Strategies for securing the supply chain
Reducing the cybersecurity risk to the global supply chain is the goal of a new publication by the National Institute of Standards and Technology (NIST). Key Practices in Cyber Supply Chain Risk Management (Draft NISTIR 8276) provides a set of strategies to help businesses address the cybersecurity issues posed by modern information and communications technology products, which are commonly built using components and services supplied by third-party organizations. The composed nature of these devices and systems makes them difficult to secure effectively against malware and other threats, placing manufacturers, service providers and end users at risk.
“The seed of the problem is that everything is interconnected nowadays,” said NIST’s Jon Boyens, one of the draft report’s authors. “Products are very sophisticated, and with our globalized economy, companies often outsource the tasks of developing components and code to other companies, involving multiple tiers of suppliers.”
Vulnerabilities in the cyber supply chain, which is a complex network of connections rather than a single strand, involve not only microchips and their internal code, but also the support software for a device and the other companies that have access to its components. Put them all together, and anticipating every weakness an attacker could attempt to exploit becomes a daunting task.
Several recent cyber breaches have been linked to supply chain risks.
One high-profile attack from the second half of 2018, Operation ShadowHammer, is estimated to have affected up to a million users. A 2013 campaign by the Dragonfly group targeted companies that operate industrial control systems, such as those distributing energy within the U.S., and infected companies in critical industries with malware delivered through compromised supplier software. Symantec's 2019 Internet Security Threat Report found that supply chain attacks increased by 78 percent in 2018.
The NIST report is a high-level document intended to be easily understood and applied in managing these risks. Its core is a 27-page section outlining eight key practices that have proven to be useful, from establishing a formal risk management program to collaborating closely with key suppliers. Each key practice is accompanied by a set of recommendations, and because each organization will have its own specific needs, the authors also include guidance on how to apply these recommendations.
Acknowledging that companies in different economic sectors might manage supply chain risk differently, the authors also offer a set of 24 case studies in risk management that feature a variety of businesses ranging from aerospace and IT manufacturers to consumer goods companies.
“Many companies share the same suppliers, but their overall supply chains are still very different,” Boyens said. “To supplement our report you can look for the case studies that are relevant to your industry.”
Public comments will be considered before NIST releases a final version planned for Spring 2020.