Organizations advised to integrate cybersecurity into supply chain risk assessment practices, according to NIST.
The National Institute of Standards and Technology (NIST) has identified nine key practices for implementing a Cyber Supply Chain Risk Management (C-SCRM) program. These practices were discussed by Jon Boyens, deputy chief of the computer security division at NIST, during a virtual panel.
According to Boyens, organizations in sectors such as defence and intelligence are particularly adept at integrating cybersecurity into their supply chain risk management. This is because they understand the potential risks and the importance of a secure supply chain.
One of the key practices is ensuring that a vendor's software build cycle is secure by default. This means that security measures are in place from the very beginning of the development process. Devices with constant communication to and from a vendor also introduce supply chain risks, as they can provide a pathway for malware and other threats.
NIST considers counterfeit products, hardware and software delivered with vulnerabilities, insider threats, and networks shared with partners as different types of cybersecurity risks to the supply chain. To mitigate these risks, companies should have an understanding of their supply chain, including a software or hardware component inventory.
Another practice is to include suppliers in improvement activities and to develop protocols for communicating vulnerabilities and incidents. Companies should also monitor supplier relationships and utilize self-assessments in procurement.
Risks in the supply chain are found at the intersection of traditional information security and traditional logistics-based supply chain management. Threat actors who target supply chains look for trusted relationships among companies and vendors to exploit. Malware can be introduced at the chip level, making it difficult to detect and remove.
Privileged access risks often come from third-party software that runs with the highest level of privilege allowed on the system. To address this, companies should manage critical suppliers and the components they use, prioritizing them by their revenue contribution or the volume of data they host. Secure boot, which is sometimes found disabled, should be required.
To support their supply chain risk management, companies should ask suppliers for a software bill of materials. Collaboration with key suppliers, including throughout the system development life cycle, is also important. In supply chain risks it is typically difficult to distinguish between a threat and a vulnerability.
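As an added illustration of the component-inventory and software-bill-of-materials practices above (example code, not part of the original article or any NIST material), the following reconciles a constructed CycloneDX-style SBOM against a constructed approved-component inventory, a supplier-communicated list of vulnerable versions and an approved-supplier list; every component, version, supplier and advisory identifier is made up for the example.

```python
import json

# Constructed CycloneDX-style SBOM fragment (fictional components and vendors).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library",  "name": "libexample-tls", "version": "2.3.1", "supplier": {"name": "ExampleVendor"}},
    {"type": "library",  "name": "jsonparse",      "version": "1.0.9", "supplier": {"name": "ExampleVendor"}},
    {"type": "firmware", "name": "boot-agent",     "version": "0.8.0", "supplier": {"name": "UnknownCorp"}}
  ]
}
"""

# Constructed approved-component inventory: component name -> approved versions.
APPROVED_INVENTORY = {
    "libexample-tls": {"2.3.1", "2.3.2"},
    "jsonparse": {"1.1.0"},
}

# Constructed vulnerable versions as communicated by the supplier
# (the advisory id is a placeholder, not a real identifier).
KNOWN_VULNERABLE = {
    ("jsonparse", "1.0.9"): "ADVISORY-PLACEHOLDER-001",
}

# Constructed list of suppliers that passed procurement self-assessment.
APPROVED_SUPPLIERS = {"ExampleVendor"}


def review_sbom(sbom_json, inventory, vulnerable, suppliers):
    """Return (name, version, finding) tuples for components that need follow-up."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        name, version = comp["name"], comp["version"]
        supplier = comp.get("supplier", {}).get("name", "<unspecified>")
        if name not in inventory:
            findings.append((name, version, "not in component inventory"))
        elif version not in inventory[name]:
            findings.append((name, version, "version not approved in inventory"))
        if (name, version) in vulnerable:
            findings.append((name, version, f"known vulnerable: {vulnerable[(name, version)]}"))
        if supplier not in suppliers:
            findings.append((name, version, f"supplier not on approved list: {supplier}"))
    return findings


if __name__ == "__main__":
    for finding in review_sbom(SBOM_JSON, APPROVED_INVENTORY, KNOWN_VULNERABLE, APPROVED_SUPPLIERS):
        print(finding)
```

A component that is in the inventory, at an approved version, from an approved supplier and not on the vulnerable list produces no finding; the other cases surface the unapproved version, the vulnerable version, the unknown component and the unvetted supplier separately.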
Gabriel Davis, risk operation federal lead at the Cybersecurity Division, Cybersecurity and Infrastructure Security Agency (CISA), discussed these issues during a webcast. He emphasized the importance of understanding the organization's supply chain and taking proactive measures to manage risks.
In conclusion, implementing a C-SCRM program is crucial for organizations to protect their supply chain from cyber threats. By following NIST's key practices, organizations can take steps to secure their supply chain and reduce the risk of cyber attacks.