Where Third Party Risk Assessments Are Falling Short

When it comes to measuring risk, third party assessments have long been the standard for deciding which products to add to our networks and critical infrastructure, whether it’s within our organizations or within our power grids, hospitals, and telecommunications networks. But the rapid adoption of connected devices—the internet of things (IoT), operational technology (OT), and other embedded systems—has completely changed the source of device risk. Whereas before, having a deep understanding of our vendors was the primary option for assessing risk, it is now clearer than ever that these third party risk assessments are falling short of where we need to be to prevent our networks and infrastructure from being compromised. Both device manufacturers and asset owners need a scalable solution that takes inherent device risk into account. And while these assessments give us key information, we cannot see the full picture without looking directly into the devices themselves.

WHAT DO THIRD PARTY RISK ASSESSMENTS ACTUALLY MEASURE?

Conventional third party risk assessments are strenuous and broad. Through lengthy questionnaires that evaluate a vendor’s security posture, reputation, privacy risk, and so on, these assessments attempt to answer the question, “should I trust this company with my data?”

On their own, these assessments are crafting an image of risk based on vendor responses and assumptions, and that leave us with a number of problems:

• A lack of hard data means that you must rely on trust. There’s something strange about asking a vendor questions about their own trustworthiness. If you’re worried that you can’t trust a company with your data, why should you trust their responses? This leads to situations where your team may have to rely on gut instinct to know when something just feels off.
  
  
• You must assume that the vendor being assessed understands their products, firmware, and supply chain. Even if you deem a vendor to be trustworthy, you are then relying on their processes and on every member of their team to know what they’re doing and to function flawlessly. The vendor in question may very well believe that their products are secure, but if they don’t understand their own supply chain risk, or if their suppliers don’t understand the security of their components, then how can you trust their answers?
  
  
• Third party risk assessments don’t show the whole picture when it comes to supply chains. Your vendors have suppliers that provide software and hardware components for their products. Those suppliers may have their own suppliers, and so on. Supply chains are complex, multi-leveled, and constantly shifting. Unless your risk assessment is assessing every individual sub-supplier, these assessments cannot reveal the risks being introduced by your supply chain.

Even if we do our best to minimize these issues, what are we actually measuring? Again, we are asking, “should I trust this company with my data?” but that doesn’t help us understand actual product risk. It doesn’t give asset owners the ability to see what vulnerabilities are inside their devices or what issues are introduced by their supply chains. What if in addition, we asked, “should I trust this device on my network?” How would we assess risk then?

DON’T JUST TRUST—VERIFY

If we focus on the right underlying problems, we will no longer have to rely on trust to secure our networks and infrastructure. If we can see the vulnerabilities inside the devices themselves, we no longer have to guess at what may have been introduced at any given stage in a product’s supply chain. In order to do this, asset owners must utilize a supply chain risk model that is focused on real threats and vulnerabilities, including:

• Inherent Product Risk: an analysis of device firmware that provides you with overall device risk, a robust Software Bill of Materials (SBoM), hard coded credentials, cryptographic materials, safety features, code complexity, unsafe function calls, memory corruption, and code analysis.
• Vulnerability and Threat Risk: Information on the presence of known vulnerabilities (CVEs), zero-day vulnerabilities, and known incidents, alerts, advisories, and threats.
• Supply Chain Risk: Information about vendor watch lists, vendor manufacturing location, and FOCI (foreign ownership, control, and influence.)

Third party risk assessments supply only one part of a larger product risk picture. With a more comprehensive product risk approach, both asset owners and device manufacturers can start to take meaningful steps to manage their risk for each of their devices.

COMPREHENSIVE PRODUCT AND SUPPLY CHAIN SECURITY FOR CONNECTED DEVICES

Until now, it’s been a challenge to find scalable solutions for monitoring and managing product risk. With Finite State’s comprehensive product security platform, this entire process is automated, allowing your organization to focus on mitigating those risks, achieving compliance, and ensuring the security of your network.