Reducing the cybersecurity risk to one of the most vulnerable aspects of commerce — global supply chains — is the goal of a new publication by the National Institute of Standards and Technology (NIST), whose computer security experts have distilled a set of effective risk management techniques into a draft guidebook for businesses. NIST is seeking public comment on the draft for the next 30 days.
Key Practices in Cyber Supply Chain Risk Management (Draft NISTIR 8276) provides a set of strategies to help businesses address the cybersecurity issues posed by modern information and communications technology products, which are commonly built using components and services supplied by third-party organizations. The composed nature of these devices and systems makes them difficult to secure effectively against malware and other threats, placing manufacturers, service providers and end users at risk.
“The seed of the problem is that everything is interconnected nowadays,” said NIST’s Jon Boyens, one of the draft report’s authors. “Products are very sophisticated, and with our globalized economy, companies often outsource the tasks of developing components and code to other companies, involving multiple tiers of suppliers.”
Vulnerabilities in the cyber supply chain — really a complex network of connections rather than a single strand — involve not only microchips and their internal code, but also the support software for a device and the other companies that have access to its components. Put them all together, and it can be a daunting task to anticipate every systemic weakness that an adversary might exploit.
Many recent cyber breaches have been linked to supply chain risks. A recent high-profile attack from the second half of 2018, Operation ShadowHammer, is estimated to have affected up to a million users. A 2013 attack by the Dragonfly group targeted companies with industrial control systems, such as those distributing energy within the U.S. This attack infected companies in critical industries with malware. Symantec’s 2019 Internet Security Threat Report found supply chain attacks increased by 78 percent in 2018.
The NIST report is a high-level document intended to be easily understood and applied in managing these risks. Its core is a 27-page section outlining eight key practices that have proved to be useful, from establishing a formal risk management program to collaborating closely with key suppliers. Each key practice is accompanied by a set of recommendations, and because each organization will have its own specific needs, the authors also include guidance on how to apply these recommendations.
Acknowledging that companies in different economic sectors might manage supply chain risk differently, the authors also offer a set of 24 case studies in risk management that feature a variety of businesses ranging from aerospace and IT manufacturers to consumer goods companies. These case studies, along with a summary of the findings, are available at NIST’s Cyber Supply Chain Risk Management Key Practices page.
“Many companies share the same suppliers, but their overall supply chains are still very different,” Boyens said. “To supplement our report you can look for the case studies that are relevant to your industry.”
The April 2018 update to the NIST Cybersecurity Framework added a new section about supply chain risk management, and the new report cross-references the framework so that organizations can use both sets of NIST guidance together, Boyens said.
Public comments on Draft NISTIR 8276 can be submitted until March 4, 2020, to scrm-nist [at] nist.gov, and NIST will consider them before releasing a final version, planned for Spring 2020.