The US National Institute of Standards and Technology (NIST) has updated its guidance on supply chain cybersecurity.
The revised publication, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, gives organizations key practices to adopt as they manage cybersecurity risks across their supply chains. In particular, it advises organizations to consider vulnerabilities in the components of a finished product they are considering using, and not just of the product itself. This includes the journey those components took to reach their destination.
The update comes amid surging supply chain attacks, highlighted by recent high-profile incidents like SolarWinds and Kaseya. Last month, research from the NCC Group found that supply chain attacks on global organizations increased by 51% in H2 2021.
The publication was created as part of NIST’s response to President Joe Biden’s executive order 14028: ‘Improving the Nation’s Cybersecurity,’ which included new security requirements for suppliers of software to the federal government.
The guidance is primarily aimed at acquirers and end-users of products, software and services. It aims to help these organizations build cybersecurity supply chain risk considerations and requirements into their acquisition processes.
One of the publication’s authors, Jon Boyens, explained: “Managing the cybersecurity of the supply chain is a need that is here to stay. If your agency or organization hasn’t started on it, this is a comprehensive tool that can take you from crawl to walk to run, and it can help you do so immediately.
“A manufacturer might experience a supply disruption for critical manufacturing components due to a ransomware attack at one of its suppliers, or a retail chain might experience a data breach because the company that maintains its air conditioning systems has access to the store’s data-sharing portal.”
Commenting on the update, Trevor Dearing, EMEA director of critical infrastructure at Illumio, said: “It is encouraging to see NIST releasing updated guidance acknowledging the increase in cyber-attacks targeting the supply chain and the consequent necessity to bolster the supply chain’s cybersecurity.
“We can no longer turn a blind eye to the exponential increase in attacks on the IT systems of manufacturers, logistics companies and organizations that ultimately target the operational part of the business. The truth is threat actors have realized they can increase efficiency and profitability by compromising a single product knowing it will have an impact downstream on companies who use it.
“Moreover, attacks that disrupt the logistics or manufacturing process can have immediate real-world impacts, further increasing the likelihood any ransom demands will be met as organizations flounder to get critical systems back up and running. The result is that supply chain attacks have increased with a vengeance.”