Management, compliance & auditing

Cyber Security Risks in Supply Chain Management – Part 2

Security Ninja
March 16, 2015 by
Security Ninja

In Part 1 of this article series, I discussed various risks involved in supply chain management with the latest example of a malicious adware named "Superfish" installed by default in Lenovo notebooks. In this part, we will learn how we can control all the inherent cyber risks in supply chain management with the proper strategy.

The below section will illustrate the strategy that organizations should adopt in order to minimize the cyber risks in Supply Chain Risk Management.

Establish Supply Chain Context

The first thing that all organizations should follow is to build up the context for the supply chain. This will help organizations to be clear about the environment in which their supply chain works, what are all the products in use, and what is the connectivity with the outside world, because a less secure path could lead to attacks. It is very important to understand how a particular product is connected to the outside world, and on that basis the various security layers should be decided. Another important factor to look out for is to understand the users who will use the end product of the supply chain. This is an important aspect to look out for because internal users might be aware of best security practices like password management or if the user is a public user where the risky behaviour should be taken into account. Taking these three elements into consideration will provide some context on the risk and impact of a compromising event. This context will, in turn, help establish the level of risk management activity you need to employ when managing the supply chain.

Evaluate Product Life-Cycle

After establishing the supply chain context, the next step which organizations should do is to evaluate the supply chain product life cycle. For example, laptop computers which are usually shipped in with various software and underlying hardware have to be assembled in different locations which will give multiple entry points in the supply chain, thus increasing the threat footprint in the supply chain. Consider the Apple iPhone supply chain, where Apple directly manages sub-component suppliers from design through assembly. Although this supply chain reduces the number of entry points for tampering, it may be easier for an adversary to target specific suppliers.

Another important aspect which organizations should follow is to consider the procurement strategy. Distributors and suppliers can actually increase the cyber risks in the supply chain; for example, how suppliers purchase their components can be a factor in evaluating risks involved in the supply chain. Thus, the procurement practices of every participant in the supply chain can have a profound impact on the risk of a compromised product entering the supply chain.


After establishing the supply chain context and evaluating the product life cycle, the underlying cyber risks will be clear. So now organizations should look out for steps to reduce risk of exposure and provide a more secure system. The very first step in doing that is to map the players in the supply chain, their location, components of supply chain under their control, and if needed, to identify the contract manufacturer. After mapping the supply chain with all the end points, now the actual risks should be identified in the supply chain. Risks can be discovered w.r.t to geographical locations for counterfeit productions, inadequate procurement processes, or products that use insufficiently tested code.

After identifying risks, the next step is to control the risks. Risks should be controlled by reducing the impact, transferring the risks to another party, or accepting the risk and preparing a response plan. The response plan will depend totally on the risk tolerance accepted while identifying risks. Risk control and treatment activities must fit with products in the supply chain. Risk management is a collaboration activity among all players involved in the supply chain. One general action that organizations should take is to have better specifications for the products. Better specifications will help in eliminating any lower grade alternatives from the supply chain and ensuring the product arrives with the security features.

Though maintaining risks totally depends on the type of supply chain, there are some standards like Open Group (Open Trusted Technology Provider Standard [O-TTPS]), ISO (Draft ISO/IEC 27036—Information Technology— Security Techniques–Information Security for Supplier Relationships), and Software Assurance Forum for Excellence in Code (SAFECode) (Software Integrity Framework and Software Integrity Best Practices) that organizations can look up to, but it should be kept in mind that these standards are pre-defined, and organizations have to adjust the guidelines to get the needed level of risk management.

Staying Vigilant

Establishing context for the supply chain followed up by evaluating product life cycle and controlling/treating risks. Organizations should always be vigilant to look out for new cyber risks, especially in short product life cycles. The best way to be vigilant is to establish a management process to review supply chain cyber risks on a continuous basis and keep working to enhance the supply chain process. A secured supply chain can reduce the cybersecurity burden on the network operators.

Thus, as we have seen in the above lifecycle, the supply chain can be secured if there is a clearly defined process and a check at all stages and over all the players involved and at all the entry/exit points of the supply chain.


Security Ninja
Security Ninja