
Supply chain entities should incorporate cybersecurity risks into their risk management strategies, as suggested by NIST.

Technology-reliant industries excel in integrating cyber elements into their supply chain risk management strategies, as per NIST's Jon Boyens.

Supply chain risk management should incorporate cybersecurity, according to a call from the National Institute of Standards and Technology (NIST).


Securing the supply chain has never been more critical. Devices and vendors communicate constantly, usually through software updates and patches, and every such channel can carry supply chain risk: in the SolarWinds attack, a backdoor inserted into the vendor's build process reached customers inside a legitimately signed update. To prevent such incidents, companies must ensure that their vendors' software build cycle is secure by default.

Threat actors targeting supply chains seek to exploit the trust relationships between companies and their vendors. These risks sit at the intersection of traditional information security and traditional, logistics-based supply chain management. The organizations best equipped to incorporate cybersecurity into their supply chain risk management are technology developers, technology providers, and industry sectors that rely heavily on technology.

The National Institute of Standards and Technology (NIST) has outlined nine key practices for implementing a cyber supply chain risk management (C-SCRM) program: defining supply chain cybersecurity requirements, identifying critical suppliers and service providers, assessing supply chain risks, implementing risk mitigation strategies, monitoring supply chain security continuously, establishing incident response plans, promoting information sharing, training personnel on supply chain cybersecurity, and reviewing and updating security practices regularly. How these practices are applied may vary by industry and by company, depending on specific risks, regulatory requirements, and organizational size.

Privileged access risks are often introduced unintentionally in the supply chain, according to Gabriel Davis from the Cybersecurity Division, Cybersecurity and Infrastructure Security Agency (CISA). These risks can come from third-party software with elevated privileges. Other risks include poor quality control and maintenance in products and services, counterfeit products and software delivered with vulnerabilities, insider threats, networks shared with partners, and malware slipping in at the chip level.

To support supply chain risk management, companies should ask vendors for a software bill of materials (SBOM), as suggested by Gabriel Davis. Lawrence Reinert, a computer systems researcher at the National Security Agency (NSA), recommended that companies require secure boot, which is sometimes disabled, to prevent malware from entering at the chip level. Companies should also be aware of both adversarial and unintentional supply chain threats, as stated by Jon Boyens, deputy chief of the computer security division at NIST.
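Asking for an SBOM is only useful if someone actually reads it. The following is an added example, not code from the article or from NIST, CISA or NSA: it parses a CycloneDX-style SBOM and flags the components a buyer should follow up on (a version that appears in an advisory table, a missing supplier, a missing or weak integrity hash, a missing package URL). The SBOM document, the package names and the "known-affected" table are constructed for this example and do not refer to any real advisory.

```python
"""Review a CycloneDX-style SBOM and flag components that need follow-up.

Added example, not from the article or from NIST/CISA/NSA. The SBOM and the
KNOWN_AFFECTED table are constructed; the package names are hypothetical.
"""
import json

# Constructed CycloneDX 1.4-style SBOM. Real SBOMs come from the vendor's
# build tooling; this one is hand-written so the example runs offline.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-logger", "version": "2.14.0",
         "purl": "pkg:maven/org.example/example-logger@2.14.0",
         "supplier": {"name": "Example Org"},
         "hashes": [{"alg": "SHA-256", "content": "aa" * 32}]},
        {"type": "library", "name": "fastjson-lite", "version": "1.3.1",
         "purl": "pkg:pypi/fastjson-lite@1.3.1"},
        {"type": "application", "name": "updater-agent", "version": "5.0.2",
         "purl": "pkg:generic/updater-agent@5.0.2",
         "supplier": {"name": "Example Vendor"},
         "hashes": [{"alg": "MD5", "content": "bb" * 16}]},
    ],
})

# Hypothetical advisory table: package name -> versions known to be affected.
# In practice this would be fed from a vulnerability database, not hard-coded.
KNOWN_AFFECTED = {
    "example-logger": {"2.14.0", "2.14.1"},
}

# Hash algorithms acceptable for verifying a delivered artifact.
STRONG_HASHES = {"SHA-256", "SHA-384", "SHA-512", "SHA3-256", "SHA3-384", "SHA3-512"}


def parse_components(sbom_json):
    """Load the document and return its component list (empty if none)."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc.get("components", [])


def review_component(comp):
    """Return a list of human-readable findings for one component."""
    findings = []
    name, version = comp.get("name"), comp.get("version")
    if version in KNOWN_AFFECTED.get(name, ()):
        findings.append("known-affected version")
    if not (comp.get("supplier") or {}).get("name"):
        findings.append("no supplier named")
    algs = {h.get("alg") for h in comp.get("hashes", [])}
    if not algs:
        findings.append("no integrity hash")
    elif not algs & STRONG_HASHES:
        findings.append("only weak hash (%s)" % ", ".join(sorted(algs)))
    if not comp.get("purl"):
        findings.append("no package URL")
    return findings


def review_sbom(sbom_json):
    """Map 'name@version' -> findings for every component that has any."""
    report = {}
    for comp in parse_components(sbom_json):
        findings = review_component(comp)
        if findings:
            report["%s@%s" % (comp.get("name"), comp.get("version"))] = findings
    return report


if __name__ == "__main__":
    for ident, findings in review_sbom(SAMPLE_SBOM).items():
        print(ident)
        for f in findings:
            print("  -", f)
```

The checks are deliberately about what the buyer can verify independently of the vendor's claims: a component with no hash cannot be matched against the artifact actually delivered, and a component with no supplier cannot be traced when an advisory appears.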
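The secure boot requirement above is something a fleet owner can verify on each host rather than take on trust. This added example (not from the article or from NSA) reads the UEFI SecureBoot variable through Linux efivarfs: each variable file carries a 4-byte attribute word followed by the variable data, and for SecureBoot the data is a single byte, 1 for enabled and 0 for disabled. The decoder is separated from the filesystem access so it can be exercised with constructed bytes; on Windows the equivalent check is the `Confirm-SecureBootUEFI` cmdlet.

```python
"""Report UEFI Secure Boot state on a Linux host via efivarfs.

Added example, not code from the article. Reading the live variable requires
a UEFI boot and a mounted /sys/firmware/efi/efivars; the decoder itself can be
tested with constructed bytes.
"""
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")
ATTR_LEN = 4  # efivarfs prefixes variable data with a little-endian uint32 of attributes


def secure_boot_state(raw):
    """Decode the raw efivarfs contents of the SecureBoot variable.

    Returns True (enabled), False (disabled) or None if the data is malformed.
    """
    if len(raw) < ATTR_LEN + 1:
        return None
    value = raw[ATTR_LEN]
    if value not in (0, 1):
        return None
    return value == 1


def read_secure_boot(efivars=EFIVARS):
    """Read the live SecureBoot variable.

    Returns True/False, or None when the host did not boot via UEFI (no efivarfs)
    or the firmware does not expose the variable at all.
    """
    if not efivars.is_dir():
        return None
    # The file is named SecureBoot-<EFI_GLOBAL_VARIABLE GUID>; match by prefix.
    for var in efivars.glob("SecureBoot-*"):
        try:
            return secure_boot_state(var.read_bytes())
        except OSError:
            return None
    return None


if __name__ == "__main__":
    state = read_secure_boot()
    if state is None:
        print("Secure Boot: not available (legacy BIOS boot or variable absent)")
    else:
        print("Secure Boot:", "enabled" if state else "DISABLED")
```

A host that reports "not available" deserves the same follow-up as one that reports disabled: either way the firmware is not enforcing signatures on the boot chain. A complete check also reads the SetupMode variable, since a firmware in setup mode is not enforcing Secure Boot even if the SecureBoot flag reads 1.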

In the context of supply chain risk it is often hard to tell a threat from a vulnerability. How NIST's C-SCRM guidance is applied will vary from industry to industry, and even from company to company, according to Jon Boyens. The present challenge is folding cybersecurity into existing supply chain risk management plans: the idea is not new, but it is increasingly crucial in today's digital world.
