NIST offers providers tips for protecting complex cyber supply chains
The National Institute of Standards and Technology is offering strategies for healthcare organizations and other industries to better secure their cyber supply chains.
NIST computer security experts have compiled a set of risk management techniques into a guidebook, available here.
The guidebook offers approaches for addressing the cybersecurity issues posed by modern information and communications technology products, which are built from components and services supplied by third-party organizations.
The nature of these devices and systems makes them difficult to secure effectively against malware, placing manufacturers, service providers and end users at risk, according to Jon Boyens, one of the report's authors at NIST.
“The seed of the problem is that everything is interconnected today,” he explains. “Products are very sophisticated, and with a globalized economy, companies often outsource the tasks of developing components and code to other companies, involving multiple tiers of suppliers.”
The cyber supply chain is a complex network of connections that includes a device's microchips and internal code, its supporting software, and the other companies that have access to its components. “Put them all together and it can be a daunting task to anticipate every system weakness that an adversary might exploit,” Boyens notes.
The bottom line, according to NIST, is that supply chains are a frequent and favorite target for hackers and a big headache for those attacked. For example, an attack in late 2018 known as Operation ShadowHammer was estimated to affect as many as one million users.
The NIST report on supply chain cybersecurity includes a 27-page section that presents eight key practices, informed by case studies, that have proven effective. These practices include establishing a formal risk management program in close collaboration with key suppliers. Each case study comes with recommendations and guidance from the authors on how to apply the practices it illustrates.
The case studies and a summary of findings are available here.