Biblio

Filters: Keyword is Supply chains
2021-10-27
Derek Johnson.  2019.  NSA official: 'Dumb' software supply chain attacks still prevalent. The Business of Federal Technology. 2021

While much of the discussion around supply chain security has focused on the parts, components and gear that make up an organization's physical IT assets, a growing number of experts are making the case that vulnerabilities in the software supply chain may represent the larger cybersecurity threat over the long haul.

Peter Champion, Rachel Bruenjes, Michael Cohen, Jade Freeman, Ryne Graf, Moh Kilani, Caroline O'Leary, Christopher Pashley, John Ryan, Genevieve Shannon et al..  2018.  Cyber Resilience and Response. 2018 Public-Private Analytic Exchange Program. :1-45.

Another risk posed by the limited number of available vendors is the threat of supply chain attacks. According to researchers at CrowdStrike, on June 27, 2017 the destructive malware known as NotPetya was deployed through a legitimate software package used by organizations operating in Ukraine. The attack abused the update mechanism built into the software, the same mechanism the vendor uses to distribute updates to its customers. That mechanism had been used a month earlier to deploy other ransomware attacks. Supply chain attacks exploit the trust relationship between software or hardware vendors and their customers. These attacks can be widespread, targeting the trusted vendor's entire customer base, and are growing in frequency as well as sophistication.
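The abstract above identifies the vendor's own update channel as the delivery vehicle. The following Go program is an added example, not code from the cited report or from any vendor, showing the control that makes such a channel resistant to that abuse: the client pins the vendor's release-signing public key and installs an update only if a manifest binding the version and the payload hash verifies under that key. The manifest layout, the function names (`SignManifest`, `VerifyUpdate`), the date-style version strings and the sample payloads are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is what the vendor's update endpoint serves (hypothetical layout):
// the release version, the SHA-256 of the update payload, and an Ed25519
// signature over both, produced with the vendor's release-signing key.
type Manifest struct {
	Version       string
	PayloadSHA256 [32]byte
	Signature     []byte
}

// signedBytes is the exact byte string the signature covers. The version is
// included so an attacker cannot re-label an old, signed payload as "new".
func signedBytes(version string, sum [32]byte) []byte {
	return append([]byte(version+"\n"), sum[:]...)
}

// GenerateVendorKey makes the release-signing key pair. In practice the
// private half lives offline, never on the update server.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignManifest is the vendor's release step.
func SignManifest(priv ed25519.PrivateKey, version string, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	return Manifest{Version: version, PayloadSHA256: sum,
		Signature: ed25519.Sign(priv, signedBytes(version, sum))}
}

var (
	ErrBadSignature    = errors.New("update: manifest signature does not verify under pinned vendor key")
	ErrPayloadMismatch = errors.New("update: payload hash differs from signed manifest")
	ErrRollback        = errors.New("update: version is not newer than the installed one")
)

// VerifyUpdate is the client's check before anything is written to disk or
// executed. pub is compiled into the client (pinned), so whoever controls the
// update server or the network path still cannot mint an acceptable manifest.
// Version strings are assumed to sort lexically (e.g. "2017.06.27").
func VerifyUpdate(pub ed25519.PublicKey, installed string, m Manifest, payload []byte) error {
	if !ed25519.Verify(pub, signedBytes(m.Version, m.PayloadSHA256), m.Signature) {
		return ErrBadSignature
	}
	if sha256.Sum256(payload) != m.PayloadSHA256 {
		return ErrPayloadMismatch
	}
	if m.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	pub, priv := GenerateVendorKey()
	good := []byte("constructed sample: legitimate update payload")
	bad := []byte("constructed sample: trojanized update payload")
	m := SignManifest(priv, "2017.06.27", good)

	fmt.Println("genuine update:      ", VerifyUpdate(pub, "2017.05.01", m, good))
	fmt.Println("swapped payload:     ", VerifyUpdate(pub, "2017.05.01", m, bad))
	_, attackerPriv := GenerateVendorKey() // attacker's own key, not the pinned one
	forged := SignManifest(attackerPriv, "2017.06.28", bad)
	fmt.Println("attacker-signed:     ", VerifyUpdate(pub, "2017.05.01", forged, bad))
	fmt.Println("replayed old version:", VerifyUpdate(pub, "2017.06.27", m, good))
}
```

The check defends against a compromised update server or network path: a swapped payload, an attacker-signed manifest and a replayed older release are all rejected. It does not defend against a compromised build pipeline or a stolen signing key, which is why the signing key is kept off the update server and why reproducible builds and transparency logs are the usual complements.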

2021-10-26
Kay Mereish, Andrew Alvarado-Seig, Hubert Bowditch, Jenifer Clark, Michelle Danks, George Guttman, Andrew K., Monique Mansoura, Nathan L., Kay M. et al..  2018.  Threats to Pharmaceutical Supply Chains. :1-18.

In the digital age, drug makers have never been more exposed to cyber threats, from a wide range of actors pursuing very different motivations. These threats can have unpredictable consequences for the reliability and integrity of the pharmaceutical supply chain. Cyber threats do not have to target drug makers directly; a recent wargame by the Atlantic Council highlighted how malware affecting one entity can degrade the equipment and system functions of others that use the same software. The NotPetya ransomware campaign in mid-2017 was not specifically interested in affecting the pharmaceutical industry, but nevertheless disrupted Merck’s HPV vaccine production line. Merck lost 310 million dollars in revenue in the subsequent quarter as a result of lost productivity and a halt in production for almost a week.

Raymond Richards.  2021.  Vetting Commodity IT Software and Firmware (VET).

Government agencies and the military rely upon many kinds of Commercial Off-the-Shelf (COTS) commodity Information Technology (IT) devices, including mobile phones, printers, computer workstations and many other everyday items. Each of these devices is the final product of long supply chains involving many vendors from many nations providing various components and subcomponents, including considerable amounts of software and firmware. Long supply chains give adversaries opportunities to insert hidden malicious functionality into this software and firmware, which they can then exploit to accomplish harmful objectives, including exfiltration of sensitive data and sabotage of critical operations.

[Anonymous].  2021.  AI Next Campaign.

AI technologies have demonstrated great value to missions as diverse as space-based imagery analysis, cyberattack warning, supply chain logistics and analysis of microbiologic systems. At the same time, the failure modes of AI technologies are poorly understood. DARPA is working to address this shortfall, with focused R&D, both analytic and empirical. DARPA’s success is essential for the Department to deploy AI technologies, particularly to the tactical edge, where reliable performance is required.

James Gimbi, Jon Boyens, Nadya Bartol, Celia Paulsen, Kris Winkler.  2020.  Case Studies in Cyber Supply Chain Risk Management: Palo Alto Networks, Inc..

The Case Studies in Cyber Supply Chain Risk Management series engaged with several companies that are mature in managing cyber supply chain risk. These case studies build on the Best Practices in Cyber Supply Chain Risk Management case studies originally published in 2015 with the goals of covering new organizations in new industries and bringing to light any changes in cyber supply chain risk management practices.

Jon Boyens, Celia Paulsen, Nadya Bartol, Kris Winkler, James Gimbi.  2020.  Case Studies in Cyber Supply Chain Risk Management: Seagate Technology.

The Case Studies in Cyber Supply Chain Risk Management series engaged with several companies that are mature in managing cyber supply chain risk. These case studies build on the Best Practices in Cyber Supply Chain Risk Management case studies originally published in 2015 with the goals of covering new organizations in new industries and bringing to light any changes in cyber supply chain risk management practices.


Jon Boyens, Celia Paulsen, Nadya Bartol, Kris Winkler, James Gimbi.  2020.  Case Studies in Cyber Supply Chain Risk Management: Mayo Clinic.

The Case Studies in Cyber Supply Chain Risk Management series engaged with several companies that are leaders in managing cyber supply chain risk. These case studies build on the Best Practices in Cyber Supply Chain Risk Management case studies originally published in 2015 with the goals of covering new organizations in new industries and bringing to light any changes in cyber supply chain risk management practices. This case study is for the Mayo Clinic.

[Anonymous].  2021.  Cyber Risk: The emerging cyber threat to industrial control systems. :1-34.

Cyber risk is continually evolving, meaning insurers should understand emerging risks in order to keep pace with their clients' exposures. Lloyd’s, CyberCube and Guy Carpenter have conducted an analysis detailing three scenarios which represent the most plausible routes by which a cyber attack against industrial control systems (ICS) could generate major insured losses. All three scenarios have historical precedents. The report describes how more severe events could unfold. This report considers four key industries dependent upon ICS (Manufacturing, Shipping, Energy and Transportation) and assesses precedents and the potential impact on each. The potential for physical perils represents a major turning point for the broader cyber (re)insurance ecosystem. This risk has previously been considered unlikely to materially impact the market, with cyber perils traditionally emerging in the form of non-physical losses. However, crossing the divide between information technology (IT) and operational technology (OT), along with increases in automation and the sophistication of threat actors, means it is paramount that (re)insurers carefully consider how major losses may occur and the potential impacts.

[Anonymous].  2019.  NCSC SCRM Best Practices.

Supply chain exploitation, especially when executed in concert with cyber intrusions, malicious insiders, and economic espionage, threatens the integrity of key U.S. economic, critical infrastructure, and research/development sectors.

[Anonymous].  2021.  Energy: National Counterintelligence and Security Center Factsheet.

Before contracting with a supplier, vendor, manufacturer, or any other third-party organization, it is essential to review their security practices. The third-party must have a supply chain risk management program as well as a robust risk-based approach to cybersecurity and supply chain security.

[Anonymous].  2021.  Manufacturing and Production Sector.

The manufacturing and production industry must address physical, human, and cyber threats in order to secure its supply chains. Physical threats include climate change and natural disasters that may reduce the supply of raw materials and disrupt production of final products. Facility flaws – “guards and gates” – also present a physical threat that may allow penetration points at manufacturing sites. Malicious human actions (e.g., crime, sabotage, and terrorism) and non-malicious human actions (e.g., accidents and negligence) also threaten “just in time” manufacturing schedules. Finally, cyber threats, including ransomware attacks and software supply chain exploits, are a means by which threat actors may compromise industrial control systems as well as corporate networks and information systems, bringing production to a standstill.

Chris Bonnette, Jason Carnes, Tim Leaf, Hannah Lensing, Kristie Pfosi, David Sasaki, Jeff Stewart, Lisa VanSlyke.  2019.  Identifying Risks to Vehicle Technology Advancements. Automotive Cybersecurity: More Than Technical Risks. :1-32.

The supply chains for advanced automobiles will continue to become increasingly complex. Furthermore, automotive OEMs will experience decreased control over the components and software implemented into their vehicles. These issues create risks to advanced vehicle technologies that must be addressed by a comprehensive and coordinated approach to end-to-end cybersecurity across the automotive supply chain.

[Anonymous].  2021.  America's Supply Chains. 86(38):1-6.

The United States needs resilient, diverse, and secure supply chains to ensure our economic prosperity and national security. Pandemics and other biological threats, cyber-attacks, climate shocks and extreme weather events, terrorist attacks, geopolitical and economic competition, and other conditions can reduce critical manufacturing capacity and the availability and integrity of critical goods, products, and services.

2021-10-22
Sandor Boyson, Thomas Corsi, Hart Rossman, Matthew Dorin.  2011.  Assessing SCRM Capabilities and Perspectives of the IT Vendor Community: Toward a Cyber-Supply Chain Code of Practice. :1-73.

This project developed a tool to assess cyber-supply chain risk management capabilities by consolidating the collective inputs of the set of public and private actors engaged in supporting Initiative 11. The Department of Commerce (NIST and the Bureau of Industry and Security, BIS), the Department of Homeland Security (DHS), the Department of Defense (DOD/CIO and DOD/NSA), and the General Services Administration (GSA) all provided formal inputs to design the assessment tool.

[Anonymous].  2015.  Cyber Security Risk in Supply Chain Management: Part 1. 2021

Cyber security is generally thought of as various types of security devices like firewalls, Web Application Firewall (WAF), IDS/IPS, SIEM, DLP etc. to safeguard networks, applications and data. But what if, for example, the deployed security solutions have a bug inside? The latest example of this is the disclosure of a vulnerability in Lenovo notebooks. Lenovo notebooks were shipped with a program named “Superfish-Visual Discovery”, and a vulnerability enabling Man-in-the-Middle (MITM) interception has recently been discovered in this software; the security controls installed on the notebooks, such as antivirus, cannot catch it, because the software ships by default with the system. This is an example of how important it is to consider not only networks but every component of a supply chain.

Cyber security in the supply chain is a subset of supply chain security and is focused on the management of cyber security requirements for information technology systems, software and networks, which are driven by threats such as cyber-terrorism, malware, data theft and the Advanced Persistent Threat (APT). Typical supply chain cyber security activities for minimizing risks include buying only from trusted vendors, disconnecting critical machines from outside networks, and educating users on the threats and protective measures they can take.
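The Superfish passage above says only that the bundled software enabled MITM interception and that endpoint controls could not see it. The publicly documented mechanism was a vendor-installed root certificate in the system trust store whose private key sat on every machine, so the interception software could mint a valid-looking certificate for any site. The following Go program is an added example, not part of the cited article or of any vendor's code, that reproduces that trust-store failure with constructed certificates and shows the baseline check that does catch it: auditing the installed roots against an allowlist of known-good fingerprints. The certificate names, the host `bank.example`, the helper `newCert` and the allowlist are assumptions constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

var serial int64

// newCert issues a certificate for cn: self-signed (a root) when parent is nil,
// otherwise signed by parent with parentKey. Demonstration helper only.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // leaf must name the host it is presented for
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced is well-formed
	return cert, key
}

// Fingerprint is the SHA-256 of the DER encoding, the usual allowlist key.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// AuditRoots returns the subjects of trust-store roots absent from the allowlist.
// Antivirus does not flag such a root because the OEM image installed it.
func AuditRoots(store []*x509.Certificate, allow map[string]bool) []string {
	var unexpected []string
	for _, c := range store {
		if !allow[Fingerprint(c)] {
			unexpected = append(unexpected, c.Subject.CommonName)
		}
	}
	return unexpected
}

type Result struct {
	MITMVerifiesWithBundledRoot bool
	MITMVerifiesWithoutIt       bool
	UnexpectedRoots             []string
}

// Scenario: a trust store holding a genuine public root plus a bundled interception
// root whose private key sits on the machine, and a leaf minted for bank.example.
func Scenario() Result {
	publicRoot, _ := newCert("Example Public Root CA", true, nil, nil)
	bundledRoot, bundledKey := newCert("Bundled Interception CA", true, nil, nil)
	mitmLeaf, _ := newCert("bank.example", false, bundledRoot, bundledKey)
	clean, shipped := x509.NewCertPool(), x509.NewCertPool()
	clean.AddCert(publicRoot)
	shipped.AddCert(publicRoot)
	shipped.AddCert(bundledRoot)
	_, errShipped := mitmLeaf.Verify(x509.VerifyOptions{Roots: shipped, DNSName: "bank.example"})
	_, errClean := mitmLeaf.Verify(x509.VerifyOptions{Roots: clean, DNSName: "bank.example"})
	allow := map[string]bool{Fingerprint(publicRoot): true} // constructed allowlist
	return Result{
		MITMVerifiesWithBundledRoot: errShipped == nil,
		MITMVerifiesWithoutIt:       errClean == nil,
		UnexpectedRoots:             AuditRoots([]*x509.Certificate{publicRoot, bundledRoot}, allow),
	}
}

func main() {
	r := Scenario()
	fmt.Printf("interception cert validates with bundled root: %v\n", r.MITMVerifiesWithBundledRoot)
	fmt.Printf("interception cert validates without it:        %v\n", r.MITMVerifiesWithoutIt)
	fmt.Printf("roots not on allowlist:                         %v\n", r.UnexpectedRoots)
}
```

The point of the two `Verify` calls is that the interception certificate is cryptographically valid as long as the bundled root is trusted, so no network or host control that relies on chain validation will object; only an inventory of what is in the trust store, compared against what the organisation expects to be there, reveals the problem. On a managed fleet the same audit is run against the real root store rather than the constructed one here.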

Adam Stone.  2020.  GovCons Weigh in on ODNI Supply Chain Warnings. Washington Exec: Federal Government News. 2020

In a recently published document addressing supply chain risk, the Office of the Director of National Intelligence warns against “foreign attempts to compromise the integrity, trustworthiness, and authenticity of products and services purchased and integrated into the operations of the U.S. Government, the Defense Industrial Base, and the private sector.”

Attacks on the supply chain represent “a complex and growing threat to strategically important U.S. economic sectors and critical infrastructure,” the agency notes. Foreign adversaries are attacking key supply chains at multiple points, from concept to design, manufacture, integration, deployment and maintenance.

GovCon leaders say the government does well to take the risks seriously, and they point to ways in which the contracting community can work hand-in-glove with federal officials to mitigate the threat.

[Anonymous].  2020.  NCSC Unveils New Supply Chain Risk Management Guidance.

Exploitation of supply chains by foreign adversaries is a growing threat to America.

The National Counterintelligence and Security Center (NCSC) today released a new tri-fold document, Supply Chain Risk Management: Reducing Threats to Key U.S. Supply Chains, to help private sector and U.S. Government stakeholders mitigate risks to America’s critical supply chains.  As part of Cybersecurity Awareness Month, NCSC is working to raise awareness of supply chain attacks, including those that are cyber-enabled.

The tri-fold highlights supply chain risks, introduces a process for supply chain risk management, and establishes three focus areas to reduce threats to key U.S. supply chains.  The document also outlines key tools and technologies to protect each stage of the supply chain lifecycle, from design to retirement.

William Claycomb, Joe Bradley, Matthew Butkovic, Ken Mai, Carol Woody, Mark Sherman.  2020.  Implementing Cyber Security in DoD Supply Chains.

Video presentation from Carnegie Mellon University, "Implementing Cyber Security in DoD Supply Chains," 2020.

Zac Rogers, Victor Benjamin, Mohan Gopalakrishnan, Thomas Choi.  2018.  Cyber Security in Supply Chains, CAPS Research.

Video presentation "Cyber Security in Supply Chains, CAPS Research", 2018.