Attacks on supply chains are growing in number and complexity. In the two months since the start of the Russia-Ukraine war, inbound attacks from APT groups targeting shipping, surface transport, retail warehouses, pharma APT supply entities, oil and gas, and coal mining sectors have risen significantly. Spillover attacks on the many other enterprises that depend on these entities have also grown. The attacks are coming from known APT groups in South East Asia and Russia and appear to be aimed at creating large-scale disruption.
It is therefore no surprise that the National Institute of Standards and Technology (NIST) has updated its foundational cybersecurity supply chain risk management (C-SCRM) guidance to enable enterprises to improve their security measures as they go about acquiring and adding more technology products and services to their infrastructure.
NIST has issued a revised publication called Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (NIST Special Publication 800-161 Revision 1). This publication, according to NIST, offers guidance and inputs on identifying, assessing, and responding to all types of cybersecurity risks spread across all supply chain levels of an organization.
The document acknowledges the challenges in securing supply chains that arise from the information asymmetry between acquiring enterprises and their suppliers and service providers. It goes on to say “that acquirers often lack visibility and understanding of how acquired technology is developed, integrated, and deployed and how the services that they acquire are delivered”.
Here are the highlights of NIST’s new revision:
- The publication outlines key steps that organizations can adopt to manage supply chain risks
- Organizations are encouraged to view vulnerabilities in the context of the whole production process of a finished product and its components. This covers the entire development footprint, including the journey each component took individually
- Specific attention is drawn to the possibility of malware ingress or cyberattack from different points across the chain
- The practices and controls described for Cybersecurity Supply Chain Risk Management (C-SCRM) apply to both information technology (IT) and operational technology (OT) environments and are inclusive of IoT
- Recommends integrating supply chain risk management into the overall enterprise risk management process. Enterprise risk management, as a continuous and iterative process, should include:
  - Frame risk. Establish the context for risk-based decisions and the current state of the enterprise’s information and communications technology and services and the associated supply chain.
  - Assess risk. Review and interpret criticality, threat, vulnerability, likelihood, impact, and related information.
  - Respond to risk. Select, tailor, and implement mitigation controls based on risk assessment findings.
  - Monitor risk. Monitor risk exposure and the effectiveness of risk mitigation on an ongoing basis, including tracking changes to an information system or supply chain, using effective enterprise communications and a feedback loop for continuous improvement.
- Enterprises should aim to bring in perspectives from multiple disciplines and processes (e.g., information security, procurement, enterprise risk management, engineering, software development, IT, legal, HR, etc.)
- Interestingly, the document recommends that enterprises manage risks rather than eliminate them, since taking risk is essential to the pursuit of value
- Discusses various models for managing supply chain risks, such as centralized, decentralized, and hybrid
- Outlines critical success factors
- Emphasizes putting in place multidisciplinary foundational supply chain risk management practices in order to engage successfully with system integrators
- Recommends establishing explicit collaborative and discipline-specific roles, accountabilities, structures, and processes for supply chain, cybersecurity, product security, physical security, and other relevant functions
- The annexure contains controls that different types of enterprises (manufacturers, suppliers, users) can use to improve their supply chain security practices