Draft Cyber Supply Chain Risk Management Guidance Published by NIST

The National Institute of Standards and Technology (NIST) has published a new draft guidance document on cyber supply chain risk management to help organizations implement an effective cyber supply risk management program.

Organizations now rely on other organizations to provide critical products and services, yet they often lack visibility into their supply ecosystems. Using third parties for products and services brings many benefits, but also introduces risks. Vulnerabilities in supply chains can be exploited by threat actors and attacks on supply chains are on the rise.

In the second half of 2018, the Operation ShadowHammer supply chain attack saw the software update utility of ASUS compromised. Up to 500,000 users of the ASUS Live Update utility were impacted before the cyberattack was discovered.

The DragonFly threat group, aka Energetic Bear, compromised the update site used by several industrial control system (ICS) software producers and added a backdoor to ICS software. Three ICS software producers are known to have been compromised, resulting in companies in the energy sector being infected with malware.

An Incident Threat Report published by Carbon Black in 2019 found “island hopping” was involved in 50% of attacks. Island hopping is the term given to cyberattacks that target an organization through its clients and partners.

The November 2018 Data Risk in the Third-Party Ecosystem study conducted by the Ponemon Institute revealed 59% of companies had been impacted by a data breach at one of their third-party suppliers, and a CrowdStrike report published in July 2018 indicated 66% of respondents to its survey had been impacted by a software supply chain attack.

With supply chain attacks on the rise, it is more important than ever for organizations to develop and implement an effective cyber supply chain risk management program. However, many organizations don’t know where to start, and a significant number of those that have implemented such a program do not believe it to be effective.

NIST has been conducting research on the challenge of securing supply chains and has published several guidance documents and case studies over the past 10 years to help organizations assess and manage supply chain risks. The aim of the latest guidance document is to help organizations get started with Cyber Supply Chain Risk Management (C-SCRM).

The document includes a basic set of C-SCRM key practices, which are based on industry case studies conducted in 2015 and 2019, past NIST research and guidance, and industry best practice documents. Once the basic key practices have been adopted, more extensive standards, guidelines, and best practices can then be applied to further improve supply chain security.

The new guidance document – Key Practices in Cyber Supply Chain Risk Management: Observations from Industry (Draft NISTIR 8276) – can be downloaded at this link. NIST is accepting comments on the draft guidance document until March 4, 2020.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.