Lesson 2.4 Supply chain risk management considerations.
In this lesson, the objectives are: one, learn what supply chain risk management is and how it impacts cybersecurity and IR; and two, identify threats, risks and vulnerabilities associated with the supply chain.
Supply chain risk management is defined here as the discipline that addresses the threats and vulnerabilities of commercially acquired information and communications technologies, and that definition is from MITRE.
So we're going to talk very briefly in this lesson about how supply chain risk management applies to IR, some things you should be aware of when you're doing your IR planning, and how supply chain risk management can fit into the whole incident response life cycle.
On the slide, you see a graphic from NIST SP 800-161 that talks about things specific to the supply chain.
On the left-hand side, you see the threats. Here are some examples of threats within the supply chain.
From an adversary: insertion of counterfeits. There are organizations and government agencies out there that have full-time people who reverse engineer the products they receive. For example, they'll take an order of 100 Cisco switches and take apart a couple of them out of that order.
They'll make sure there's no implanted hardware that's capturing the data and sending it to a different country, and that there are no other counterfeit components inside.
There have been a lot of stories of this kind of thing happening where the buyer didn't have a known supplier, or that supplier was getting counterfeit parts from fake businesses or criminal enterprises and selling them as legitimate. So being able to inspect circuit boards, components and things like that can identify this.
Tampering or theft can be another problem, as can the insertion of malicious software: as I mentioned, some sort of internal compromise of the device where the firmware has malware as part of it.
Other, non-adversarial threats are natural disasters and poor quality in products.
Poor quality is not the result of an attack, but it certainly can impact the organization and is a threat: maybe a device doesn't stand up to the bandwidth requirements it claimed it could, and that impacts the ability to do IDS/IPS monitoring and prevention of malicious signatures and things like that, because it can't handle the throughput.
Poor practices in engineering, manufacturing, acquisition and management are also threats.
On the right-hand side, you see the vulnerabilities. These are weaknesses in the supply chain, weaknesses in the entities in the supply chain, or dependencies on power and telecom. A vulnerability could be that you get one really important component from a very small business, and that business has no disaster recovery plans and no COOP (continuity of operations) plan.
They're susceptible to all sorts of problems because of, maybe, where that business is physically and geographically located. That could be a vulnerability in the supply chain.
Internal vulnerabilities can include weaknesses in information systems and components, organizational policies and processes, maybe a lack of governance or poorly written procedures.
You take those threats and vulnerabilities and you go down to the likelihood: what's the probability of a threat exploiting the vulnerability?
On the adversarial side, an example is what's their capability and intent. Maybe they have discovered that the Palo Alto firewalls you use are vulnerable to an exploit that we know our adversaries are currently using.
On the non-adversarial side, what's the likelihood of occurrence based on history? Do we know? Take that small business I mentioned, which is in a poor location in the country as far as natural disasters go: maybe they're susceptible to tornadoes or things like that, and they also have no backup plans whatsoever if they get hit by one, although in the last 10 years it has never actually happened.
Those are things to think through as well. Then there's the impact. So you have the likelihood, and then what's the impact? This should look familiar to you because it's what we went over with the risk register.
If it does happen, how is it going to affect you? What's the impact to the mission or the business from data loss, modification or exfiltration, from unanticipated failures or loss of system availability, or from the unavailability of components?
If you've identified that you need a really important piece of manufacturing equipment for your business, but it comes from an unreliable source, then you might have some additional impacts to the organization if the risks you've identified actually were to happen.
When you boil all of this down, it's your overall risk to the organization, and that's where you come up with your risk mitigation strategies.
Do you simply accept that risk? Do you come up with a way to mitigate it? Do you transfer it to somebody else through insurance or other means?
Those are the conversations you have to have at the executive level. I just wanted you to get an idea of supply chain risk management and to think through it from a cyber perspective. Most places can't afford to have someone reverse engineer every fifth switch on their network, or look at the routers or the computers they're buying.
Because of that, you may have to think about how it would impact your organization if something was found to be counterfeit. But also: who are your suppliers, and is there any type of vetting that goes on? Do you just allow people to buy things off eBay? I've seen that before. Do you allow people to use their personal computers on the corporate network? Do you allow people to buy used equipment from different vendors?
Think through that from a risk perspective: what are all the possible things that could happen, and is it something worth being worried about? Supply chain is a huge issue, especially for organizations that buy a lot of things from external parties, and making sure you can follow the chain of supply from the manufacturer all the way to you is really important, especially for components that are critical to the organization.
Quick question here: what is not a threat associated with supply chain risk management? Misconfiguration of a device, insertion of malware, or counterfeit devices?
The answer is misconfiguration of a device. That may be a vulnerability and leave you open to something, but it's not a threat; it's not an action taken against you. Insertion of malware and counterfeit devices would both be considered threats, whereas misconfiguration would be considered a vulnerability.
In summary, we looked at why supply chain risk management is important and how it impacts cybersecurity and IR, and how to identify threats, risks and vulnerabilities associated with the supply chain.