Supply chain cybersecurity is becoming critical as the risk of vulnerabilities threatens integrity, as detailed in The Industrial Supply Chain Cyber Security Conundrum. Securing the supply chain is a major way to respond to catastrophic cyber risks.
Securing the supply chain of critical and sensitive cyber components is one of the major and strategic ways to respond to catastrophic cyber risks to the energy, communications, and financial services sectors, a report by the U.S. President’s National Infrastructure Advisory Council (NIAC) said.
The report came after the NIAC examined how the federal government and private industry could collaborate seamlessly to confront urgent cyber risks in the most critical and highly targeted private infrastructure.
To secure the supply chain of critical cyber components, it remains essential to provide liability protection to allow blacklisting and whitelisting of critical cyber products used in private critical infrastructure, similar to the authority provided for the nuclear industry and to the Department of Energy’s (DOE) enhanced procurement authority.
It is also essential to continue and expand programs at the DOE’s national laboratories and other ongoing initiatives to independently test vendor equipment for vulnerabilities and report the results to private companies, the NIAC report said.
Supply chain cybersecurity refers to efforts to enhance cybersecurity within the supply chain of a product or device. It is a subset of supply chain security and is focused on the management of cybersecurity requirements for information technology systems, software and networks, which are driven by threats such as cyber-terrorism, malware, data theft and APTs. This is usually done by using best practices and industry-compliant methods.
The international supply chain used by hardware, software, and service providers sometimes allows nation-states to introduce components and malware into digital equipment used in critical infrastructures.
These types of compromised components could provide adversaries with a foothold into company networks and systems that allows them to map, control, and ultimately disrupt or destroy critical functions. Adversaries could use these compromised networks to hatch malicious conspiracies and plan heinous attacks, according to experts.
“Under the National Defense Authorization Act for Fiscal Year 2014, the Secretary of Energy has the authority to use classified threat information to end contracts or eliminate companies from contract competitions without providing ‘cause’ if it is based on classified information and, to our knowledge, the DOE has yet to use this authority,” the report said. This could essentially mean that the DOE has never terminated any contracts for cybersecurity reasons.
Currently, the federal government has supply chain risk management practices and standards required for federal procurement. Similarly, voluntary efforts and initiatives to improve supply chain security of information and communications technology also exist. However, the report stated that voluntary standards and leveraging federal guidelines were not enough to protect the most highly targeted and at-risk companies.
The ability to share information on components, whether about known issues or whether a company can vouch for their security, would be a step toward helping companies shore up security within the supply chain, the report stated.
Current laws and regulations do not adequately support this type of information sharing between companies, the NIAC report added. Existing reporting requirements for cyberattacks are not supply-chain specific and do not appear to limit the liability of an entity reporting information.
The NIAC also said that it supports the ongoing initiatives by DOE’s national laboratories and encourages the federal government’s role in the independent testing and validation of vendor equipment.
The report also said bold action was needed to prevent the dire consequences of a catastrophic cyberattack on energy, communication, and financial infrastructures.
“Escalating cyber risks to America’s critical infrastructures present an existential threat to continuity of government, economic stability, social order, and national security. WE NEED TO ACT NOW,” the report said.