Reducing cybersecurity risk in global supply chains is the goal of a new publication by the National Institute of Standards and Technology (NIST), whose computer security experts have condensed a set of effective risk management techniques into a draft guidebook for businesses. NIST is seeking public comment on the draft for the next 30 days, it said in a release.
Key Practices in Cyber Supply Chain Risk Management (Draft NISTIR 8276) provides a set of strategies to help businesses address the cybersecurity threats posed by modern information and communications technology products, which are commonly built using components and services supplied by third-party entities. The variety of suppliers and various components making up these devices and systems makes them difficult to secure effectively against malware and other threats, placing manufacturers, service providers and end users at risk, NIST said.
“The seed of the problem is that everything is interconnected nowadays,” said NIST’s Jon Boyens, one of the draft report’s authors. “Products are very sophisticated, and with our globalized economy, companies often outsource the tasks of developing components and code to other companies, involving multiple tiers of suppliers.”
The cyber supply chain is really a complex network of connections rather than a single strand. Weaknesses involve not only microchips and their internal code, but also the support software for a device and the other companies that have access to its components. Put these various complex pieces together, it becomes nearly impossible to anticipate every systemic weakness that an adversary might exploit.
NIST requests feedback on Draft NISTIR 8276, Key Practices in Cyber Supply Chain Risk Management: Observations from Industry. This publication is based on an analysis of interviews with companies in 2015 and 2019, which led to the development of 24 case studies prior NIST research in cyber supply chain risk management; and a number of standards and industry best practices documents. NISTIR 8276 is intended to provide a high-level summary of those practices, which are deemed by subject matter experts, to be foundational to an effective cyber supply chain risk management program.
Acknowledging that companies in different economic sectors might manage supply chain risk differently, the authors developed the 24 case studies in a variety of businesses ranging from aerospace and IT manufacturers to consumer goods companies. These case studies, along with a summary of the findings, are available at NIST’s Cyber Supply Chain Risk Management Key Practices page.
“Many companies share the same suppliers, but their overall supply chains are still very different,” Boyens said. “To supplement our report you can look for the case studies that are relevant to your industry.”
The April 2018 update to the NIST Cybersecurity Framework added a new section about supply chain risk management, and the new report cross-references the framework so that organizations can use both sets of NIST guidance together, Boyens said.
Public comments on Draft NISTIR 8276 can be submitted until March 4, 2020, to firstname.lastname@example.org, and NIST will consider them before releasing a final version, planned for spring 2020.
Supply Chain Vulnerabilities Explained
Many recent cyber breaches have been linked to supply chain risks. A recent high-profile attack from the second half of 2018, Operation ShadowHammer, is estimated to have affected up to a million users. A 2013 attack by the Dragonfly group targeted companies with industrial control systems, such as those distributing energy within the U.S. This attack infected companies in critical industries with malware. Symantec’s https://www.symantec.com/security-center/threat-report 2019 Internet Security Threat Report found supply chain attacks increased by 78 percent in 2018.