Biblio
The Case Studies in Cyber Supply Chain Risk Management series engaged with several companies that are mature in managing cyber supply chain risk. These case studies build on the Best Practices in Cyber Supply Chain Risk Management case studies originally published in 2015 with the goals of covering new organizations in new industries and bringing to light any changes in cyber supply chain risk management practices.
The Case Studies in Cyber Supply Chain Risk Management series engaged with several companies that are mature in managing cyber supply chain risk. These case studies build on the Best Practices in Cyber Supply Chain Risk Management case studies originally published in 2015 with the goals of covering new organizations in new industries and bringing to light any changes in cyber supply chain risk management practices.
The Case Studies in Cyber Supply Chain Risk Management series engaged with several companies that are leaders in managing cyber supply chain risk. These case studies build on the Best Practices in Cyber Supply Chain Risk Management case studies originally published in 2015 with the goals of covering new organizations in new industries and bringing to light any changes in cyber supply chain risk management practices. This case study is for the Mayo Clinic.
NISTIR 8179 describes a Criticality Analysis Process Model – a structured method of prioritizing programs, systems, and components based on their importance to the mission and the risk that their ineffective or unsatisfactory operation or loss may present to the mission. The Criticality Analysis Process Model presented in this document adopts and adapts concepts presented in risk management, system engineering, software engineering, security engineering, privacy engineering, safety applications, business analysis, systems analysis, acquisition guidance, and cyber supply chain risk management publications. The Criticality Analysis Process Model can be used as a component of a holistic and comprehensive risk management approach that considers all risks, including information security and privacy risks. The Model can be used with a variety of risk management standards and guidelines including the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27000 family of standards and the suite of National Institute of Standards and Technology (NIST) Special Publications (SPs). The Model can also be used with systems and software engineering frameworks. The need for criticality analysis within information security emerged as systems have become more complex and supply chains used to create software, hardware, and services have become extended, geographically distributed, and vast
Many recent data breaches have been linked to supply chain risks. For example, a recent high- profile attack that took place in the second half of 2018, Operation ShadowHammer, compromised an update utility used by a global computer manufacturer.1 The compromised software was served to users through the manufacturer’s official website and is estimated to have impacted up to a million users before it was discovered. This is reminiscent of the attack by the Dragonfly group, which started in 2013 and targeted industrial control systems.2 This group successfully inserted malware into software that was available for download through the manufacturers’ websites, which resulted in companies in critical industries such as energy being impacted by this malware. These incidents are not isolated events. Many recent reports suggest these attacks are increasing in frequency. An Incident Response Threat Report published in April 2019 by Carbon Black highlighted the use of “island hopping” by 50 % of attacks.3 Island hopping is an attack that focuses on impacting not only the victim but its customers and partners, especially if these partners have network interconnections. Symantec’s 2019 Security Threat Report found supply chain attacks increased by 78 % in 2018.4 Perhaps more worrying is that a large number of these attacks appear to be successful and cause significant damage. A November 2018 study, Data Risk in the Third-Party Ecosystem, conducted by the Ponemon Institute found that 59 % of companies surveyed experienced a data breach caused by one of their third parties.5 A July 2018 survey conducted by Crowdstrike found software supply chains even more vulnerable with 66 % of respondents reporting a software supply chain attack, 90 % of whom faced financial impacts as a result of the attack.
Federal agencies are concerned about the risks associated with information and communications technology (ICT) products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the ICT supply chain. These risks are associated with the federal agencies’ decreased visibility into, understanding of, and control over how the technology that they acquire is developed, integrated and deployed, as well as the processes, procedures, and practices used to assure the integrity, security, resilience, and quality of the products and services. This publication provides guidance to federal agencies on identifying, assessing, and mitigating ICT supply chain risks at all levels of their organizations. The publication integrates ICT supply chain risk management (SCRM) into federal agency risk management activities by applying a multitiered, SCRM- specific approach, including guidance on assessing supply chain risk and applying mitigation activities.
Organizations are concerned about the risks associated with products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the cyber supply chain. These risks are associated with an enterprise’s decreased visibility into, and understanding of, how the technology that they acquire is developed, integrated, and deployed, as well as the processes, procedures, and practices used to assure the security, resilience, reliability, safety, integrity, and quality of the products and services. This publication provides guidance to organizations on identifying, assessing, and mitigating cyber supply chain risks at all levels of their organizations. The publication integrates cyber supply chain risk management (C-SCRM) into risk management activities by applying a multi-level, C-SCRM-specific approach, including guidance on development of C-SCRM strategy implementation plans, C-SCRM policies, C-SCRM plans, and C-SCRM risk assessments for products and services.