The latest version of the NIST Cybersecurity Framework (v1.1) was released in April 2018. It consists of 108 subcategories, and one notable addition is the Supply Chain Risk Management category (ID.SC), whose 5 subcategories address Technology Supply Chain Risk. For many organizations, especially those in the SMB space, addressing Supply Chain Risk has been a somewhat abstract concept.
While conducting assessments using the NIST CSF, clients would smile a bit when these questions came up. When maturing a Cybersecurity practice, we tend to think tactically, in terms of technical controls such as configuration management, patching, and perimeter protections; policy and governance usually make up the strategic part of the journey. The idea that the technology supply chain could be disrupted, and that this disruption could in turn affect your business, might seem outside the scope of a Cybersecurity assessment. It is not an unimaginable scenario for most, but classic risks such as malicious hackers, insider threats, and ransomware dominate our thoughts. In risk management terms, we are drawn to risks with a high likelihood. Risks with a very low likelihood remain outliers because the chances of them happening are, well, low, even when their impact would be severe.
The global economy has become more intertwined over time, and the nations of the planet now act as the "functions" of one large organization: engineering conducted in India, design in the United States, and manufacturing in China, for example. A major incident or disruption to one of these functions can disrupt the entire process. The likelihood of this happening is low, but the impact is high. Where practices such as "just in time" manufacturing and limited stock dominate, supply chain risk has the potential for its largest impact.
Enter COVID-19
The beginning of 2020 has ushered in a new virus that has had a devastating impact on the people and economy of China. Centered on the city of Wuhan, the outbreak has led to the quarantine of a large number of people, which in turn has affected the global supply chain for many industries, including technology and healthcare. There are stories that supplies of everyday items ranging from hockey sticks to video games have been impacted.
As of February 2020, there have been reports that many companies supplying the U.S. market with technology will have extended lead times to deliver products, due to labor impacts and closures within China. There is not yet a true understanding of the impact on the supply chain, and ultimately on the bottom line, for companies throughout the world. (This is not to say that human lives are not the most critical of the impacts, but we are focusing here on supply chain risk.)
Risk and Business Impact
Cybersecurity risk management needs to include the risks to the supply chain of the technologies you run your business with. Systems that process data or move packets around the network fail from time to time, and spares need to be available. The present situation in China is starting to affect that supply chain: large corporations such as Apple and Samsung are already warning that supply and sales may be affected. The impact of this event, and of potential future events, needs to be assessed, and a strategy devised to mitigate it to an acceptable level. This risk also needs to roll up into the overall risk management program (RMP) and dovetail with the business impact analysis (BIA) for your organization.
Not every company is a multinational entity with business processes that are highly dependent on a global supply chain. If that is the case for your organization, the level of effort spent analyzing this risk can be tailored so that stakeholders feel it is addressed. The goal is to have a plan and a strategy that can be leveraged in the event of the unlikely. Reading through the 5 NIST CSF Supply Chain requirements and coming up with a reasonable response may be enough due diligence for your organization, or it may be the start of a long conversation if the risk is greater than expected. While the NIST CSF requirements focus only on the technology supply chain, they will let you participate in the larger organizational risk conversation. Ideally, a prepared response to these risks should be your desired outcome.