BrightScan #ThreatIntelThursday | Cyber Supply Chain Risk Management (C-SCRM)

Sarah King
Published in OpenAVN
5 min read, Aug 26, 2021
Week 34: Cyber Supply Chain Risk Management

This article is part of #ThreatIntelThursday @OpenAVN, an ongoing series that offers readers authoritative, but easily digestible, information about different kinds of malware and threats, how readers might be vulnerable to them, and what they can do to protect themselves. Past Threat Intel Thursday articles are collected in the series on Medium; we suggest starting from Week 1: Malware.

Cyber Supply Chain Risk Management

Cyber, or computer, supply chain attacks represent a significant risk to organizations. An attack on the supply chain can disrupt operations, increase costs, reduce service levels and harm the organization's reputation, often with a disastrous effect on its bottom line.

According to the United States National Institute of Standards and Technology (NIST), "Cyber Supply Chain Risk Management (C-SCRM) is the process of identifying, assessing, and mitigating the risks associated with the distributed and interconnected nature of IT/OT [information technology / operational technology] product and service supply chains. It covers the entire life cycle of a system (including design, development, distribution, deployment, acquisition, maintenance, and destruction) as supply chain threats and vulnerabilities may intentionally or unintentionally compromise an IT/OT product or service at any stage."

What are some of the risks?

Cybersecurity typically entails protecting systems and information. Cybersecurity professionals deploy a defense-in-depth strategy that includes intrusion detection and prevention, firewalls, secure network architectures, access controls, least privilege and personnel training, among a litany of other practices. But components of an organization's infrastructure may carry hidden, embedded security flaws. Traditional information security practices often do not protect against a component that exfiltrates sensitive information or leaves a back door for intruders, because the component otherwise performs its normal function correctly and the flaw is masked by that normal activity.

When it comes to the global economy, our greatest strength is also our greatest weakness.

According to NIST, “Cyber supply chain risks may include insertion of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, or poor manufacturing and development practices. Information technology supply chain risks can compromise data, IT infrastructure, or operations.”

Gartner indicates that Cyber (or Computer) Supply Chain Risk Management, C-SCRM, covers the following categories:

  1. Data and IT which can include data, programs, systems, networking and devices;
  2. Product(s) which can include embedded code and logic-bearing elements; and
  3. Operations, which can include Internet of Things (IoT) devices and physical technology.

According to Gartner, “[a]ll of these components are susceptible to security breaches, so the question becomes how we secure them.”

Information and communication technology (ICT) is a critical element of information security: ICT supply chains are global in nature, so a malicious or counterfeit component can have catastrophic consequences. A system composed of dozens, hundreds or even thousands of components makes it hard to determine which component has been compromised. The difficulty grows when the supply chain spans multiple organizations, each contributing large numbers of components, and short product life cycles mean that supply chains are constantly changing.

Additional Complications

Hardware complexity alone makes vulnerabilities difficult to detect, mitigate and manage, and software adds threats of its own. C-SCRM therefore also entails determining the source of software, its author and the path the software took from creation to destination. Software analysis can find vulnerabilities, but it is costly and time-consuming.
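One concrete control behind "the path the software took from creation to destination" (and behind the closing point about keeping compromised components off your network) is to pin each delivered component to a digest published by the supplier and to authenticate the digest list itself, so that a component modified in transit, an extra component nobody approved, or a rewritten manifest is rejected before anything is installed. The following is an added example written for this article, not code from OpenAVN, BrightScan or any real tool; the component names and bytes are constructed, and the manifest is authenticated with an HMAC under a key assumed to be shared out of band (a real supplier would publish a signature with an asymmetric key instead).

```python
"""Pin delivered components to a supplier manifest before accepting them.

Added example (not the article's or any vendor's code). Components, bytes
and the shared key are all constructed for the demo.
"""
import hashlib
import hmac
import json

# Constructed sample components, standing in for the files a supplier ships.
SHIPPED = {
    "libfoo.so": b"\x7fELF sample library bytes for the demo",
    "agent.bin": b"sample agent binary bytes for the demo",
}

# Assumption: the manifest is authenticated with a key shared out of band.
# A real supplier would sign it asymmetrically; HMAC keeps this example
# free of third-party dependencies.
MANIFEST_KEY = b"example-pre-shared-manifest-key"


def sha256_hex(data):
    """Content digest used to pin each component."""
    return hashlib.sha256(data).hexdigest()


def manifest_mac(entries, key):
    """Authenticate the canonically serialized digest list."""
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(components, key):
    """Supplier side: one digest per component, plus a MAC over the list."""
    entries = {name: sha256_hex(blob) for name, blob in components.items()}
    return {"components": entries, "mac": manifest_mac(entries, key)}


def verify_delivery(manifest, delivered, key):
    """Receiver side: check the manifest itself, then every delivered file.

    Returns {"manifest_ok": bool, "verdicts": {name: "ok" | "tampered" |
    "unlisted" | "missing"}}. Nothing is accepted if the manifest fails.
    """
    if not hmac.compare_digest(manifest_mac(manifest["components"], key),
                               manifest["mac"]):
        return {"manifest_ok": False, "verdicts": {}}

    verdicts = {}
    for name, blob in delivered.items():
        pinned = manifest["components"].get(name)
        if pinned is None:
            verdicts[name] = "unlisted"    # not on the approved bill of materials
        elif hmac.compare_digest(pinned, sha256_hex(blob)):
            verdicts[name] = "ok"
        else:
            verdicts[name] = "tampered"    # content changed somewhere on the path
    for name in manifest["components"]:
        verdicts.setdefault(name, "missing")  # promised but never arrived
    return {"manifest_ok": True, "verdicts": verdicts}


def demo():
    """Ship two components, then simulate what can go wrong in transit."""
    manifest = build_manifest(SHIPPED, MANIFEST_KEY)
    delivered = dict(SHIPPED)
    delivered["agent.bin"] = SHIPPED["agent.bin"] + b"\x90\x90"  # modified in transit
    delivered["extra.dll"] = b"component nobody approved"          # slipped in
    return verify_delivery(manifest, delivered, MANIFEST_KEY)


def forged_manifest_demo():
    """A manifest rewritten by someone without the key is rejected outright."""
    manifest = build_manifest(SHIPPED, MANIFEST_KEY)
    manifest["components"]["agent.bin"] = sha256_hex(b"attacker build")
    return verify_delivery(manifest, {"agent.bin": b"attacker build"}, MANIFEST_KEY)


if __name__ == "__main__":
    for name, verdict in sorted(demo()["verdicts"].items()):
        print(f"{name}: {verdict}")
    print("forged manifest accepted:", forged_manifest_demo()["manifest_ok"])
```

The order of checks matters: the manifest is authenticated before any per-component digest is trusted, so an attacker who can alter a file on the path cannot simply rewrite the digest list to match. Digest and MAC comparisons use `hmac.compare_digest` to avoid leaking how many leading bytes matched. A pinned digest says nothing about whether the supplier's own build was clean; that is the provenance question the article returns to later.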

Managing your ICT suppliers is critical, and knowing who supplies your suppliers, and who supplies their suppliers in turn, is also part of C-SCRM. Because ICT supply chains are extraordinarily complicated and dynamic, managing their risks is equally complicated.

Other Considerations

Other considerations include which other systems a given system or component is connected to. Internet-connected systems are more easily exploited and offer an easier path for exfiltrating sensitive information. The individuals who use, connect to or are otherwise associated with a given system are also part of the C-SCRM risk assessment.

Securing Cyber Supply Chains

Organizations must identify the technologies, tools, techniques, practices and standards that secure their information technology supply chain. Where do security professionals start, and how will these concerns change over time? First, organizations must identify their vulnerabilities, keep current with the latest threats, and assess the risk each threat poses (its probability and its impact). Because C-SCRM is the confluence of cybersecurity and SCRM, organizations must combine practices from both disciplines, and procurement, legal and engineering functions must all be included in C-SCRM planning. The starting point is a plan that documents policies, identifies risks and mitigation measures, and defines the monitoring needed to determine whether the implemented plan actually reduces risk to acceptable levels.

Governance

Because supply chain risk touches cybersecurity, procurement, supplies, research and development, engineering and product management, organizational governance must coordinate all of these areas. Organizations must understand the threats to their supply chain, including the probability and impact of each, identify the areas that are critical to supply chain security, and determine which tools can be deployed across data and IT, products and operations to protect them.

The Bottom Line

To maintain cybersecurity, organizations must understand and manage their supply chain. Preventing compromised components from entering your network will improve security and reliability.

In a future article, we will discuss provenance, which NIST defines as, “the chronology of the origin, development, ownership, location, and changes to a system or system component and associated data.”

To defend your system from supply chain attacks and other digital threats, a lightweight but heavy-duty EPP is imperative. BrightScan is a cloud-based, blockchain-powered endpoint protection platform that can be customized to fit your needs and is user-friendly enough for the home office and powerful enough to protect large enterprises.

Contact our Head of Sales, Jourdan Parkinson, to schedule a free demo of our cloud-based EPP, BrightScan, or just to chat about how our products can work for you.

For more of the latest in cybersecurity, subscribe to OpenAVN’s blog right here on Medium. In addition to Threat-Intel Thursdays, we also write about breaking news, thought leadership, and deep-dives into cyber intel.

About the Author: Ted Udelson, PMP, CISSP, Security+, Network+, A+ is the chief learning officer and cofounder of Succinctive Training, LLC. Ted uses his over 35 years of experience in information security and technology to inform his writing for #threatintelthursday.
