Every organization relies on software and hardware from another organization for their work. Those technologies also pose risks for all aspects of conducting their operations. Awareness of this cyber supply chain risk has been amplified by recent high-profile attacks, such as SolarWinds, Kaseya, and NotPetya, which have disrupted business operations and daily lives around the globe. 

Supply chain security poses a major challenge because bad actors can infiltrate systems through a third party, such as a partner or provider that has access to or runs programs on a company’s systems. With more outside partners and software touching systems than ever before, the attack surface has drastically increased while attackers are increasingly sophisticated in their tactics. 

“Just-in-time delivery capabilities that have become table stakes for modern operational environments can be disrupted by software and hardware supply chain cybersecurity risks, shattering public trust in many organizations, as we have seen with recent high-profile software component and service compromises,” said Beau Woods. 

I Am the Cavalry’s Beau Woods founded the Supply Chain Sandbox and led their interactive events at this year’s RSA Conference. This included games like Supply Chain Sprint, QuadBlocks Quiz, SupplyChainSandbox Jeopardy, and SBOM Mixology, which engage participants in simulations to improve supply chain security skills, development, and teamwork. 

The hands-on experiences illustrate the supply chain issues and offer approaches to arrange them more effectively. “Communicating through games started as something that was a way to get a bunch of people to all visually see the problem together when gathered at a physical event and then when things went virtual, it was easy enough with the skillsets of the folks supporting the Sandbox to help develop the games,” said Alyssa Feola, a cybersecurity advisor who served as deputy lead of the Sandbox. 

“We got to take people’s ideas and figure out what made the most sense to do in the near term and we’re really excited for some longer-term games for future events.” 

The sandbox also featured live demonstrations, “birds of a feather” talks, and resources on supply chain risk.

For sFractal Consulting’s “chief cyber curmudgeon” Duncan Sparrell, the Supply Chain Sandbox is a post-retirement passion. After a career in government and private sector security work, he’s been deeply involved in security standards and understanding open source software vulnerabilities, serving as a member of the Department of Commerce’s National Telecommunications and Information Administration (NTIA) Software Bill of Materials (SBOM) multi-stakeholder group, which recently provided guidance for a report on the minimum elements for a Software Bill of Materials.  

As a member of I Am the Cavalry, Sparrell wanted to give back to the community and do something that would make a difference in security. “Cyber is a team sport and bad hackers work together way better than the defense does,” he said.

The game he developed, QuadBlocks Quiz, was so popular at RSA Conference that he’ll be presenting the game and concepts at BSides Las Vegas later this month. Sparrell thinks of games like this as a way to increase awareness and adoption. “The game behaves like security. You need to try to fix the vulnerabilities and the licensing issues. You lose points like you would lose money if the organization is sued,” he said. “One of the concepts the game tries to teach is being prepared for an attack. In the game, you may need ClearBlocks to be prepared, but in real life, you’d need the information you’re answering in the questions.”  

To learn more about the Supply Chain Sandbox, visit supplychainsandbox.org and follow @supplychainsbx on Twitter.