Biblio

Filters: Keyword is software supply chain
2021-10-27
Derek Johnson.  2019.  NSA official: 'Dumb' software supply chain attacks still prevalent. The Business of Federal Technology. 2021

While much of the discussion around supply chain security has focused on the parts, components and gear that make up an organization's physical IT assets, a growing number of experts are making the case that vulnerabilities in the software supply chain may represent the larger cybersecurity threat over the long haul.

2021-10-26
[Anonymous].  2021.  Supply Chain Compromise.

CISA is tracking a significant cyber incident impacting enterprise networks across federal, state, and local governments, as well as critical infrastructure entities and other private sector organizations. An advanced persistent threat (APT) actor is responsible for compromising the SolarWinds Orion software supply chain, as well as widespread abuse of commonly used authentication mechanisms. This threat actor has the resources, patience, and expertise to gain access to and privileges over highly sensitive information if left unchecked. CISA urges organizations to prioritize measures to identify and address this threat.

[Anonymous].  2021.  Manufacturing and Production Sector.

The manufacturing and production industry must address physical, human, and cyber threats in order to secure its supply chains. Physical threats include climate change and natural disasters that may reduce the supply of raw materials and disrupt production of final products. Facility flaws – “guards and gates” – also present a physical threat that may create penetration points at manufacturing sites. Malicious human actions (e.g., crime, sabotage, and terrorism) and non-malicious human actions (e.g., accidents and negligence) also threaten “just in time” manufacturing schedules. Finally, cyber threats, including ransomware attacks and software supply chain exploits, are a means by which threat actors may compromise industrial control systems as well as corporate networks and information systems, bringing production to a standstill.