Biblio

We need risk management solutions to assess, measure, and mitigate risk in real-time across multi-tier partner and supplier networks to achieve our goal of cost, schedule and performance, as they are only effective in a secure environment.

CISA is tracking a significant cyber incident impacting enterprise networks across federal, state, and local governments, as well as critical infrastructure entities and other private sector organizations. An advanced persistent threat (APT) actor is responsible for compromising the SolarWinds Orion software supply chain, as well as widespread abuse of commonly used authentication mechanisms. This threat actor has the resources, patience, and expertise to gain access to and privileges over highly sensitive information if left unchecked. CISA urges organizations to prioritize measures to identify and address this threat.

Cyber risk is continually evolving, meaning insurers should understand emerging risks in order to keep pace with their clients' exposures. Lloyd’s, CyberCube and Guy Carpenter have conducted an analysis detailing three scenarios which represent the most plausible routes by which a cyber attack against industrial control systems (ICS) could generate major insured losses. All three scenarios have historical precedents. The report describes how more severe events could unfold. This report considers four key industries dependent upon ICS (Manufacturing, Shipping, Energy and Transportation) and assesses precedents and the potential impact on each. The potential for physical perils represents a major turning point for the broader cyber (re)insurance ecosystem. This risk has previously been considered unlikely to materially impact the market, with cyber perils traditionally emerging in the form of non-physical losses. However, crossing the divide between information technology (IT) and operational technology (OT), along with increases in automation and the sophistication of threat actors, means it is paramount that (re)insurers carefully consider how major losses may occur and the potential impacts.

Information and Communications Technology (ICT) supply chain risk management (SCRM) is the process of identifying and mitigating risks in the manufacture and distribution of ICT products and services. While the Information Technology (IT) sector and the Communications sector face different supply chain risks, their mitigation strategies are similar. Both sectors emphasize having an end-to-end Cyber-SCRM program, continuously evaluating risks to vendor networks, and maintaining geographically-diverse and occasionally-redundant supply chains in the event of a manufacturer compromise.

IIoT devices are sourced in many different countries and contain many components including hardware, software, and firmware. Each of these devices and components have a supply chain that can be compromised at many points including by the manufacturer, the software libraries, the shippers, the distributors and more.