If cybersecurity risk in the supply chain is the potential for harm or compromise arising from the cybersecurity risks posed by suppliers, their supply chains, and their products or services, then Cybersecurity Supply Chain Risk Management (C-SCRM for short) is the process of identifying, assessing and mitigating risks in an organization's supply chain for Information and Communications Technology (ICT) products and services that could affect the security and integrity of the organization's own products, services and operations.
According to the National Institute of Standards and Technology, Cybersecurity Supply Chain Risk Management sits at the intersection of information security and supply chain management:
Long story short: because risk factors continue to increase and are becoming more diverse.
These include external malicious actors of course, but also insider threats, vulnerabilities introduced during product and component development, gaps in physical security, influence from foreign ownership that may not align with the company's best interests, compliance and legal requirements relating to counterfeit or non-conforming products, and evolving sanctions or lists of prohibited suppliers, just to name a few.
As a matter of fact, there is a strong realization that the root causes of this risk are significant:

| Root cause | Evidence |
|---|---|
| Increased dependency on 3rd-party vendors, complexity of supply chains and lack of transparency | 98% have been affected by a cybersecurity breach in their supply chain (BCG, 2023) |
| Sophistication of attackers and compromised partners | 90% believe they are at risk of a supply chain attack and think vetting software suppliers is a critical activity, but only 33% actually do (NIST, 2021) |
| Vulnerable code and implanted backdoors | 633% year-on-year increase in malicious software supply chain attacks in 2022 (BCG, 2023) |
To protect companies and customers, many countries and economic regions have decided to release guidance to be followed and, in some cases, to give an extra "push" by issuing regulatory requirements. And 2024 will be an eventful year for Cybersecurity Supply Chain Risk Management on that front!
Illustration of select C-SCRM requirements in Australia, Europe and the United States
Let's start answering this question with the industries in scope of Cybersecurity Supply Chain Risk Management recommendations.
And there are many!
In no particular order, the following industries have been explicitly mentioned in at least one of the sources listed at the bottom of this blog: Energy, Education, Transport, Financial Services, Health and Medical, Space Technology, Grocery and Food (production, processing and distribution), Water (drinking and waste/sewage), Defence, Communications, Digital Infrastructure (DNS, data centres, storage, Cloud computing), Information and Communications Technology Services, Public Administration, Postal Services, Chemicals, Manufacturing (medical devices, computer and electronic products, electrical equipment, motor vehicles), Research… and more! In essence, every industry where there is an ICT component in the product or service being delivered is in scope. Just think of your wearable device or your connected coffee maker!
Contrary to a widespread misconception, Cybersecurity Supply Chain Risk Management isn't restricted to large companies. Small and medium-sized enterprises are increasingly becoming the target of supply chain attacks.
If your company is in one of the industries listed above, or if you simply want to ensure the integrity, security, quality and resilience of your supply chain and of your products and services, you may decide to implement a Cybersecurity Supply Chain Risk Management approach.
Stakeholder engagement
For it to be successful, representatives of at least 3 stakeholders should be involved in designing the approach:
Best practice framework
Once the governance is defined, the next step is choosing a standard. There are of course different frameworks that can be leveraged, but the 2 major ones have been issued by the National Institute of Standards and Technology (NIST) and by the European Union Agency for Cybersecurity (ENISA):
NIST:
ENISA:
"Blended" summary:

- Context and Scope
  - Identify suppliers and assess their criticality
  - Identify business objectives, risk appetite and risk tolerance
  - Document threat sources and vulnerabilities
- Assess
  - Assess supply chain cybersecurity risks
  - Determine the exposure of enterprise operations
  - Prioritize risks for mitigation
- Respond
  - Make and document decisions
  - Implement management, operational and technical controls
  - Document contingency plans
- Monitor and Review
  - Monitor risks against appetite and tolerance
  - Monitor the effectiveness of risk responses
  - Document and track incidents (and their resolution)
  - Screen suppliers
  - Audit for compliance
Key benefits that organizations implementing a Cybersecurity Supply Chain Risk Management approach can achieve include:
In summary, a sound Cybersecurity Supply Chain Risk Management approach helps strengthen the supply chain and address risks that can occur at every step:
Examples of risks in the Design-to-Operate process
What about you, has your company already implemented a Cybersecurity Supply Chain Risk Management approach? If so, what insights would you share with peers looking at doing the same? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard
And if you are interested in learning more about SAP solutions for Governance, Risk, and Compliance, feel free to fill in the demo request form!
Additional sources:
Should you want to read more about this topic, I would suggest the following sources: