January 12, 2023
Back in May of 2022, the National Institute of Standards and Technology (NIST) updated its cybersecurity recommendations for supply chains. The revised publication, formally titled “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations” and designated NIST Special Publication 800-161 Revision 1, provides guidance on identifying, assessing, and responding to cybersecurity risks throughout the supply chain at all levels of an organization. It forms part of NIST’s response to Executive Order 14028, Improving the Nation’s Cybersecurity, specifically Sections 4(c) and 4(d), which concern enhancing the security of the software supply chain.
What is NIST saying about supply chains in 2023 and beyond?
According to NIST, the updated publication “offers key practices for organizations to adopt as they develop their capability to manage cybersecurity risks within and across their supply chains. It encourages organizations to consider the vulnerabilities not only of a finished product they are considering using, but also of its components — which may have been developed elsewhere — and the journey those components took to reach their destination.”
Essentially, NIST is saying that supply chains in general are a major security weak point. The main reason is that a device may have been designed in one country and built in another, using components from various parts of the world that were themselves assembled from parts made by disparate manufacturers. What you end up with is a single computer containing parts from dozens of countries, each with its own safety and security standards, and each part having passed through hands that the end customer cannot see or vet. From a cybersecurity standpoint, this is less than ideal: a weakness introduced at any one of those steps travels with the finished product.
Why is supply chain security so important?
Supply chains are all about getting customers what they need at the right price, place, and time. Any disruption of, or risk to, the integrity of the products or services being delivered, the privacy of the data being exchanged, and the completeness of the associated transactions can have damaging operational, financial, and brand consequences. Data breaches, ransomware attacks, and malicious activity by insiders or outside attackers can occur at any tier of the supply chain. Even a security incident localized to a single vendor or third-party supplier can significantly disrupt the “plan, make, and deliver” process. These chains are becoming increasingly global and increasingly complex, which makes securing them far more challenging. Every link in the chain adds an element of risk that needs to be assessed, managed, and mitigated.
How can supply chains be secured?
Supply chain security requires a multifaceted approach. There is no panacea, but organizations can protect their supply chains with a combination of layered defenses. As teams focused on supply chain security make it more difficult for threat actors to penetrate that maze of security controls, they gain more time to detect malicious activity and act on it before it spreads to the next link in the chain.
Rimstorm can play a vital role in this process, as we bring needed security and continuous monitoring to every element of the chain that we’re given access to. To learn more about how Rimstorm can protect your organization from supply chain disruption, contact us today for a free consultation.