Analecta Cyber Company Blog: Avoid Supply Chain Compromise by using the NIST Cybersecurity Risk Management Process

2019-03-26

Avoid Supply Chain Compromise by using the NIST Cybersecurity Risk Management Process

chain break graphic - Avoid supply chain compromise by using NIST Cybersecurity Risk Management Process Avoid Supply Chain Compromise by using the NIST Cybersecurity Risk Management Process Each level of a business process requires standardized procedures to ensure delivery of quality products and services. The operational successes of these supply chain linkages in business sectors and other entities are also determined by how well they handle and respond to cybersecurity challenges. Some industries have unique strategies, applying principles and guidelines to supply chain partners to maintain integrity, security, quality and resiliency. Here are some powerful solutions that work wonders in casting out threat actors via solid infrastructure defenses throughout the supply chain risk management processes.

Business supply chains relentlessly deal with an enormous amount of cyber threats and vulnerabilities in its interconnected nature. Whether a compromise is malicious or unintentional, the trouble affects the integral business activity.  All parties involved may be compromised depending on where in the chain the breach occurs.

The NIST Cyber Supply Chain Risk Management (C-SCRM) guides businesses in identifying, assessing and mitigating the risks associated with information technology and operational technology (IT/OT) product and service supply chains. The System Development Life Cycle (SDLC) process design includes development, distribution, deployment, acquisition, maintenance and destruction.

Here are key points to NIST’s approach to C-SCRM:
  • Foundational Practices. An effective C-SCRM program envelops around the current implementation of cybersecurity and the supply chain’s best practices.
  • Organization-wide. The C-SCRM should be implemented across all organizational levels, functions and throughout the SDLC.
  • Risk Management Process. A C-SCRM should be incorporated in the company’s overall risk management activities. While cyber supply chains differ in every organization, a tailor-fit C-SCRM plan should be implemented. Determine what risks are involved and get a total picture of your organization’s threats and vulnerabilities to effectively manage your cyber supply chain.
  • Critical Systems. If a cyber attack is occuring now, what systems/components need priority intervention? Having an inventory of vulnerable systems will greatly impact your organization’s function if and when they are compromised.
chain break graphic - Avoid supply chain compromise by using NIST Cybersecurity Risk Management Process

What makes third-party vendors a cybersecurity concern to your supply chain?


The last decade has seen numerous major companies that were victims of a third-party data breach, as well as major supply-chain compromises in computer hardware that surfaced in the last 12 months. Target, Home Depot, Best Buy, Delta, Sears… the list goes on. These breaches were made possible when a third-party vendor was compromised.

Consumers often see third-party vendors as a company extension. Thus, when these supply chains suffer an attack, your company’s brand reputation also shares the trouble. A breach in one of the key third-party partners could cause delay, interrupt or halt your company’s business operations.

Working with several business intermediaries undoubtedly exposes companies to greater cyber risk of an in-between transit of information. These are some hazards that may be present when dealing with third-party vendors:
  • Limited operational control over security issues
  • Data security managed externally
  • Threat actors specifically target weak links in the supply chain.
  • Monitoring vendor’s security practices is a burden when they are miles away.

The NIST Cybersecurity Framework identifies these Cyber Supply Chain Risks: “Insertion of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, as well as poor manufacturing and development practices in the cyber supply chain.”

Fist bump image for article - Avoid Supply Chain Compromise by using the NIST Cybersecurity Risk Management Process

Protecting your company’s best interest and its supply chain


While you are in full throttle at managing your business, nothing can be more aggravating than an unprecedented third-party breach. How can you ensure security in all channels of your supply chain? Are each link in the chain achieving their intended security requirements? The following approaches address this issue and make recommendations on how to get everyone on the same page:
  • Stringent policy. Require suppliers to be explicit on security capabilities, procedures and processes. These requirements should be reflected on their contract. Request an industry-specific compliance standard certification.
  • Perform a security audit. The hardware and software used in maintaining necessary operations should match your criteria in fulfilling business necessities.
  • Testing. Is the supplier capable of responding and recovering from an unexpected disruption? This will evaluate how prepared they are during an emergency.
  • Find out your supplier’s risk level. Have them answer a questionnaire to determine their effectiveness on risk management.
  • Compromise violation. Let it be known to partner vendor upfront that you are ready to withdraw, should there be any kind of compromise due to negligence on their part.

Analecta is here to help


Understanding your supply chain and where compromises can occur is only half the battle. Talk to us if you have questions on how to maintain your business’s security posture. We can help explain factors or risks that can affect your bottom line. Contact us at info@analecta-llc.com or visit our Cybersecurity website. Our experts can walk you through everything that you need to know to stay protected. 

Analecta Cyber is a Maryland-based cybersecurity firm providing cyber risk assessments for small and medium sized businesses. Analecta is a trusted partner to help companies achieve their cybersecurity objectives. 

Analecta Cyber Logo





Further Resources

No comments :

Post a Comment