Analecta Cyber Company Blog: The Cyber Supply Chain Risk Management Processes: Bringing Everyone On Board

Cybersecurity should never be viewed as only an IT issue. Every department needs to consider what it can do to make the organization more cyber secure. And with a supply chain, even more cyber risks are posed due to its multifaceted design. If a cyber supply chain is compromised, some of the devices that were meant to protect your business from harm may be the exact ones that cause the most damage.

Global cyber supply chain concerns

Threats to the cyber supply chain are not unique to the United States. Countries around the world are concerned that an adversary may tamper with products during development, manufacture or delivery. As far back as 2011, Microsoft reported that the U.S., India and China were so concerned with threats to the cyber supply chain that each of those governments created policies to restrict cyber supply chain orders from certain countries or to strongly promote the use of technology from their own country.

Even if your organization does not work with any government entity, it is likely that some of these decisions will shape the availability of products that you use for business. In early 2018, the CIA, FBI and NSA warned U.S. consumers not to purchase or use smartphones from the Chinese tech companies Huawei or ZTE. One lawmaker even introduced legislation that would prohibit the U.S. government from working with companies that used those companies' products.


Principles to consider

If the world's governments are concerned about the severity of cyber supply chain risks, what are small and medium-sized businesses to do?

The NIST Cybersecurity Framework now includes a new category that focuses on supply chain risk management. NIST recommends that businesses develop their defenses based on the idea that their systems will be breached at some point. If you think about cyber supply chain security this way, you are no longer focused only on how to prevent a breach, but on how to mitigate the damage and recover from a breach quickly.

As mentioned previously, another important principle to remember is that cybersecurity is never just a technology problem. Most breaches tend to be a result of human error instead of technology failure. Your supply chain will be more secure if all employees throughout the supply chain use sound cybersecurity practices and processes.

Finally, remember that security means being secure in both the physical sense and the cyber sense. Do not leave a gap between physical security and cybersecurity. Each should be addressed with the same amount of effort. A criminal may use a weakness in physical security to cause damage with a cyber attack on your supply chain. Likewise, they can exploit a cyber vulnerability to gain access to a physical location.

The way ahead

Sound cyber supply chain risk management needs to involve partners at every link in the supply chain. When working with suppliers, ask them about their working partners and sourcing practices. NIST recommends conducting a supplier review before entering into contracts. This can give you increased visibility into how your supplier fits into the system development life cycle. You may elect to have a third-party analysis performed on your supply chain process to identify any additional risks. This way, you can get a comprehensive picture of where everyone fits. If there are any hidden security issues with a supplier, a third-party contractor may be able to identify them more accurately.

Keep in mind that risk management is about risk mitigation, not risk elimination. Adopting sound business practices throughout the process can reduce the opportunity for compromise. This, in turn, reduces the residual risk that is passed on to the end user. Here are several more examples of cyber supply chain best practices from NIST:

  • One strike and you're out! Adopt zero-tolerance policies with respect to vendor products that are counterfeit or that unexpectedly do not match specification.
  • Component purchases are tightly controlled. Components purchased from approved vendors can be pre-qualified. Parts purchased from other vendors must be unpacked, inspected and X-rayed before being accepted.
  • Secure software development life cycle. Programs and training for all engineers involved in the life cycle are established.
  • Mandate source code. Require that all purchased software is delivered complete with its source code.
  • Software and hardware security handshake. Secure boot processes check for authentication codes, and the system will not boot if the codes are not recognized.
  • Automation of manufacturing and testing regimes. Reduce the risk introduced by human intervention by adopting, and requiring from suppliers, automated manufacturing and testing of software and hardware.
  • Supply chain cybersecurity partnering. Personnel in charge of supply chain cybersecurity partner with every team that touches any part of the product during its development life cycle. They also ensure that cybersecurity is part of all supplier and developer employee experiences, processes and tools.

How Analecta can help

Small and medium-sized businesses benefit from adopting sound cyber supply chain risk management processes. We can walk you through evaluating supply chain risks and how to mitigate these risks to protect your cybersecurity posture. Contact us at or visit our Cybersecurity website, and our industry experts can tailor a solution specific to your business.  

Analecta Cyber is a Maryland-based cybersecurity firm providing cyber risk assessments for small and medium-sized businesses. Analecta is a trusted partner that helps companies achieve their cybersecurity objectives.
