Know Your Risks – and Your Friends’ Risks, Too

Author: Paul Thompson, Optic Cyber Solutions
Date Published: 21 July 2022

In today’s globally connected world, organizations are finding themselves at a greater risk than ever of a supply chain compromise. The 2022 Verizon Data Breach Investigations Report (DBIR) identifies supply chain partners as the vector in nearly 60 percent of the system intrusion incidents it reviewed over the past year, astoundingly up from less than 1 percent the previous year.

As companies strengthen their cyber defenses and mature capabilities to protect assets, evildoers are finding ways to circumvent these protections in the simplest way: infiltrating by means of a trusted third-party partner or supplier. Oftentimes, as organizations press to implement the best defenses, they fail to consider the security risks of their supply chain partners. Threat actors have found it much easier to attack smaller targets with weaker cybersecurity capabilities in order to eventually infiltrate their primary targets. When you think about it, it makes perfect sense. Why waste time and resources to breach the castle’s main gate when you can simply be let in the postern?

The threat of supply chain compromise has garnered the attention of the top officials across the world. In the US, a Presidential Executive Order on Improving the Nation’s Cybersecurity was issued as a result of the need to provide guidance on combating supply chain compromise in both the public and private sectors. The order calls on federal agencies to improve their methods for identifying, protecting against, responding to, and learning from supply chain attacks. Because many federal agencies are at the end of the supply chain, this executive order affects any and all organizations that do business with the federal government, from independent “mom & pop shops” all the way up to massive defense contractors. What the executive order is asking is that organizations develop an effective means for ensuring the integrity of their supply chain through the use of a Cyber Supply Chain Risk Management (C-SCRM) process.

C-SCRM incorporates information security concepts into an organization’s current risk management process. This integration helps identify, assess and mitigate risks associated with the product and service supply chains for information technology (IT) and operational technology (OT). Identifying supply chain risk is a crucial first step to a mature program. To understand supply chain risk, an organization must first have a clear understanding of its assets (e.g., products, services, personnel) throughout the entirety of their lifecycles, including assets the organization uses that are provided to or received from third parties. Additionally, assets should be categorized by their importance to the overall business mission and objectives so that priorities are clear when risk is assessed.

A strong asset identification and management process will provide an avenue for more easily assessing and managing organizational supply chain risks. A good cyber supply chain risk assessment takes into consideration the likelihood of occurrence and the impact of all potential risks to the organization and its partners, then prioritizes them by the greatest overall risk. Once risks are identified and prioritized, an organization must decide how to manage and respond to each one (i.e., avoid, transfer, mitigate or accept). Whether it is an internal response or an action to be performed by a supplier, risk responses must be documented and agreed to ahead of time, when possible.

Identifying risks and documenting response actions are only part of the equation. Crucial to the overall C-SCRM process is the communication and education of all parties involved about organizational risks and how to respond. Organizations must ensure that all personnel and third-party partners are trained on supply chain risks, encourage awareness from the top down, and involve partners and suppliers in organization-wide tests and assessments of response plans. Organizations should establish open communications with their supplier partners about risk concerns and encourage partners to do the same in return. The general idea is individual strength through community strength. As an organization matures its C-SCRM (or overall cybersecurity) process, lessons learned and best practices should be shared along the way to help bolster others’ programs.

The concept of C-SCRM is not a new one. In fact, there are many sources that have provided guidance on the topic over the years. The National Institute of Standards and Technology (NIST) has a Special Publication (SP) 800-161 and an Internal Report (IR) 8276 on the subject. The Cybersecurity and Infrastructure Security Agency (CISA) has a website dedicated to Supply Chain Risk Management as well as an assessment guide on managing dependencies. These are just a few of the resources among countless publications, sites, and posts addressing the topic.

For help filtering through the noise and building a more robust C-SCRM program, the CMMI Cybermaturity Platform (CMMI-CP) from ISACA provides not only a resource for organizations to mature their C-SCRM process, but their overall cybersecurity program. The CMMI-CP risk-based solution assists organizations in building cyber supply chain resilience through the identification and assessment of risks based on globally accepted industry standards. The platform includes Practice Areas that target methods for determining organizational dependencies as well as identifying supply chain risks to help organizations develop a robust cyber supply chain risk management program. More information regarding the CMMI-CP is available at http://daijuansen.volamdolong.com/enterprise/cmmi-cybermaturity-platform.