In a recent virtual panel hosted by the National Cybersecurity Center of Excellence (NCCoE), Jon Boyens, Deputy Chief of the Computer Security Division at the National Institute of Standards and Technology (NIST), emphasized the importance of incorporating cybersecurity into supply chain risk management. Boyens highlighted that supply chain threats and vulnerabilities can be both adversarial and unintentional, and they often exist at the convergence of traditional information security and logistics-based supply chain management.
NIST identifies several cybersecurity risks in supply chains, including counterfeit products, hardware and software vulnerabilities, insider threats, and networks shared with partners. Non-cyber risks such as poor quality control and maintenance also play a significant role. Boyens noted that it is often difficult to distinguish a threat from a vulnerability, since the distinction frequently depends on the intent behind the event.
Gabriel Davis, Risk Operation Federal Lead at the Cybersecurity Division of the Cybersecurity and Infrastructure Security Agency (CISA), pointed out that privileged access often introduces inadvertent supply chain risk. Devices that constantly communicate with vendors for software updates or patches can also be vulnerable. Davis recommended that companies ensure their vendor’s software build cycle is secure and ask for a software bill of materials to support supply chain risk management.
Lawrence Reinert from the National Security Agency (NSA) added that malware can infiltrate at the chip level and advised companies to require secure boot processes in their devices.
To effectively implement a Cyber Supply Chain Risk Management (C-SCRM) program, NIST suggests nine key practices including managing critical suppliers, understanding the supply chain, collaborating with key suppliers, including them in improvement activities, and monitoring supplier relationships.
Boyens warned that the application of these practices would vary across industries and companies, underscoring the need for organizations to understand the unique aspects of their operations and threats. This approach is vital for integrating cybersecurity into existing supply chain risk management strategies effectively.
Stay informed with supply chain news on The Supply Chain Report.