CIO Influence

Software Supply Chain Security Across IT/OT Environments: Strategies for CIOs

IT/OT convergence has blurred traditional security boundaries and created new challenges for interconnected IT and OT systems. OT networks now connect to cloud platforms, and IT systems interface directly with industrial controls through data pipelines, remote access tools and, in some cases, unsecured maintenance portals; attackers are using these links to move between the two environments. Recent data shows that 75% of manufacturing cyber incidents target converged IT/OT systems.

In this post-convergence era, software supply chain vulnerabilities are a critical threat vector. High-profile incidents illustrate the stakes in different ways: SolarWinds showed a trojanized vendor update, built and signed inside the vendor's own pipeline, reaching thousands of customers; Equifax showed the cost of an unpatched open-source component (Apache Struts) in an internet-facing application; and Colonial Pipeline showed how a ransomware intrusion into IT systems can force an OT shutdown even when the control systems themselves are not directly compromised. Attackers frequently use weaknesses in IT systems to reach OT environments, or vice versa, disrupting critical operations and causing significant financial and reputational damage.

There are several ways CIOs can take charge of addressing these risks.

Software Supply Chain Attacks on the Rise

For today's CIO, understanding and securing the software supply chain is a strategic imperative. Every application in your environment incorporates code from multiple sources: internal development teams, commercial vendors, open-source communities, and various third-party libraries and frameworks. The reliance on third-party and open-source software components creates cascading risks. A single compromised dependency can propagate across converged IT/OT networks, disrupting critical operations and enabling lateral movement.

Equifax is one example, but the risks have since become more severe. The CircleCI incident in 2023 showed how a compromised CI/CD provider exposes everything a build pipeline holds: the attacker stole customer secrets stored on the platform, forcing customers to rotate every token, signing key and deployment credential their pipelines used, any of which could have been used to tamper with downstream builds. Meanwhile, AI-assisted attacks are changing the playing field.

Many CIOs don't directly oversee OT infrastructure, but they can play a key role in bringing IT and OT security together. As these areas converge, a unified approach to securing software supply chains is a must. A vulnerability in one can seriously impact the other.

Strategic Actions for CIOs: Securing the Modern Software Supply Chain

1. Request and Implement Software Bill of Materials (SBOMs)

A Software Bill of Materials (SBOM) is an essential tool for managing software supply chain risk. An SBOM is a machine-readable inventory of the components in an application or system, including third-party and open-source elements, and is typically exchanged in the SPDX or CycloneDX format. SBOMs moved from good practice to requirement after the 2020 SolarWinds attack: US Executive Order 14028 (May 2021) directed that software sold to the federal government be accompanied by an SBOM, and the Log4Shell disclosure in December 2021 showed why, as organizations without a component inventory struggled for weeks to find where log4j was running.

By requiring detailed SBOMs from vendors and suppliers, CIOs gain critical visibility into what’s actually running in an environment. This transparency enables:

  • Identification of vulnerable components across both IT and OT systems
  • Understanding of dependencies between applications and infrastructure
  • The ability to quickly determine exposure when new vulnerabilities are disclosed
  • Prioritization of remediation efforts based on business risk and operational impact
  • The ability to make informed decisions about software acquisition and deployment

Requesting SBOMs is straightforward; acting on them is where the value lies. Begin by writing the requirement into procurement contracts and vendor management practices, specify a standard format (SPDX or CycloneDX) so the documents can be ingested automatically, and require an updated SBOM with every release rather than a one-time snapshot.

2. Adopt Risk-Based Assessment and Prioritization

SBOMs provide visibility into your software; the next step is to use them to assess and prioritize risk. To evaluate the security posture of systems that operate across IT/OT boundaries, assess risk based on factors such as:

  • Number and severity of known vulnerabilities in the software components
  • The criticality of affected systems to business operations
  • Potential for exploitation across IT/OT boundaries
  • Exposure to external threats
  • Business impact of compromise
  • Remediation complexity and operational disruption

Analyzing risk helps prioritize remediation efforts and security investments where they deliver the greatest risk reduction. By focusing on systems with both high vulnerability scores and significant operational impact, you can allocate resources more effectively.

3. Strengthen IT/OT Security via Secure by Design Principles

While SBOMs and risk scoring provide visibility and prioritization, it's also important to emphasize security from the ground up by adopting Secure by Design principles. Secure by Design embeds security considerations into every stage of the software lifecycle, from requirements gathering through deployment and maintenance.

As a CIO, you can drive this transformation and protect the software supply chain by:

  • Establishing clear security requirements for all software acquisitions, whether developed internally or purchased from vendors, including requesting SBOMs
  • Implementing automated security testing throughout the development and deployment pipeline
  • Requiring security certifications and compliance attestations from vendors
  • Creating secure configuration baselines for all deployed software
  • Implementing a vulnerability management program that spans both IT and OT environments

CISA (the Cybersecurity and Infrastructure Security Agency) publishes Secure by Design guidance for software manufacturers, along with a companion Secure by Demand guide that gives buyers concrete questions for judging whether a vendor actually follows those principles.

4. Mitigate Risks Using Threat Intelligence and Vulnerability Management

CIOs can improve software supply chain security by pairing SBOM data with threat intelligence and a disciplined vulnerability management process, so that risks are mitigated early rather than after exploitation.

  • Regularly cross-reference SBOMs with vulnerability data sources (e.g., NVD, OSV, vendor advisories) and with CISA's Known Exploited Vulnerabilities catalog, so that flaws being exploited in the wild surface first
  • Update patch management workflows to prioritize vulnerabilities with the highest risk of lateral movement between IT and OT domains
  • Where patching OT systems is impractical (vendor certification, uptime requirements), use compensating controls such as network segmentation, application allowlisting and virtual patching at the IT/OT boundary until a maintenance window allows the fix
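The three SBOM-driven steps above (request SBOMs, prioritize by risk, cross-reference with vulnerability data) come together in the following Python sketch. It is an added example written for this article, not code from the author or from any vendor. The two CycloneDX SBOMs, the asset register and the two-entry vulnerability feed are constructed sample data; the scoring weights are an illustrative choice, and the version ranges are simplified (real matching should pull NVD or OSV data and apply each ecosystem's own version rules).

```python
"""Cross-reference CycloneDX SBOMs with a vulnerability feed, then rank the
findings by IT/OT risk. Added example; all data below is constructed."""
import json
from collections import namedtuple

# Two CycloneDX 1.5 SBOMs as a vendor would deliver them (constructed sample
# data): an internet-facing IT application and an OT historian that bridges
# the plant network and the IT side.
SBOM_DOCUMENTS = {
    "erp-web": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "name": "struts2-core", "version": "2.5.10",
         "purl": "pkg:maven/org.apache.struts/struts2-core@2.5.10"},
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}]}),
    "plc-historian": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "openssl", "version": "1.1.1w",
         "purl": "pkg:generic/openssl@1.1.1w"}]}),
}

# Asset register carrying the prioritization factors from the article:
# criticality 1..5 plus the exposure flags that drive IT/OT lateral movement.
ASSETS = {
    "erp-web": {"zone": "IT", "criticality": 3, "internet_facing": True,
                "bridges_it_ot": False, "patchable_in_place": True},
    "plc-historian": {"zone": "OT-DMZ", "criticality": 5, "internet_facing": False,
                      "bridges_it_ot": True, "patchable_in_place": False},
}

# Vulnerability feed excerpt in OSV-style introduced/fixed form. The IDs are
# real but the ranges are simplified (pre-release versions ignored); pull them
# from NVD or OSV in production rather than hand-maintaining them.
VULN_FEED = [
    {"id": "CVE-2021-44228", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0", "fixed": "2.15.0", "cvss": 10.0},
    {"id": "CVE-2017-5638", "purl": "pkg:maven/org.apache.struts/struts2-core",
     "introduced": "2.5.0", "fixed": "2.5.10.1", "cvss": 10.0},
]

Finding = namedtuple("Finding", "system zone component version vuln_id score action")


def version_key(version):
    """Comparable tuple for dotted versions ('2.5.10' < '2.5.10.1'); non-numeric
    segments sort below numbers. Real matching needs each ecosystem's own rules."""
    return tuple((1, int(p)) if p.isdigit() else (0, p)
                 for p in version.replace("-", ".").split("."))


def is_affected(version, vuln):
    """True when introduced <= version < fixed."""
    return version_key(vuln["introduced"]) <= version_key(version) < version_key(vuln["fixed"])


def load_components(sbom_json):
    """Yield (purl-without-version, version) for each component of a CycloneDX SBOM."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    for comp in doc.get("components", []):
        if "purl" in comp:
            package, _, version = comp["purl"].partition("@")
            yield package, version


def find_vulnerable_components(sbom_json, feed=VULN_FEED):
    """[(package, version, vuln)] for every component the feed says is affected."""
    return [(pkg, ver, v) for pkg, ver in load_components(sbom_json)
            for v in feed if v["purl"] == pkg and is_affected(ver, v)]


def risk_score(cvss, asset):
    """0..10: CVSS scaled by criticality (1..5) and exposure (1.0..2.0).
    The weights are an illustrative choice for this example, not a standard."""
    exposure = 1.0 + 0.5 * asset["internet_facing"] + 0.5 * asset["bridges_it_ot"]
    return round(cvss / 10 * asset["criticality"] * exposure, 1)


def recommended_action(asset):
    """OT assets that cannot be patched in place get a compensating control now."""
    if asset["patchable_in_place"]:
        return "patch in next maintenance window"
    return "apply compensating control (segmentation, virtual patch) now; patch at planned outage"


def prioritize(sboms=SBOM_DOCUMENTS, assets=ASSETS, feed=VULN_FEED):
    """All findings across all systems, highest risk first."""
    findings = [Finding(system, assets[system]["zone"], pkg, ver, v["id"],
                        risk_score(v["cvss"], assets[system]), recommended_action(assets[system]))
                for system, sbom_json in sboms.items()
                for pkg, ver, v in find_vulnerable_components(sbom_json, feed)]
    return sorted(findings, key=lambda f: f.score, reverse=True)


def systems_exposed_to(vuln_id, sboms=SBOM_DOCUMENTS, feed=VULN_FEED):
    """The 'new CVE just dropped, where are we exposed?' query against stored SBOMs."""
    wanted = [v for v in feed if v["id"] == vuln_id]
    return sorted(s for s, sbom_json in sboms.items() if find_vulnerable_components(sbom_json, wanted))


if __name__ == "__main__":
    for f in prioritize():
        print(f"{f.score:4.1f} {f.system:14}[{f.zone}] {f.component}@{f.version} {f.vuln_id}: {f.action}")
    print("Exposed to CVE-2021-44228:", systems_exposed_to("CVE-2021-44228"))
```

Run as a script, the historian's log4j finding ranks above the ERP's Struts finding even though both carry a CVSS of 10.0, because criticality and the IT/OT bridge weigh in, and the historian's entry comes with a compensating-control action rather than a patch instruction since it cannot be patched in place. The `systems_exposed_to` query is the one that matters on disclosure day: it answers "where is this component running?" from SBOMs you already hold, without scanning.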

5. Foster Relationships with Suppliers and Partners

Collaborating with software vendors and OT suppliers is essential for the long-term security of the software supply chain. When engaging with suppliers, asking specific questions about their security practices is a good way to build transparency and trust. Ask questions such as:

  • How do they identify and mitigate vulnerabilities in their supply chain?
  • What security testing do they perform before releasing software?
  • How quickly do they respond to vulnerability disclosures?
  • What security certifications or attestations do they maintain?
  • Can they provide timely, accurate SBOMs for their products?

Establishing open lines of communication and setting clear security expectations can reduce risks across both IT and OT systems.

The Software Supply Chain: The CIO’s Strategic Priority

As the boundaries between IT and OT have dissolved, the two domains share risks that demand integrated approaches to security, and the CIO's role has grown to include protecting enterprise resilience across both.

With forward-thinking strategies and a commitment to securing software supply chains, CIOs can reduce that shared risk rather than merely react to it. Understanding supply chain vulnerabilities, requiring and using SBOMs, prioritizing by risk, applying Secure by Design principles and holding vendors to clear expectations together form the path toward a more secure and resilient organization, one that acknowledges and addresses the reality of interconnected IT/OT systems.
