Addressing Supply Chain Risk with an NIST Security Framework

In our increasingly interconnected world, businesses are highly dependent on the dynamic mesh of digital links with customers, partners, suppliers and service providers. While these connections help drive efficiency and productivity, they can also create a conduit for unwanted intrusions.

Malicious actors are actively exploiting such connections for the widespread delivery of malicious software. The SolarWinds and Kaseya hacks are noteworthy examples of attacks in which criminals compromise a single weak link in a supply chain to spread malware to hundreds or thousands of victims.

In both the SolarWinds and Kaseya attacks, cybercriminals planted malicious code into IT management software products the companies sell. Tens of thousands of their customers were then infected when they installed or updated their software.

Such one-to-many attacks have increased substantially in the past two years. In a recent global survey of IT security officers from large companies, 93 percent reported they have suffered a breach directly resulting from weaknesses in their supply chain.

Trust, but Verify

These attacks are particularly menacing because they exploit the inherent trust in supply chain models. As Nick Weaver, a security researcher at UC Berkeley's International Computer Science Institute, noted in a recent interview with Wired magazine: “You're trusting every vendor whose code is on your machine, and you're trusting every vendor’s vendor.”

To minimize supply chain risks, organizations must vet their suppliers and partners to ensure they meet certain security standards. Recommendations from the National Institute of Standards and Technology (NIST) provide a solid framework for improving supply chain security. NIST security guidelines help organizations create a structured approach to identifying vulnerabilities, detecting threats, assessing risk, controlling access and recovering from any attack.

NIST’s Special Publication (SP) 800 series offers particularly valuable guidance. NIST SP 800 is a series of hundreds of publications that address security and privacy best practices for government IT systems, but it is widely used in the private sector as well.

Recommended Actions

Several NIST SP 800 publications provide the basis for NIST’s Cyber Supply Chain Risk Management (C-SCRM) program, a framework that any organization can use to manage risks associated with the vendors and suppliers in its distribution channels. For example, NIST SP 800-161 outlines organizational, training and information-sharing processes that should be integrated with an organization’s broader risk-management program. Meanwhile, the recently updated NIST SP 800-53 goes into more detail about specific security and privacy controls.

NIST says its recommended controls are meant to reduce the probability of adversaries successfully targeting the supply chain. Recommendations include:

  • Avoid purchasing hardware and software with custom or non-standardized configurations.
  • Develop and maintain lists of approved vendors with standing reputations in industry.
  • Create and follow maintenance schedules for the delivery of updates and security patches.
  • Develop a contingency plan in the event of a supply chain issue.
  • Identify multiple suppliers for replacement components.
  • Employ a diverse set of developers and logistics service providers.
  • Include controls in contracts with third-party suppliers and vendors, and ensure they are also included in the contracts of their subcontractors.
  • Create a system of labeling or tagging systems and components for tracking through the supply chain.

A security framework built on NIST guidelines helps ensure a coherent and repeatable approach. That is particularly important now that organizations must rely on widely distributed resources and workforces.

However, organizations with limited IT staff may find it difficult to wade through all the NIST publications and develop an effective and comprehensive plan. Partnering with a managed services provider such as Verteks can help streamline the process. Contact us to learn how we can help you develop and implement robust supply chain security.