Reduce Cyber Supply Chain Risks When Integrating New Technology

Reduce Cyber Supply Chain Risks When Integrating New Technology

By Angel Davila

When it comes to integrating the latest technological breakthroughs into supply chain management, we may consider the cost savings, systems efficiency, and profitability, rather than the risks and the need for rigorous vetting. Once in a breach crisis however, typical kneejerk reactions are often met with typical kneejerk solutions, which often become permanent until the next vulnerability is identified. Does this lack of proactivity bring the game “whack-a-mole” to mind?

The National Institute of Standards and Technology (NIST) writes in its Best Practices in Cyber Supply Chain Risk Management guidance that “cybersecurity in the supply chain cannot be viewed as an IT problem only,” and must be addressed across the enterprise. Key risks noted by NIST include third-party vendors, poor security practices by lower-tier suppliers, and compromised or counterfeit software/hardware purchased from suppliers. Every phase of technology integration is crucial and must be closely examined through a security lens. Here are ways to monitor three critical phases of supply chain technology integration – research (conception), development (manufacturing) and fielding (deployment).

Phase 1: Research (Conception)

• Collaboration: Adversaries are constantly seeking personnel with exposure to a product’s research phase in order to develop a competitive edge. Collaboration opportunities in this phase are frequent, therefore, it is expected that researchers might be exposed to would-be adversaries during this time. Organizations should implement effective policies that appropriately account for collaborative environments.
• Travel: Individuals who are involved in research must understand that they are targets while traveling abroad. Foreign state security and intelligence services employ creative methods to obtain sensitive information. Travel light and assume that anything brought abroad can be stolen or tampered with.

Phase 2: Development (Manufacturing)

• Third-party vendors: Several parties are likely to be involved in the development phase of crucial components to said technology, meaning third-party vendors should be deemed just as critical as those spearheading the development effort. Do your vendors’ security practices and policies align with your own standards? Do you have contractual requirements to meet such standards, or notify you of a breach? Are component purchases tightly controlled? Are vulnerability monitoring and mitigation factored into the design?
• Performance: Since cost and savings are often considered ahead of security and integrity, we may overestimate the performance and competence of developers and manufacturers – are their products proven in the marketplace? If so, how do you know this? Not all vendors are obligated to disclose these details, and in some cases, disclosing known product performance issues is voluntary.

Phase 3: Fielding (Deployment)

• Managed services: What is the plan for servicing technology once it is introduced to your systems? In the absence of appropriate contract language, developers may outsource servicing to companies that you may know nothing about, including its personnel and location.
• Liability: Your organization may be held legally liable by U.S. regulatory agencies in the event of a data breach caused by your organization. Depending on the severity of a breach and data compromised, your organization may be assessed fines and suspensions. Organizations should build appropriate contracts that disclose liabilities and outline the responsibilities of every contributor.

NIST advises that supply chain professionals should partner with every team that touches any part of a product during its development lifecycle to ensure that cybersecurity is addressed. Assessing your technology integration process prior to a cyber event will save your organization valuable resources and prevent business interruption. 

Angel Davila is a senior cybersecurity analyst at TSC Advantage, which provides enterprise security assessments, cybersecurity consulting and managed security services to critical infrastructure and Fortune 500 companies.