevate Your Security Posture and Readiness for 2021,” on GCN for more in-depth security considerations, such as whitelisting rather than blacklisting, the zero-trust model, static code analysis, and stronger two-factor authentication practices.

Posted on Jan 28, 2021