Jon Geater, chief technology officer at RKVST, introduces SCITT and discusses the need for a new approach to trust in increasingly digital or digitised supply chains
As if we haven’t already got enough, here’s another information security acronym for you – SCITT.
SCITT stands for ‘Supply Chain Integrity, Transparency, and Trust’. It’s a relatively new term and there is still discussion over its scope and definition. However, the core is very simple: risk sits with the operator of equipment, but it originates at every point in the supply chain.
If an organisation is going to take control of and responsibility for its own cyber physical risk, then it must know what it is dealing with. This involves questions such as, how was this machine made? Who has touched it along the way? What sensitive components are inside it? And crucially, how do I prove to my own and my auditor’s satisfaction that it is safe and secure to operate?
The answers to all these questions are much easier to find if supply chain partners collaborate and share data about shared assets and processes in a spirit of transparency, accountability, and trust.
Why now?
There have been a number of high-profile security breaches and ransomware attacks in recent years, including SolarWinds and Kaseya, that have raised the visibility of supply chain vulnerability as a top cyber issue. Governments have now started to take supply chain attacks more seriously than ever before, while companies are beginning to drown under the weight of managing threat exposure.
According to the UK National Cyber Security Centre (NCSC) in its Annual Review of 2021, the compromise of software company SolarWinds and the exploitation of Microsoft Exchange Servers highlighted the threat from supply chain attacks. These sophisticated attacks, which saw actors target less-secure elements such as managed service providers or commercial software platforms in the supply chain of economic, government and national security institutions, were two of the most serious cyber-intrusions ever observed by the NCSC.
White House Executive Order
Another driver for SCITT is Executive Order 14028, recently published by the US White House. In common with moves from other governments in recent years, the order highlights the need to transition to a Zero Trust mindset, with supply chain transparency and trust a major pillar of that.
The first flurry of activity around 14028 was concerned specifically with Software Bills of Materials, or SBOMs, but it quickly evolved to recognise that generating SBOMs is not enough. You also need secure ways of sharing them with the right stakeholders, of analysing them alongside the right risk information and, ultimately, of using them to make strong, confident zero trust decisions based on data from your now very digital supply chain.
National Cybersecurity Center of Excellence (NCCoE)
Alongside its efforts to promote and improve implementation of Zero Trust Architectures, NCCoE is running a project to improve supply chain assurance, which focuses on many similar themes. The project aims are stated as: ‘Technologies today rely on complex, globally distributed and interconnected supply chain ecosystems to provide highly refined, cost effective, and reusable solutions.
Organisations currently lack the ability to readily distinguish between trustworthy and untrustworthy products. Having this ability is a critical foundation of cyber-security supply chain risk management (C-SCRM).’
The Internet Engineering Task Force (IETF) SCITT Working Group
Finally, in March 2022, SCITT started as an IETF ‘birds of a feather’ (BoF) and recently became a fully-fledged Working Group to tackle this exact problem. In the exchange of artifacts across end-to-end supply chains, receiving entities often require evidence to verify the suitability of artifacts for an intended use.
Key questions are how the authenticity of entities, evidence, policy, and artifacts can be assured and how the evidence provided by entities can be guaranteed to be authorised, transparent, immutable and auditable.
This problem statement from the March IETF BoF meeting clearly lays out the need for a new approach to trust in increasingly digital or digitised supply chains:
The increasing size, scale and complexity of supply chain digitalization challenges traditional pre- and post-audit methodologies, exposing gaps in essential primitives. A minimal, simple, and concise set of building blocks could guarantee long-time accountability and interoperability for software components and their metadata through their life-cycles across architecturally diverse systems.
What are the root causes?
The way forward for SCITT
All four of these clear industry proof points have strong common themes around the so-called Trust Gap. Trust gaps are certainly nothing new, but when it comes to supply chains, traditional processes lock data away in silos and can’t keep pace with the speed of digital transformation in today’s highly connected supply chains.
To move forward from here we require standards and services for ensuring the fast, trustworthy exchange of digital evidence in industrial cyber-security supply chains.
There needs to be a shift in mindset from bulletproof security and silver bullets toward a spirit of zero trust, shared intelligence, and resilience in the face of emergent threats. Things are only secure until they’re not, and trust is contextual, so it’s not enough to do an audit or security report once and then rely on it for months afterwards.
Security and trust posture needs to be continuously verified in near real time. Assume breach, and then quickly deal with problems when they arise.
This isn’t just about the fear, uncertainty and doubt around cyber-attacks or Advanced Persistent Threats (APTs). Many seemingly innocent or accidental things can also affect security and trustworthiness between organisations, including different risk exposure, different personnel capabilities, different training regimes or different practical operating constraints. And of course, everyone has different commercial motivations.
The only way to cope with all of this is to move from the impossible task of trying to make cheating and threats impossible, to the more tractable one of detecting and mitigating threats as they arise.
An extreme but essential point to understand is that SCITT does not prevent attacks or bad actors, but it does hold them accountable through the principle of transparency. If someone cheats or messes up too many times, they will be ostracised by the group. If someone refuses to act transparently, they will struggle to gain business. The end result is market forces that incentivise everyone to hold themselves accountable and accept responsibility for their own informed risk.
As all of the expert organisations quoted above state, we cannot stop authorised supply chain actors from making false claims. But we can make them accountable by requiring their claims to be registered in a verifiable and transparent data store.
Once this principle and the idea of attestation is internalised, the security benefits of SCITT suddenly become clear. The goal is to have and maintain a tamper-proof, transparent record of who did what, when, to underpin trustworthy supply chain operations.
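The principle above, that claims are registered in a tamper-evident record rather than trusted on sight, can be illustrated with a minimal hash-chained claim registry. This is an added example, not code from RKVST or the IETF working group; the issuer names, subject, claim contents, digests and timestamps are constructed sample values, and signatures on entries, which a production registry would need, are omitted for brevity.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed: the "previous digest" of the first entry


def entry_digest(body: dict) -> str:
    """Canonical SHA-256 of an entry body (sorted keys, compact separators)."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class ClaimRegistry:
    """Append-only, hash-chained record of who claimed what about an artifact, and when.

    Each entry commits to the previous entry's digest, so altering, re-ordering or
    dropping any registered claim changes the chain and is caught by verify()."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def register(self, issuer: str, subject: str, claim: dict, when: str) -> str:
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "issuer": issuer, "subject": subject,
                "claim": claim, "when": when, "prev": prev}
        digest = entry_digest(body)
        self.entries.append({**body, "digest": digest})
        return digest  # handed back to the issuer as a receipt for the registration

    def verify(self) -> bool:
        """Recompute the whole chain; False if any entry was altered or re-ordered."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "digest"}
            if entry["seq"] != i or entry["prev"] != prev or entry_digest(body) != entry["digest"]:
                return False
            prev = entry["digest"]
        return True

    def receipt_valid(self, receipt: str) -> bool:
        """A receipt is good only if the chain is intact and contains that digest."""
        return self.verify() and any(e["digest"] == receipt for e in self.entries)


def demo() -> tuple:
    """Constructed sample: a fabricator registers an SBOM claim, an auditor a test result."""
    reg = ClaimRegistry()
    r1 = reg.register("acme-fab", "plc-firmware-1.2.3",
                      {"type": "sbom", "sha256": "deadbeef" * 8}, "2024-01-15T09:00:00Z")
    reg.register("audit-co", "plc-firmware-1.2.3",
                 {"type": "pen-test", "result": "pass"}, "2024-02-01T14:30:00Z")
    before = reg.receipt_valid(r1)
    reg.entries[0]["claim"]["sha256"] = "cafef00d" * 8  # after-the-fact edit of a registered claim
    after_edit = reg.verify()
    reg.entries.pop(0)  # silently dropping an entry also breaks the chain
    return before, after_edit, reg.verify()
```

Running `demo()` returns `(True, False, False)`: the receipt verifies while the record is untouched, and both the edit and the deletion are detected afterwards.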
Jon Geater is chief technology officer at RKVST
© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543