NIST’s Draft Cyber Supply Chain Risk Management Guidance

The National Institute of Standards and Technology (NIST) has published its latest draft guidance document on cyber supply chain risk management. The guidance is intended to help organizations implement an effective cyber supply chain risk management program.

Businesses today rely on other companies for important products and services, yet they often overlook their supply ecosystems. Sourcing products and services from third parties has several merits, but it also carries risks. Threat actors can exploit weaknesses in supply chains, and supply chain attacks are growing in number.

In the second half of 2018, the Operation ShadowHammer supply chain attack compromised the ASUS Live Update utility. About 500,000 users of the utility were affected before the attack was identified.

The threat group known as Dragonfly, also tracked as Energetic Bear, compromised the update websites used by several industrial control system (ICS) software vendors and planted a backdoor in their ICS software. Three ICS software vendors were affected, which led to malware infections at companies in the energy sector.

Carbon Black's 2019 Incident Threat Report stated that “island hopping” was involved in 50% of the attacks it examined. The term “island hopping” refers to cyberattacks that spread across a company and its clients and business partners.

The Ponemon Institute's Data Risk in the Third-Party Ecosystem study from November 2018 found that 59% of organizations had experienced a data breach that occurred at a third-party provider. A July 2018 CrowdStrike report found that 66% of survey respondents had been affected by a software supply chain attack.

Given the growth in supply chain attacks, it is important for companies to establish and operate an effective cyber supply chain risk management program. However, many companies do not know where to start, and those that have tried do not consider their programs highly effective.

NIST has researched the process of securing supply chains and over the last 10 years has drafted several guidance documents and case studies to help businesses assess and manage supply chain risks. The goal of the latest guidance document is to help organizations get started with Cyber Supply Chain Risk Management (C-SCRM).

The guidance document sets out a baseline of key C-SCRM practices, drawn from industry case studies conducted in 2015 and 2019 together with prior NIST research and guidance and industry best-practice information. Once these baseline practices are in place, more advanced standards, recommendations, and best practices can be adopted to further strengthen supply chain security.

The latest guidance document, entitled “Key Practices in Cyber Supply Chain Risk Management: Observations from Industry (Draft NISTIR 8276)”, can be downloaded from https://csrc.nist.gov/publications/detail/nistir/8276/draft. NIST is accepting comments on the draft until March 4, 2020.