Biblio
The Case Studies in Cyber Supply Chain Risk Management series engaged with several companies that are mature in managing cyber supply chain risk. These case studies build on the Best Practices in Cyber Supply Chain Risk Management case studies originally published in 2015 with the goals of covering new organizations in new industries and bringing to light any changes in cyber supply chain risk management practices.
The Case Studies in Cyber Supply Chain Risk Management series engaged with several companies that are mature in managing cyber supply chain risk. These case studies build on the Best Practices in Cyber Supply Chain Risk Management case studies originally published in 2015 with the goals of covering new organizations in new industries and bringing to light any changes in cyber supply chain risk management practices.
The Case Studies in Cyber Supply Chain Risk Management series engaged with several companies that are leaders in managing cyber supply chain risk. These case studies build on the Best Practices in Cyber Supply Chain Risk Management case studies originally published in 2015 with the goals of covering new organizations in new industries and bringing to light any changes in cyber supply chain risk management practices. This case study is for the Mayo Clinic.
Information Technology has increasingly been incorporated into every segment of the economy. In manufacturing, the basic technology of Direct Digital Manufacturing (DDM) been around for dozens of years. This involves the creation of a physical object from a digital design using computer-controlled processes with little to no human intervention. With the popularization and advancement of Additive Manufacturing (AM) and 3D printing, it is becoming much more common. These technologies have the potential to significantly change traditional manufacturing and supply chain industries, including information and communications technologies (ICT). During the symposium, speakers and attendees discussed DDM cybersecurity risks, challenges, solutions, and implications for ICT supply chain risk management.
As awareness of cybersecurity supply chain risks grows among federal agencies, there is a greater need for tools that evaluate the impacts of a supply chain-related cyber event. This can be a difficult activity, especially for those organizations with complex operational environments and supply chains. A publicly available tool to support supply chain risk analysis that specifically takes into account the potential impact of an event does not currently exist. This publication de- scribes how to use the Cyber Supply Chain Risk Management (C-SCRM) Interdependency Tool that has been developed to help federal agencies identify and assess the potential impact of cybersecurity events in their interconnected supply chains.
NISTIR 8179 describes a Criticality Analysis Process Model – a structured method of prioritizing programs, systems, and components based on their importance to the mission and the risk that their ineffective or unsatisfactory operation or loss may present to the mission. The Criticality Analysis Process Model presented in this document adopts and adapts concepts presented in risk management, system engineering, software engineering, security engineering, privacy engineering, safety applications, business analysis, systems analysis, acquisition guidance, and cyber supply chain risk management publications. The Criticality Analysis Process Model can be used as a component of a holistic and comprehensive risk management approach that considers all risks, including information security and privacy risks. The Model can be used with a variety of risk management standards and guidelines including the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27000 family of standards and the suite of National Institute of Standards and Technology (NIST) Special Publications (SPs). The Model can also be used with systems and software engineering frameworks. The need for criticality analysis within information security emerged as systems have become more complex and supply chains used to create software, hardware, and services have become extended, geographically distributed, and vast
Many recent data breaches have been linked to supply chain risks. For example, a recent high- profile attack that took place in the second half of 2018, Operation ShadowHammer, compromised an update utility used by a global computer manufacturer.1 The compromised software was served to users through the manufacturer’s official website and is estimated to have impacted up to a million users before it was discovered. This is reminiscent of the attack by the Dragonfly group, which started in 2013 and targeted industrial control systems.2 This group successfully inserted malware into software that was available for download through the manufacturers’ websites, which resulted in companies in critical industries such as energy being impacted by this malware. These incidents are not isolated events. Many recent reports suggest these attacks are increasing in frequency. An Incident Response Threat Report published in April 2019 by Carbon Black highlighted the use of “island hopping” by 50 % of attacks.3 Island hopping is an attack that focuses on impacting not only the victim but its customers and partners, especially if these partners have network interconnections. Symantec’s 2019 Security Threat Report found supply chain attacks increased by 78 % in 2018.4 Perhaps more worrying is that a large number of these attacks appear to be successful and cause significant damage. A November 2018 study, Data Risk in the Third-Party Ecosystem, conducted by the Ponemon Institute found that 59 % of companies surveyed experienced a data breach caused by one of their third parties.5 A July 2018 survey conducted by Crowdstrike found software supply chains even more vulnerable with 66 % of respondents reporting a software supply chain attack, 90 % of whom faced financial impacts as a result of the attack.
Federal agencies are concerned about the risks associated with information and communications technology (ICT) products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the ICT supply chain. These risks are associated with the federal agencies’ decreased visibility into, understanding of, and control over how the technology that they acquire is developed, integrated and deployed, as well as the processes, procedures, and practices used to assure the integrity, security, resilience, and quality of the products and services. This publication provides guidance to federal agencies on identifying, assessing, and mitigating ICT supply chain risks at all levels of their organizations. The publication integrates ICT supply chain risk management (SCRM) into federal agency risk management activities by applying a multitiered, SCRM- specific approach, including guidance on assessing supply chain risk and applying mitigation activities.