Why Vulnerability Management and SBOM Alone Can’t Mitigate Supply-Chain Risks

January 18, 2023
Max Cheng
Why Vulnerability Management and SBOM Alone Can’t Mitigate Supply-Chain Risks

Uncovered vulnerabilities and cyberattacks on different sectors of the automotive industry highlight two salient points: Its supply chain is at risk and cybercriminals are geared to exploit it. Last year, the LockBit ransomware group threatened to publicize stolen data from a car parts manufacturing giant. A month before that, European authorities cracked down on a car-theft ring that used a notably more sophisticated method of exploiting the remote keyless entry (RKE) system of targeted vehicles.  

Other similar incidents in 2022 saw the automotive sector being targeted. Early last year, for example, Toyota had to shut down production because of a cyberattack on one of its suppliers. This series of incidents proves that attacks can happen at any point in the automotive supply chain and that risks in one sector can affect its entirety. The nightmare scenario for automotive manufacturers (OEMs) — and the ideal one for cybercriminals — involves finding weak links in the supply chain that, when exploited, would affect cars that are already on the road. 

Signs of more advanced cybercriminal attacks on the vehicle software supply chain

Ransomware attacks on the automotive supply chain have already caused supplier shutdowns. At first glance, these incidents appear as a small-scale risk. However, the true impact of ransomware attacks involves lost production capacity and shipment delays. In our annual threat report, this is exactly the type of attack that we saw in 2022, and we predict that we will see more of the same in 2023. This reiterates the need for the automotive industry to always be prepared in the face of evolving attacks. Case in point, what would happen if cybercriminals began adapting the advanced-persistent-threat (APT) approach in their attacks on the automotive sector? It is possible, after all, that the attacks we are seeing now are just signs of what is to come. 

Another possibility might involve cybercriminals infecting ready-to-ship OEM packages with ransomware — a large-scale risk that would deal heavy consequences on consumers and leave an indelible scar on an OEM’s reputation.  

Notably, other industries have experienced this natural evolution of threats. In 2020, cybercriminals attacked SolarWinds by deploying malicious code in the company’s monitoring and management software. As with the nature of supply-chain attacks, the consequences were extensive. Tens of thousands of companies, both private and public, were compromised because SolarWinds had unknowingly distributed malicious code as part of its update. As for the automotive sector, imagine such a scenario, only with thousands of vehicles on the road running software already infected with malicious code, injected either during the supplier development process or through an over-the-air (OTA) update. 

For an attack similar to the one conducted on SolarWinds to happen, suppliers themselves would have to be infected with ransomware or malicious code. It is therefore a must to learn whether vulnerability management and a software bill of materials (SBOM) are suitable for protection against these threats.

Vulnerability management and SBOM alone don’t eliminate supply-chain risks

We highlighted these two solutions because vulnerability management and an SBOM are well-known and recommended measures against supply-chain attacks for good reason. However, in the face of evolving cyberattacks, the automotive industry needs to reexamine whether these two solutions can address future attacks. Before assessing their capabilities in the face of new threats, however, it is important to know what vulnerability management and an SBOM are and what they can do. Vulnerability management is the process of continuously identifying and remediating vulnerabilities across endpoints, while an SBOM is a list of open-source components in a piece of firmware that is useful in monitoring vulnerabilities. More importantly, both are necessary components of a robust security strategy in a company’s compliance journey to ISO/SAE 21434 and UN Regulation No. 155 (UN R155). In a past entry, we discussed how essential these two are in securing the automotive supply chain.  

Inevitably, the automotive attack surface is growing more complex with time. Vulnerability management and an SBOM can enable OEMs to remove the risk of known vulnerabilities and give them visibility over software components, respectively. Even with these two capabilities, however, OEMs will not be able to address advanced attacks such as ransomware or malicious code injection. Without addressing these two risks, manufacturers can inadvertently carry and distribute malware from their own software provider and software supply chain. 

A supply-chain risk management framework

What then can be done? As Figure 1 illustrates, OEMs should consider specific solutions for each phase of the automotive supply chain. My focus for this entry is the start-of-production (SOP) phase, where vulnerability management and an SBOM play key yet partial roles. Malicious code scanning and dynamic behavior monitoring are also essential to ensure that cars run on secure software components.  

In addition to the visibility afforded by vulnerability management and an SBOM, malicious code scanning and dynamic behavior monitoring help continuously check for and address the malicious code injected in the component software used by OEMs. By addressing these at the SOP phase, OEMs reduce their risk of inadvertently distributing malware potentially carried from their suppliers.

supply_chain_risk_managementFigure 1. The supply-chain risk management framework


Over the years, more efforts that align with this framework have been made to improve security against supply-chain attacks. OEMs can refer, for instance, to the National Cyber Security Centre (NCSC)’s guidance for improving cybersecurity against such attacks, which details more rigorous specifications for choosing and keeping suppliers. Microsoft has also released its framework for securing its software development processes in response to the growing use of open-source software (OSS) by developers — a reality shared by the automotive industry. Meanwhile, the Secure Supply Chain Consumption Framework (S2C2F) uses a threat-based and risk-reduction approach that aligns with our own framework as it identifies the most mature level of security as capable of not only monitoring for vulnerabilities but also mitigating sophisticated attacks. 

It is worth reiterating that we can already see early signs of more serious supply-chain attacks on the automotive industry. The Sirius XM vulnerability, for example, could have exposed millions of cars from different brands had it been exploited in a malicious attack, indicating the far-reaching effects of a weak link in the supply chain. Indeed, supply-chain attacks are designed to bypass traditional security measures and processes. By strengthening defenses in the production phase, OEMs can thus minimize and stop supply-chain attacks in their tracks. Although vulnerability management and an SBOM are necessary measures that certainly help OEMs comply with regulations, these two are simply not enough to prevent sophisticated threats in the near future.

Our News and Views

Gain Insights Into Automotive Cybersecurity

Visit Our Blog

Accelerate Your Automotive Cybersecurity Journey Today

Contact Us