Cyber Supply Chain Best Practices

In a Nutshell: Cybersecurity in the supply chain cannot be viewed as an IT problem only. Cyber supply chain risks touch sourcing, vendor management, supply chain continuity and quality, transportation security and many other functions across the enterprise and require a coordinated effort to address.

Cyber Supply Chain Security Principles:
1. Develop your defenses based on the principle that your systems will be breached. When one starts from the premise that a breach is inevitable, it changes the decision matrix on next steps. The question becomes not just how to prevent a breach, but how to mitigate an attacker's ability to exploit the information they have accessed and how to recover from the breach.
2. Cybersecurity is never just a technology problem; it is a people, processes and knowledge problem. Breaches tend to be less about a technology failure and more about human error. IT security systems won't secure critical information and intellectual property unless employees throughout the supply chain use secure cybersecurity practices.
3. Security is Security. There should be no gap between physical and cybersecurity. Sometimes the bad guys exploit lapses in physical security in order to launch a cyber attack. By the same token, an attacker looking for ways into a physical location might exploit cyber vulnerabilities to get access.

Key Cyber Supply Chain Risks: Cyber supply chain risks cover a lot of territory. Some of the concerns include risks from:
• Third party service providers or vendors (from janitorial services to software engineering) with physical or virtual access to information systems, software code, or IP.
• Poor information security practices by lower-tier suppliers.
• Compromised software or hardware purchased from suppliers.
• Software security vulnerabilities in supply chain management or supplier systems.
• Counterfeit hardware or hardware with embedded malware.
• Third party data storage or data aggregators.

Examples of Cybersecurity Questions: Companies are using the following questions to determine how risky their suppliers' cybersecurity practices are:
• Is the vendor's software / hardware design process documented? Repeatable? Measurable?
• Is the mitigation of known vulnerabilities factored into product design (through product architecture, run-time protection techniques, code review)?
• How does the vendor stay current on emerging vulnerabilities? What are the vendor's capabilities to address new "zero day" vulnerabilities?
• What controls are in place to manage and monitor production processes?