Best Practices for Managing Supply Chain Risk

Driven by increasing instances of cyber-compromised industrial supply chains, the National Institute of Standards and Technology (NIST) last month issued new guidance for Cyber Supply Chain Risk Management (C-SCRM).

“With more and more businesses becoming digital, producing digital products and services, and moving their workloads to the cloud, the impact of a cybersecurity event today is greater than ever before and could include personal data loss, significant financial losses, compromise of product integrity or safety, and even loss of life. Organizations can no longer protect themselves by simply securing their own infrastructures since their electronic perimeter is no longer meaningful; threat actors intentionally target the suppliers of more cyber-mature organizations to take advantage of the weakest link,” the authors of the NIST report Key Practices in Cyber Supply Chain Risk Management: Observations from Industry.

As one example of the threat, the authors cite an Incident Response Threat Report published in April 2019 by Carbon Black, which highlighted the use of “island-hopping” by 50% of attacks. Island hopping focuses on impacting not only the victim but its customers and partners. The NIST authors also cite a 2019 Symantec Security Threat Report that found supply chain attacks increased by 78% in 2018 and that attacks appear to be successful and cause significant damage.

Key to the NIST approach was prioritizing suppliers based on the criticality of their product to company success, including assessing:

• Contribution to business revenue
• Ownership of information e.g. is regulated data (e.g., PII, PHI) or intellectual property
• The volume of data to which the supplier has access
• Accessibility of the supplier to company systems and network infrastructure
• Potential for supplier or products to become attack vectors

The report suggests tools and techniques that are becoming available to help quantify the criticality of the supplier to their business, but most companies probably have a good sense of that already. If that is the case, the bigger challenge is in evaluating the threat level surrounding those critical suppliers.

Most suppliers have limited cyber visibility into their supply chains. The NIST solution is for suppliers and end-users to essentially acknowledge that they share an ecosystem that is potentially under threat and collaborating on practices to keep it secure, which includes some of the following recommendations:

• Maintaining close working relationships through frequent visits and communications.
• Mentoring and coaching suppliers on C-SCRM and actively helping them improve their cybersecurity and supply chain practices.
• Investing in common solutions and requiring the use of common standards, which, among other things, simplifies communications about cybersecurity risk and mitigations and helps achieve a uniform level of quality throughout the ecosystem.
• Upstream propagation of the end user’s security requirements within the supply chain to sub-tier suppliers.
• Service-level agreements (SLA) with suppliers that state the requirements for adhering to the organization’s cybersecurity policy and any controls required of the supplier.

These are just a few of the more than 20 best practices that companies can take to protect themselves from cyber threats in the supply chain and avoid becoming a cyber spreader. They provide great content, for example, for a CSO building a Cyber Supply Chain Risk Management (C-SCRM) program.

Underwriters Laboratory (UL) has also issued guidelines for ensuring that their systems are cyber secure. These can also be used as a checklist of characteristics essential to any critical technology purchase. it includes:

• Authenticate remote access and interfaces to system management functions with session and time-out limits.
• Be certain that methods used to generate or negotiate cryptographic keys ensures that these keys are sufficiently random.
• Implement a cryptographic chain of trust from the hardware during boot where possible.

These are the kind of requirements that your suppliers can share with their suppliers, and so on.

For more information on best practices that can keep your critical processes safe see: “Can a Tool Reduce Cyber Risk Across the OT Supply Chain?”