Supply chain attacks threatened the interconnectedness of global markets. It is common for multiple customers to rely on the same supplier. Therefore, a single cyberattack could potentially have a large-scale national or cross-border impact. Suppliers are at a disadvantage because they are becoming the weakest link on the supply chain. Because of this, they need to be better protected against the risk of cyberattacks. However, customers also need to practice increased due diligence with selecting and vetting their suppliers and manage the risk that can stem such relationships.
In our first article- Understanding Supply Chain Attacks - What You Need to Know, we provided an outline of the supply chain and the classification of supply chain attacks.
Managing Supply Chain Cybersecurity Risk
To manage supply chain cybersecurity risk, customers should:
- Identify and document types of service providers and suppliers
- Understand the risk criteria for different types of services and suppliers
- Assess their supply chain risk
- Define guidelines for risk treatment based on good practices
- Monitor supply chain threats and risks
- Make their teams aware of the risk
Managing the Relationship to Suppliers
To manage supplier relationships, customers should:
- Manage suppliers over the entire lifecycle of a service or product
- Classify what information and assets are to be shared or made accessible to suppliers
- Define obligations of suppliers to protect customers’ assets
- Define security requirements of acquired products and services
- Monitor performance and conduct routine security audits
- Receive assurance of service providers and suppliers that no hidden features or backdoors exist
- Ensure regulatory and legal requirements at considered
- Define processes for managing changes in supplier agreements
What About the Responsibilities of Suppliers?
Suppliers are tasked with the responsibility of ensuring the secure development of products and services according to commonly accepted security practices by:
- Ensuring that cybersecurity practices are followed for infrastructure used to design, develop, manufacture and deliver products, services and components
- Implementing processes for product development, maintenance and support that is consistent with commonly accepted product development processes
- Basing product category and risks according to applicability of technical requirements
- Providing conformance statements to customers for known standards, such as ISO/IEC 27001, IEC 62443-4-1, and IEC 62433-4-2
- Maintaining accurate and up-to-date data on software code and applying controls to internal and third-party software components, services, and tools
- Perform regular audits to ensure compliance to the above measures are met
Suppliers Should Implement Good Practices for Vulnerability Management
As with any product or service built with components and software present in software development processes, suppliers should:
- Monitor internal, external and third-party components for security vulnerabilities
- Conduct risk analysis of vulnerabilities
- Maintain processes for secure patch delivery
- Inform customers of processes
What Can Be Learned from ENISA’s Report
The cost to directly attack a well-protected organization continues to increase. Therefore, attackers are focusing their efforts on supply chains instead. The number of security threats and failures facing supply chains also continues to increase.
Supply chain attacks are often complex and require careful planning over months or years. Attacks on suppliers can have far reaching consequences. Suppliers should continue establishing good practices regarding cybersecurity.
About the author
Dawn M. Turner is a professional author with a passion for technical regulations and standards, as well as for their relevance and impact on corporate operations and industry in general. Dawn has more than 10 years of IT industry experience in hardware, programming & systems & network engineering. Her educational background includes a Certificate in computer operations & programming, CompTIA and Microsoft certifications, including A+, MCSE and MCP, Associates degree with major in business & minor in computer science, Bachelors of Science degree with major in business forensics & minor in accounting and an MBA with concentrations in finance & economics.