- Supply chain threats and vulnerabilities are adversarial and unintentional, so companies have to be cognizant of both, said Jon Boyens, deputy chief of the computer security division at the National Institute of Standards and Technology (NIST), during a virtual panel hosted by the National Cybersecurity Center of Excellence (NCCoE) Thursday.
- Risks in the supply chain are typically found at an intersection of traditional information security and traditional logistics-based supply chain. "The nexus between those is the area we're looking at," Boyens said. "When we're talking about an organization, it's the products and services that they use to support their mission." It's also the products and services companies use to "send down" the supply chain.
- NIST considers counterfeit products, hardware and software delivered with vulnerabilities, insider threats, and networks shared with partners as different types of cybersecurity risks to the supply chain. Other risks that are less directly related to cyber include poor quality control and maintenance in products and services.
Threat actors who target supply chains look for trusted relationships among companies and vendors to exploit. Supply chain risk management isn't a new concept, however. The present challenge is looping cybersecurity into existing plans.
The organizations best at incorporating cyber into their supply chain risk management are technology developers, technology providers, or "heavily in industry sectors that rely on technology," Boyens said.
But with supply chain risks, it's typically difficult to "tell the difference between a threat and a vulnerability," said Boyens. "If there's a backdoor in our product, it could be a very legitimate reason why there's a backdoor there, right?" Intention differentiates threats from vulnerabilities.
One of the ways inadvertent, or unintentional, supply chain risk is introduced is through privileged access, according to Gabriel Davis, risk operation federal lead at the Cybersecurity Division, Cybersecurity and Infrastructure Security Agency (CISA), during the webcast. Privileged access risks often just "come out of the box" because they have elevated privileges to run the third-party software. This software includes antivirus, road access, IT management, all running with the "highest level privileges that are allowed on the system," he said.
Devices with constant communication to and from a vendor, through software updates or patches, also introduce supply chain risks. If companies want to avoid a SolarWinds-like attack, they want to ensure their vendor's software build cycle is secure by default. Companies should also ask for a software bill of materials to support their supply chain risk management, Davis said.
But malware doesn't only slip in through software updates; it can also sneak in at the chip level, said Lawrence Reinert, computer systems researcher at the National Security Agency (NSA), during the webcast. Reinert recommends companies require secure boot, which is sometimes disabled.
Because of the interconnectedness of the supply chain, NIST has nine key practices for implementing a cyber supply chain risk management program (C-SCRM), including:
- Manage critical suppliers and the components you're using, consider their revenue contribution or the volume of data they host
- Have an understanding of the organization's supply chain, like a software or hardware component inventory
- Collaborate with the most key suppliers, including the system development life cycle
- Include those suppliers in improvement activities, develop protocols for communication vulnerabilities and incidents
- Monitor the supplier relationships, utilize self-assessments in procurement
However, Boyens warns that NIST's tips and how they are implemented will vary from industry to industry, and even company to company.
"It gets difficult because [companies] need to know the uniqueness about a lot of these things, including varying threats and operating environments," Boyens said.