In September, the Association for Supply Chain Management (ASCM) announced its top ten 2024 supply chain trends, and we decided to publish a series of posts covering each of the topics on the list and the role they’re playing in supply chain management (SCM). Although some overlap, and we can’t possibly take a deep dive into each, it’s been fun to dip our toes into the various categories to discuss related news and resources that are making a splash in the supply chain world.
So far, we’ve tackled:
This week, we’ll take a look at #8 on the list and an increasingly critical issue: Cyber Security.
Over the next two weeks, we’ll discuss the last two that made the top-ten:
- Green and Circular Supply Chains
- Geopolitics and Deglobalization of Supply Chains
A growing threat landscape
Across the global supply chain, the use of digital tools often means increased efficiency, productivity, and reduced costs. However, because a single company may maintain many digital connections across multiple tiers of suppliers, Internet of Things (IoT) devices, internal and external systems, and various cloud-based software applications, malicious actors have many opportunities to exploit vulnerabilities.
In one of our posts about the growing threat of supply chain cyber attacks, we noted how one expert in a Security Magazine post described it: “If one facility, port, software or database is interrupted due to an attack, countless companies and consumers can be impacted, resulting in great financial loss and compromised data.”
In addition to the potential for weak digital links, hackers who are targeting the supply chain are growing more sophisticated. Combined, these factors underscore the critical importance of optimizing cyber supply chain risk management (SCRM).
The good news is that various public and private organizations provide ongoing support through research and evolving guidance to help organizations keep up with cybersecurity threats. Here, we’ll highlight resources from NIST and CISA that can help supply chain stakeholders address evolving cyber risks.
Updated guidance from NIST
In the introduction to Executive Order (EO) 14028: Improving the Nation’s Cybersecurity, the growing threat atmosphere is captured like this: “The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy. …”
Within the EO, one of the agencies required to address cybersecurity challenges in the software supply chain is the National Institute of Standards and Technology (NIST).
NIST works across many technology sectors—including cybersecurity. Here’s the intro to NIST’s overview regarding its work in this area: “NIST develops cybersecurity standards, guidelines, best practices, and other resources to meet the needs of U.S. industry, federal agencies and the broader public. Our activities range from producing specific information that organizations can put into practice immediately to longer-term research that anticipates advances in technologies and future challenges. …”
As part of its response to the EO, NIST released its updated publication, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations.
“A vulnerable spot in global commerce is the supply chain: It enables technology developers and vendors to create and deliver innovative products but can leave businesses, their finished wares, and ultimately their consumers open to cyberattacks,” NIST said in a summary of the guidance. “A new update to the National Institute of Standards and Technology’s (NIST’s) foundational cybersecurity supply chain risk management (C-SCRM) guidance aims to help organizations protect themselves as they acquire and use technology products and services.”
NIST said the update provides “guidance on identifying, assessing and responding to cybersecurity risks throughout the supply chain at all levels of an organization.”
“Managing the cybersecurity of the supply chain is a need that is here to stay,” said NIST’s Jon Boyens, one of the publication’s authors. “If your agency or organization hasn’t started on it, this is a comprehensive tool that can take you from crawl to walk to run, and it can help you do so immediately.”
NIST said the guidance helps organizations “build cybersecurity supply chain risk considerations and requirements into their acquisition processes and highlights the importance of monitoring for risks.”
Noting that cybersecurity risks can arise “at any point in the life cycle or any link in the supply chain,” the agency said the guidance now considers “potential vulnerabilities such as the sources of code within a product, for example, or retailers that carry it.”
“It has to do with trust and confidence,” said NIST’s Angela Smith, an information security specialist and another of the publication’s authors. “Organizations need to have greater assurance that what they are purchasing and using is trustworthy. This new guidance can help you understand what risks to look for and what actions to consider taking in response.”
CISA’s new SCRM resource
In October, the Cybersecurity and Infrastructure Security Agency (CISA) announced the release of a new resource guide, Empowering Small and Medium-Sized Businesses (SMB): A Resource Guide for Developing a Resilient Supply Chain Risk Management Plan, which provides Information and Communications Technology (ICT) SMBs “with a starting point [to] develop and tailor a supply chain risk management (SCRM) plan that meets the needs of their business.”
CISA said that since SCRM can be both costly and complex, SMBs may not have the dedicated risk management and SCRM expertise to mitigate disruption risks.
“In acknowledging the resource challenges faced by small and medium-sized businesses amidst today’s complex supply chain risks, we’re committed to offering vital support,” said Mona Harrington, CISA Assistant Director for the National Risk Management Center, in the announcement. “Our unique qualifications, along with valuable partner collaboration in crafting this guide, underscore our dedication to these businesses’ role in enhancing ICT supply chain resilience.”
A more recently released resource from CISA is its Joint Cyber Defense Collaborative (JCDC) Remote Monitoring & Management Cyber Defense Plan.
“Remote Monitoring and Management (RMM) is software that is installed on an endpoint to continuously monitor a machine or system’s health and status, as well as enabling remote unattended administration functions,” CISA said. “As ransomware threat actors continue to use RMM tools in their attacks, exploitation of RMM platforms presents a growing risk to small and medium-sized organizations that support national critical functions.”
The agency said the new resource provides a collective plan for mitigating threats to the RMM ecosystem: “…this plan addresses issues facing the top-down exploitation of RMM software, through which cyber threat actors gain footholds into managed service provider servers and, by extension, into thousands of customer networks.”
The following links provide access to each of the CISA resources in full:
And in case you’d like to check them out, here are a few of the latest reports and recommendations we came across related to cyber SCRM: