by Jerry Beasley, CISM, CISSP

If you have your ears to the ground, you may have heard a growing rumble about Supply Chain Risk. This is not a new subject, but its importance is being emphasized more and more. This was punctuated by the 2018 update of the National Institute of Standards and Technology (NIST) Cybersecurity Framework Core, a model for protecting critical infrastructure. One major category was added to the framework, consisting of controls and practices for Supply Chain Risk Management. Why the new emphasis? Let's examine the subject more closely.

The use of information technology continues to explode throughout all industries. By necessity, the practical development of technology solutions requires building on existing components and technologies. This includes everything from individual integrated circuit chips, to motherboards, to fully assembled devices, along with the firmware and software that run on them. The integrity of these pieces and parts is usually taken for granted. Unfortunately, threat actors on the world stage know this and are beginning to take advantage of global supply chains to "build in" malicious software, firmware, or hardware. Think about it: why try to break into a system from the outside when, with a little planning, you can have your own backdoor or surveillance mechanism built right into the components that your victims use? This is one of the concerns that has driven the expansion of the NIST Cybersecurity Framework to include new controls addressing Supply Chain Risk Management.

The threat is real. You don't have to look far to find real-world examples of supply chain attacks. The purpose of such an attack is usually to insert some means of control or access into components or processes employed by multiple end users. Recent examples include the insertion of malicious code into legitimate industrial control system (ICS) software by a cyber-espionage group. The group, dubbed "Dragonfly" among other names, compromised the websites of ICS suppliers, then replaced legitimate files with their own malware-infected versions. In another example, a large third-party data storage provider was infiltrated by a botnet that exfiltrated users' data from the third-party data store. While supply chain attacks like these often involve surreptitiously modifying software, there have also been cases of suspected hardware/firmware attacks. In one described attack, manufacturing subcontractors in China were purported to have inserted tiny microchips on the circuit boards of a major motherboard supplier. Since these server boards were used by many technology companies, it was estimated that as many as 30 U.S. companies may have unknowingly installed equipment with built-in back doors.

While nothing can guarantee your organization won't be affected by a supply chain attack, there are things every organization can do to address the risk. The first is to acknowledge the risk and develop an overall strategy. Does your organization employ systems or software that are critical to business operations? Do these systems store or process confidential or sensitive data? The answers to these questions allow you to prioritize your assets by their potential impact on the organization. Given these priorities, the organization can evaluate contracts and service agreements with third-party providers to determine whether they provide assurances of the integrity of the provider's own supply chain. If one vendor provides you with an integrated system, where do they get the system components and software? How do they themselves ensure the protection and integrity of the components from their suppliers? If the supplier can provide these assurances, the organization would want to verify that independent audits or tests have been performed on the supplier's products to ensure their integrity and compliance. Finally, it is important to know what recourse the organization has should a supply chain attack be discovered. How will the organization continue to operate, or recover, if it loses a capability due to compromised systems or processes? Does the threat of a supply chain attack need to be addressed in response and recovery plans? The answers to these inquiries may become the organization's Supply Chain Risk Management strategy and, in time, a sustainable process.

While it may sound simplistic, the steps described above are the essential guidance provided by the NIST Cybersecurity Framework. The implementation details of each process step must be tailored to the organization based on its size, complexity, unique processes and threat exposure, or its position in the supply chain. Fortunately, additional guidance is available from various standards and frameworks including, but not limited to, NIST Special Publication 800-53, ISO/IEC 27002, COBIT 5, and the Center for Internet Security's (CIS) Critical Security Controls. These are great sources, but each must be applied in the context of your organization's operating environment. In my role at TraceSecurity, I work with many clients that are subject to supply chain risk, but not all have established a framework to address the risk. Given this new emphasis, I would recommend that any organization examine (or reexamine) its risk management strategy to ensure it adequately addresses supply chain risk.

With market experience that spans over 2,000 customers, TraceSecurity offers the insight, products, professional services and partners to support the security and risk management efforts of organizations of all sizes across all industries. To learn more about TraceSecurity, call 877-275-3009 or explore our site.