Visible to the public Biblio

Filters: Keyword is supply chain risk management  [Clear All Filters]
2021-10-26
Jon Boyens, Celia Paulsen, Nadya Bartol, Kris Winkler, James Gimbi.  2020.  Case Studies in Cyber Supply Chain Risk Management: Seagate Technology.

The Case Studies in Cyber Supply Chain Risk Management series engaged with several companies that are mature in managing cyber supply chain risk. These case studies build on the Best Practices in Cyber Supply Chain Risk Management case studies originally published in 2015 with the goals of covering new organizations in new industries and bringing to light any changes in cyber supply chain risk management practices.

 

[Anonymous].  2021.  Energy: National Counterintelligence and Security Center Factsheet.

Before contracting with a supplier, vendor, manufacturer, or any other third-party organization, it is essential to review their security practices. The third-party must have a supply chain risk management program as well as a robust risk-based approach to cybersecurity and supply chain security.

[Anonymous].  2021.  Information and Communications Technology Sector.

Information and Communications Technology (ICT) supply chain risk management (SCRM) is the process of identifying and mitigating risks in the manufacture and distribution of ICT products and services. While the Information Technology (IT) sector and the Communications sector face different supply chain risks, their mitigation strategies are similar. Both sectors emphasize having an end-to-end Cyber-SCRM program, continuously evaluating risks to vendor networks, and maintaining geographically-diverse and occasionally-redundant supply chains in the event of a manufacturer compromise.

Celia Paulsen, Jon Boyens, Jeffrey Ng, Kris Winkler, James Gimbi.  2020.  (Withdrawn) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks. Withdrawn NIST Technical Series Publication. :1-64.

As awareness of cybersecurity supply chain risks grows among federal agencies, there is a greater need for tools that evaluate the impacts of a supply chain-related cyber event. This can be a difficult activity, especially for those organizations with complex operational environments and supply chains. A publicly available tool to support supply chain risk analysis that specifically takes into account the potential impact of an event does not currently exist. This publication de- scribes how to use the Cyber Supply Chain Risk Management (C-SCRM) Interdependency Tool that has been developed to help federal agencies identify and assess the potential impact of cybersecurity events in their interconnected supply chains.

Jon Boyens, Celia Paulsen, Nadya Bartol, Kris Winkler, James Gimbi.  2021.  Key Practices in Cyber Supply Chain Risk Management: Observations from Industry. Key Practices in Cyber Supply Chain Risk Management. :1-31.

Many recent data breaches have been linked to supply chain risks. For example, a recent high- profile attack that took place in the second half of 2018, Operation ShadowHammer, compromised an update utility used by a global computer manufacturer.1 The compromised software was served to users through the manufacturer’s official website and is estimated to have impacted up to a million users before it was discovered. This is reminiscent of the attack by the Dragonfly group, which started in 2013 and targeted industrial control systems.2 This group successfully inserted malware into software that was available for download through the manufacturers’ websites, which resulted in companies in critical industries such as energy being impacted by this malware. These incidents are not isolated events. Many recent reports suggest these attacks are increasing in frequency. An Incident Response Threat Report published in April 2019 by Carbon Black highlighted the use of “island hopping” by 50 % of attacks.3 Island hopping is an attack that focuses on impacting not only the victim but its customers and partners, especially if these partners have network interconnections. Symantec’s 2019 Security Threat Report found supply chain attacks increased by 78 % in 2018.4 Perhaps more worrying is that a large number of these attacks appear to be successful and cause significant damage. A November 2018 study, Data Risk in the Third-Party Ecosystem, conducted by the Ponemon Institute found that 59 % of companies surveyed experienced a data breach caused by one of their third parties.5 A July 2018 survey conducted by Crowdstrike found software supply chains even more vulnerable with 66 % of respondents reporting a software supply chain attack, 90 % of whom faced financial impacts as a result of the attack.

2021-10-22
[Anonymous].  2011.  Cyber Supply Chain Risk Management: Toward a Global Vision of Transparency and Trust.

This paper introduces Microsoft’s perspective on supply chain risk and the relationship of such risk to global trade in ICT products. It reviews the considerations that lead governments to express concerns about supply chain security and discusses the implications of some approaches to “solving the problem.” It points out the importance of having national approaches to supply chain risk management that are risk-based, transparent, flexible and reciprocal or standards-based.