James Steidl - Fotolia
Cyber breach is the top IT audit risk for 2021, according to a recent survey by Protiviti and ISACA, "IT Audit Perspectives: Top Technology Risks in 2021." That risk has been realized in early 2021 with the SolarWinds attack. One key takeaway from this attack is the need to broaden our approach to third-party vendor information technology and security risk management.
Supply chain risk management incidents
The technology field relies on a complex, globally distributed and interconnected supply chain and ecosystem that is geographically diverse and consists of multiple tiers of outsourcing. The supply chain contains many risks that may include counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware and possible poorly manufactured or developed products. Threats and vulnerabilities created by malicious actors (individuals, organizations or nation-states) are often sophisticated and difficult to detect and pose a significant risk to organizations. In October of 2018, Bloomberg Businessweek published an article, "The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies." The article detailed a tiny microchip on the servers' motherboards that wasn't part of the boards' original design, noting that U.S. investigators found "the chips had been inserted during the manufacturing process." This seems to be a perfect opportunity for a supply chain attack.
Whether we know the full truth of the aforementioned incident, we cannot deny U.S. businesses rely heavily on third-party suppliers and vendors, contractors and outsourced teams, service providers, alliance partners and subsidiaries. This includes SaaS, PaaS and IaaS. The risk of disruptions from the standpoints of regulatory and legal, reputational damage/impact, financial and operational/business is still the responsibility of the organization.
Regrettably, information security and supply chain security risk management practices have solely concentrated on vendors that are one tier away from the organization. This practice often does not consider the vendors of those vendors, and who are their vendors, and so on, until you reach the beginning of the supply chain. The pandemic has further underscored the urgency of strengthening supply chain resilience and continuity.
Establishing more robust supply chain security risk management
Information security and risk management teams need to think beyond third party and vendor risk management to a more comprehensive approach of supply chain risk management. NIST Special Publication 800-161 offers insights and best practices for supply chain risk management. Supply chain risk management builds on existing standardized practices across many existing risk practices and disciplines. It also requires cooperation and collaborative relationships within all areas in the organization.
The first step to doing a risk assessment of the supply chain is to establish a baseline of current vendors through a criticality analysis. This is similar to current risk practices of identifying the mission-critical functions and associated systems and components (hardware, software and processes). The outcome of the updated criticality analysis needs to be narrowed and prioritized. Depending on the size of your organization, this may be best accomplished by:
- reviewing system architecture based on the key business processes;
- performing a dependency analysis and assessing each of the components that support that key business process; and
- reviewing each system and component for where they are manufactured or developed, understanding both the physical and logical delivery paths.
The next step is to perform a vulnerability analysis. This should look for weaknesses in both systems and components. NIST suggests the principal vulnerabilities to identify are:
- Where in the supply chain is the potential to allow malicious actors to gain information about the system and ultimately introduce components (hardware, software and firmware) that could cause the system to fail?
- Where in the supply chain could malicious actors be granted access to trigger a component malfunction or failure during operations?
- Where are the dependencies on supporting or associated components that might be more accessible or easier in the supply chain for malicious actors to subvert those components that directly perform critical functions?
This all needs to be calibrated in context of the likelihood of damage being inflicted. If the supply chain is compromised, what is the likelihood that the system or component could increase the risk of intellectual property theft or the insertion of malicious code? The threat scenarios that are formulated need to consider all threats, both internal and external. Try to anticipate all the possible ways that a product or service could be misused or abused. Be sure to address all intended and unintended scenarios in the design and architecture, such as:
Hostile cyber and physical attacks either to the supply chain or to information system components traversing the supply chain, including:
- human errors
- geopolitical disruptions
- economic upheavals
- natural or man-made disasters
Next, focus on impact. How will this affect the organization's operations, assets or employees? How would a loss affect the confidentiality, integrity or availability of the organization's systems? Potential impacts may also be understood through reviewing historical data from within the organization or peer organizations. Evidence of a supply chain failure may already be evident within your organization -- for example, a counterfeit part may be causing premature failure of a component. Has a critical part been repeatedly replaced?
When the critical analysis is complete, filter the results once again through the lens of the organization's risk tolerance measures. Establish the assumptions, constraints, priorities and tradeoffs that define the risk appetite for an organization.
Create a plan to mitigate or monitor the risk. Prepare the appropriate course of action for responding to the risk. Sometimes it is appropriate not to take action and to instead monitor the activities and behavior to better understand the tactics to attribute to the risk activities. Monitoring, however, is not a passive activity. The criteria must be established for specific triggers that would cause the organization to change to risk mitigation strategies.
Review the results with decision-makers and senior leadership describing the monitoring and enforcement activities. This information should be presented in a manner appropriate to inform and guide risk-based decisions. This will allow decision-makers to finalize appropriate risk response based on the set of options along with the corresponding risk factors for choosing the various options.
Arguably there is a balance between supply chain risk management and the benefits and cost of mitigation. An important first step is to look across the organization for current activities such as vendor acquisition requirements, supplier self-assessments, vendor management activities and third-party assessments. These activities may not address all the specific needs in a supply chain risk assessment. It may, however, inform critical risks to system architecture based on the key business processes, and hence, may be the best place to start.
About the author
Pamela Nigro, CISA, CRISC, CGEIT, CRMA, is an ISACA board director and vice president of information technology and security officer at Home Access Health Corporation. Nigro is experienced in governance, risk, compliance and cybersecurity focusing on the healthcare and insurance industries. She is a recognized subject matter expert in HIPAA, HITRUST, SOC 1, SOC 2, Sarbanes-Oxley (NAIC-MAR) and IT/cybersecurity controls and risk assessments. Nigro is also an adjunct professor at Lewis University, where she teaches graduate-level courses on information security, ethics, risk, IT governance and compliance and management of information systems in the MSIS and MBA programs.