Visible to the public Biblio

Filters: Keyword is Information and Communication Technology Supply Chain Risk Management  [Clear All Filters]
2021-10-26
Jon Boyens, Celia Paulsen, Nadya Bartol, Kris Winkler, James Gimbi.  2021.  Key Practices in Cyber Supply Chain Risk Management: Observations from Industry. Key Practices in Cyber Supply Chain Risk Management. :1-31.

Many recent data breaches have been linked to supply chain risks. For example, a recent high- profile attack that took place in the second half of 2018, Operation ShadowHammer, compromised an update utility used by a global computer manufacturer.1 The compromised software was served to users through the manufacturer’s official website and is estimated to have impacted up to a million users before it was discovered. This is reminiscent of the attack by the Dragonfly group, which started in 2013 and targeted industrial control systems.2 This group successfully inserted malware into software that was available for download through the manufacturers’ websites, which resulted in companies in critical industries such as energy being impacted by this malware. These incidents are not isolated events. Many recent reports suggest these attacks are increasing in frequency. An Incident Response Threat Report published in April 2019 by Carbon Black highlighted the use of “island hopping” by 50 % of attacks.3 Island hopping is an attack that focuses on impacting not only the victim but its customers and partners, especially if these partners have network interconnections. Symantec’s 2019 Security Threat Report found supply chain attacks increased by 78 % in 2018.4 Perhaps more worrying is that a large number of these attacks appear to be successful and cause significant damage. A November 2018 study, Data Risk in the Third-Party Ecosystem, conducted by the Ponemon Institute found that 59 % of companies surveyed experienced a data breach caused by one of their third parties.5 A July 2018 survey conducted by Crowdstrike found software supply chains even more vulnerable with 66 % of respondents reporting a software supply chain attack, 90 % of whom faced financial impacts as a result of the attack.

2021-10-22
Jon Boyens, Celia Paulsen, Rama Moorthy, Nadya Bartol.  2015.  NIST Special Publication 800-161: Supply Chain Risk Management Practices for Federal Information Systems and Organizations. :1-282.

Federal agencies are concerned about the risks associated with information and communications technology (ICT) products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the ICT supply chain. These risks are associated with the federal agencies’ decreased visibility into, understanding of, and control over how the technology that they acquire is developed, integrated and deployed, as well as the processes, procedures, and practices used to assure the integrity, security, resilience, and quality of the products and services. This publication provides guidance to federal agencies on identifying, assessing, and mitigating ICT supply chain risks at all levels of their organizations. The publication integrates ICT supply chain risk management (SCRM) into federal agency risk management activities by applying a multitiered, SCRM- specific approach, including guidance on assessing supply chain risk and applying mitigation activities.