Software Supply Chain Risks: Why Embedded Systems Are More Vulnerable Than You Think
Software supply chain attacks have risen by over 700% in the past few years. With incidents like SolarWinds and Urgent/11 making headlines, this issue is more relevant than ever. Why are embedded systems particularly vulnerable? And what steps should organizations take to safeguard their software?
“There are motivated threat groups. There are known vulnerabilities. There's a known complex software supply chain. And we're seeing it in the statistics,” said Joe Saunders, RunSafe Security Founder and CEO.
In this edition of Embedded Security Insights, we’ll cover:
3 Software Supply Chain Risks in Embedded Systems
1) Third-party dependencies and open-source software
A report by Data Theorem found that 91% of organizations experienced a software supply chain attack in 2023, and of those security incidents, 41% involved a zero-day exploit on vulnerabilities within third-party code.
Embedded systems often use third-party software and open-source components to speed up development and reduce costs. While helpful, these dependencies can also introduce vulnerabilities into the software supply chain, as they may contain outdated code or unpatched security flaws. Organizations can stay ahead of open-source risks through thorough testing, regular updates, and maintaining a Software Bill of Materials (SBOM) for each product.
2) Legacy systems and patching challenges
Many embedded systems run on legacy code, often written years or even decades ago. This older code can have hidden vulnerabilities that were never addressed. Updating these systems can be tricky due to compatibility issues or a lack of support from vendors. Unfortunately, this makes them appealing targets for attackers who exploit these weaknesses.
3) Targeted by nation-state actors
Embedded systems in critical infrastructure are increasingly in the crosshairs of nation-state actors looking to disrupt operations or gather intelligence. Recent headlines about Chinese-backed nation-state threat groups like Volt Typhoon and Salt Typhoon put on clear display what is at risk. These attackers take advantage of vulnerabilities to further their geopolitical or economic goals, as seen in recent high-profile cyberattacks.
“China is carefully researching and positioning itself within U.S. critical infrastructure,” Joe Saunders said. “They understand this access could be valuable down the road, not only as a strategic bargaining chip in scenarios like a trade war, but also as the foundation for unleashing a ‘cyber bomb’ at a time and place of their choosing.”
Listen to Joe speak more on the Volt Typhoon threat group.
Strategies for Software Supply Chain Security
As much as we all want an easy button for security, “there is no one magic tool that goes out there and scans a piece of software you're considering and tells you if it's quality or not,” said Andy Kling, VP of Cybersecurity at Schneider Electric.
Where should product manufacturers start to improve software supply chain security?
“You have to think about the supply chain relationships you have upstream and downstream,” Andy said. “It's in those relationships, then, that you can start to have the conversations about what software development practices are you following? What do your support policies look like? Are you following industry standards? Are you conforming to emerging regulations around cyber security and product quality? All of these things are part of that secure supply chain conversation that needs to take place.”
Here are four areas to consider:
Build Security Into Development
Make security a part of every stage of your development process. Frameworks like the Secure Software Development Framework (SSDF) can guide you in creating consistent, thorough security practices. By applying Secure by Design principles from the start, you’ll catch vulnerabilities early and create a stronger foundation for your products.
Work Closely with Suppliers
Team up with your third-party partners to set clear security expectations and ensure compliance. Transparency is essential—ask suppliers to share how they protect their part of the supply chain. By collaborating, you can build trust and strengthen weak points in your security together.
Embrace SBOMs and Available Security Tools
Fuzzing, automated testing, and software composition analysis are a good place to start for gaining insight into what is in your software. Even better, treat your SBOMs as more than a compliance requirement and use them to get a full picture of your software. If you don’t know what components are in your software, you won’t have the visibility and foundation you need to secure it.
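The dependency passage above and this one both come down to the same practical step: knowing which component versions ship in a product and checking them against known-vulnerable ranges. The script below is an added example of that check, not code from RunSafe, Schneider Electric, or any SBOM tool. It assumes a CycloneDX-style JSON SBOM and a simple advisory list keyed by component name; both the SBOM and the advisory entries (including the ADV-EXAMPLE-* identifiers and component names) are constructed sample data embedded inline so the script runs offline.

```python
"""Check the components listed in an SBOM against known-vulnerable versions.

Added example (not the page's or any vendor's code). The SBOM is a constructed
CycloneDX-style JSON document and the advisory list is constructed sample data.
"""
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample SBOM in CycloneDX JSON layout. Component names and versions
# are made up for illustration; a real SBOM comes from a build-time generator.
# The last component deliberately has no version, the common "vendor blob" case.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libtls-example", "version": "1.2.3",
         "purl": "pkg:generic/libtls-example@1.2.3"},
        {"type": "library", "name": "json-parser-example", "version": "0.9.0",
         "purl": "pkg:generic/json-parser-example@0.9.0"},
        {"type": "library", "name": "rtos-net-example", "version": "4.1.7",
         "purl": "pkg:generic/rtos-net-example@4.1.7"},
        {"type": "library", "name": "vendor-blob-example"},
    ],
})

# Constructed advisory feed: component name -> [(first_fixed_version, advisory id)].
# A component is affected when its version is older than first_fixed_version.
# The advisory ids are placeholders, not real CVE numbers.
SAMPLE_ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "libtls-example": [("1.2.4", "ADV-EXAMPLE-0001")],
    "json-parser-example": [("1.0.0", "ADV-EXAMPLE-0002")],
}


def parse_version(version: str) -> tuple:
    """Turn 'MAJOR.MINOR.PATCH[-pre]' into an orderable tuple.

    '1.2' compares equal to '1.2.0', and a pre-release tag such as
    '1.2.3-rc1' sorts before the final '1.2.3'.
    """
    release, _, pre = version.partition("-")
    nums = tuple(int(p) for p in release.split("."))
    nums = nums + (0,) * (3 - len(nums))  # pad short versions
    return (nums, 0 if pre else 1, pre)


def load_components(sbom_json: str) -> List[Dict[str, Optional[str]]]:
    """Return name/version records from a CycloneDX JSON document.

    Components without a version are kept (version None) so the caller can
    flag them instead of silently assuming they are safe.
    """
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    return [{"name": c.get("name"), "version": c.get("version")}
            for c in bom.get("components", [])]


def find_affected(components: List[Dict[str, Optional[str]]],
                  advisories: Dict[str, List[Tuple[str, str]]]) -> List[dict]:
    """Match each component against the advisory list.

    Returns one finding per (component, advisory) hit, plus an
    'unknown-version' finding for components whose version is missing.
    """
    findings = []
    for comp in components:
        name, version = comp["name"], comp["version"]
        if version is None:
            findings.append({"name": name, "version": None, "advisory": None,
                             "fixed_in": None, "status": "unknown-version"})
            continue
        for fixed_in, advisory_id in advisories.get(name, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append({"name": name, "version": version,
                                 "advisory": advisory_id, "fixed_in": fixed_in,
                                 "status": "affected"})
    return findings


if __name__ == "__main__":
    for f in find_affected(load_components(SAMPLE_SBOM_JSON), SAMPLE_ADVISORIES):
        if f["status"] == "affected":
            print(f"{f['name']} {f['version']}: {f['advisory']} (fixed in {f['fixed_in']})")
        else:
            print(f"{f['name']}: version missing from SBOM, cannot assess")
```

Two design points matter here. Unversioned components are reported rather than skipped, because a component the SBOM cannot pin is exactly the one that ends up unpatched. And version ordering is done numerically rather than by string comparison, so "1.10.0" is correctly newer than "1.9.0"; for real package ecosystems a purpose-built version parser is still preferable to this simplified one.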
Use Runtime Code Protections
Strengthen your defenses by deploying runtime protections like Load-Time Function Randomization, which randomizes where functions sit in memory each time a program loads, so exploits that depend on known code addresses fail. These protections make entire classes of memory-corruption vulnerabilities unexploitable, making it much harder for bad actors to compromise your systems. Proactively tackling runtime threats keeps your embedded systems protected while they’re running.
There’s much more to say on this topic—if you want to hear more from Andy and Joe, listen in on their conversation, “Securing Embedded Systems in ICS/OT: Strategies to Defend Against Software Supply Chain Risks.”
A Parting Update!
This month, RunSafe launched our new Risk Reduction Analysis. The tool is part of the RunSafe Security Platform and lets organizations measure their exposure to CVEs and memory-based zero-days, and see how much that risk shrinks with runtime protections applied.
You can view and click around in a sample report here. The findings are quite eye-opening when you see for yourself.
Looking for More?
Keep up with RunSafe. Follow us on LinkedIn for regular news, updates, and expertise. And subscribe to our monthly email newsletter for additional content straight to your inbox.