Cybersecurity Supply Chain Risk Is Not a Zero-Day Threat

With an increasing number of public supply chain attacks, it's important to remember that there are established frameworks that can significantly reduce risk.

Supply chain attacks are big news in 2021, impacting the daily lives of people around the world.

There has been no shortage of supply chain security incidents in 2021. The SolarWinds attack that was first publicly reported in December 2020 spread to thousands of organizations. The Colonial Pipeline was attacked in a ransomware incident that affected the fuel supply across the East Coast of the US. There was even a ransomware attack against meat supplier JBS, and at the beginning of July there was the Kaseya attack that hit more than 1,500 businesses around the world.

Supply chain security is not a new topic, but with the intensity of attacks that have affected the real world in 2021 there has been renewed focus on the issue. While new attention is being paid to supply chain security, there are well-established frameworks and best practices that organizations can take advantage of today to help minimize supply chain risk.

Supply Chain Security Is Not a New Topic
The National Institute of Standards and Technology (NIST) has issued a great deal of guidance over the last decade that has a direct impact on supply chain security. In 2013, as a result of President Obama's Executive Order 13636, the NIST Cybersecurity Framework was created in a bid to help improve critical infrastructure security.

NIST also has a specific set of guidelines and recommendations, known as Cyber Supply Chain Risk Management (C-SCRM), that have been available since at least 2016. The C-SCRM guidelines benefit from multiple efforts, including NIST SP 800-161, titled "Supply Chain Risk Management Practices for Federal Information Systems and Organizations," which was released in 2015. NIST SP 800-53, published in 2020, goes a step further, defining security and privacy controls. More recently, NISTIR 8276, released in February 2021, identifies key practices in cyber supply chain risk management.

So, with all that guidance already available, why do supply chain cybersecurity incidents continue to occur? There are many possible reasons, including a lack of awareness of the proactive steps that organizations can take to reduce risk. Another likely factor is that some organizations simply believe they are not at risk and that the guidance does not apply to them.

The reality is that software runs the world, and all software is built with a supply chain. It's time that organizations of all sizes recognize that supply chain security is a risk that affects us all.

Challenges of Supply Chain Management
While there are established frameworks and guidance, cybersecurity supply chain management is often not a simple task.

It can be difficult for organizations to understand the whole supply chain, as suppliers often rely on other suppliers. As supply chains become increasingly complex, the visibility many organizations have into them declines correspondingly.

Cyber supply chain risk management is, in many ways, not primarily a technology discussion at first. Rather, it is about acknowledging the need for a formal program around cybersecurity risk management, actually putting a plan in place, and embedding it into the organization's overall risk plan.

The Path to Cyber Supply Chain Risk Management
At the upcoming Black Hat USA 2021 event this summer, Cisco has a session titled "The Side Door: Don't let your suppliers or partners open it for cyberattacks," where we'll provide some prescriptive guidance on how to limit cyber supply chain risk.

A key part of that guidance is to have a formal supply chain risk management program, as it's critical for organizations to have visibility into their own supply chains. Organizations need to understand who they are doing business with and how suppliers secure data and application development. Visibility into security processes from suppliers should be considered as part of any buying decision.

While process has a key role to play in supply chain risk management, so too does technology.

Implementing network segmentation techniques, such that operational technology (OT) and information technology (IT) networks are separated, is a key best practice. The concepts of least privilege access and zero trust are also important, because organizations should provide only the access that is needed to enable a service to run. Visibility into network activity via DNS is another core recommendation. Many types of attacks will attempt to communicate with external resources, and DNS can be leveraged as a control point to limit that risk.
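The following is an added illustration of the three controls just described (segmentation, least-privilege access and DNS as a control point) working together; it is not code from the article, from Cisco or from the author. It classifies resolver query log lines against a segment-aware DNS policy: OT hosts may only resolve an explicit allowlist, IT hosts additionally get a known-good baseline, random-looking hostnames are blocked, and anything else is flagged for review. The log format, segment address ranges, domain lists, entropy threshold and sample log lines are all assumptions constructed for the example; a real deployment would take them from the resolver's own logs and the organization's supplier inventory.

```python
"""DNS as a control point: classify resolver queries against a segment-aware policy.

Added example (not the article's, Cisco's or the author's code). The log format,
segment ranges, domain lists, entropy threshold and sample lines are assumptions.
"""
import ipaddress
import math
from collections import Counter
from dataclasses import dataclass

# Assumed network segments: OT networks get a tighter policy than IT networks.
SEGMENTS = {
    "ot": ipaddress.ip_network("10.10.0.0/16"),
    "it": ipaddress.ip_network("10.20.0.0/16"),
}

# Assumed approved supplier/service domains per segment. Least privilege applied
# to name resolution: OT hosts may only resolve what their vendor service needs.
ALLOWED = {
    "ot": {"updates.vendor-example.com", "ntp.example.internal"},
    "it": {"updates.vendor-example.com", "ntp.example.internal",
           "mail.example.com", "www.example.org"},
}

# Assumed baseline of domains previously observed in the IT segment. Anything
# outside the allowlist and this baseline is "newly observed" and worth review.
BASELINE = {"cdn.example.net"}

# Constructed sample resolver log: "<timestamp> <client_ip> <qname> <qtype>"
SAMPLE_LOG = """\
2021-07-12T10:00:01Z 10.10.4.7 updates.vendor-example.com A
2021-07-12T10:00:02Z 10.10.4.7 www.example.org A
2021-07-12T10:00:03Z 10.20.9.3 cdn.example.net A
2021-07-12T10:00:04Z 10.20.9.3 k3j9x2q8v7m1zz4p.example-dynamic.net A
2021-07-12T10:00:05Z 10.20.9.5 new-partner-portal.example.com A
2021-07-12T10:00:06Z 192.168.1.50 www.example.org A
"""


@dataclass
class Decision:
    client: str
    segment: str
    qname: str
    verdict: str  # "allow", "review" or "block"
    reason: str


def segment_for(client_ip: str) -> str:
    """Map a client address to its segment, or 'unknown' if it fits none."""
    addr = ipaddress.ip_address(client_ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def shannon_entropy(label: str) -> float:
    """Bits per character of a hostname label; random-looking labels score high."""
    if not label:
        return 0.0
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def evaluate(client_ip: str, qname: str, entropy_threshold: float = 3.5) -> Decision:
    """Apply the segment policy to one query and return the decision."""
    seg = segment_for(client_ip)
    name = qname.rstrip(".").lower()
    if seg == "unknown":
        return Decision(client_ip, seg, name, "block", "client outside any known segment")
    if name in ALLOWED[seg]:
        return Decision(client_ip, seg, name, "allow", "on segment allowlist")
    if seg == "ot":
        return Decision(client_ip, seg, name, "block", "OT segment is allowlist-only")
    first_label = name.split(".")[0]
    if len(first_label) >= 12 and shannon_entropy(first_label) >= entropy_threshold:
        return Decision(client_ip, seg, name, "block",
                        f"high-entropy label ({shannon_entropy(first_label):.2f} bits/char)")
    if name in BASELINE:
        return Decision(client_ip, seg, name, "allow", "previously observed domain")
    return Decision(client_ip, seg, name, "review", "newly observed domain")


def evaluate_log(log_text: str) -> list:
    """Parse the assumed log format and evaluate every query in it."""
    decisions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, _qtype = line.split()
        decisions.append(evaluate(client, qname))
    return decisions


def summarize(log_text: str) -> Counter:
    """Count verdicts over a whole log, e.g. for a daily review dashboard."""
    return Counter(d.verdict for d in evaluate_log(log_text))


if __name__ == "__main__":
    for d in evaluate_log(SAMPLE_LOG):
        print(f"{d.verdict:6} {d.segment:7} {d.client:14} {d.qname:40} {d.reason}")
    print(summarize(SAMPLE_LOG))
```

Running the block over the constructed log yields two allows (the vendor update host from OT, the baseline CDN from IT), one review (a partner portal the IT segment has never resolved before, which is exactly the kind of new supplier relationship the program should be tracking) and three blocks (an OT host reaching outside its allowlist, a random-looking hostname, and a client from an address range that belongs to no defined segment). The entropy check is a coarse heuristic and the threshold would need tuning against real traffic; the point of the example is the shape of the policy, not the numbers.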

Attacks against supply chains are likely to continue, but there are steps organizations can and should take now. Cyber supply chain management should not be a mystery; it should be a well-defined and methodical approach of process and technology to help mitigate risk.

About the Author


Steve Caimi is an Industry Solutions Specialist at Cisco Secure who helps organizations efficiently and effectively manage their cybersecurity programs and achieve compliance goals. He advocates a risk-based approach based on industry standards and best practices that guide organizations to the improvements that matter the most.

Prior to joining Cisco, Steve held various product management, engineering, and solution architecture positions at HP Enterprise Security, CA Technologies, UUNET Technologies, and Citigroup. He earned a Master of Business Administration from Virginia Tech and a Bachelor of Science in Electrical Engineering from Penn State University. He is also a Certified Information Systems Security Professional (CISSP).
