Key Message: Mitigating risks in the global value chain requires a full lifecycle view that encompasses the ecosystem of all participating service providers.
Executive Summary
Organizations “are concerned about the risks associated with information and communications technology (ICT) products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the ICT supply chain. These risks are associated with the organizations’ decreased visibility into, understanding of, and control over how the technology that they acquire is developed, integrated and deployed, as well as the processes, procedures, and practices used to assure the integrity, security, resilience, and quality of the products and services.”
In this podcast, Edna Conway, Chief Security Officer, Global Value Chain at Cisco, and John Haller, a member of the CERT Cyber Assurance team, discuss the global value chain for organizations and critical infrastructures and how this expanded view can be used to improve ICT supply chain management, including the management of risks to the supply chain.
Defining the Global Value Chain
The global value chain is the end-to-end lifecycle that delivers value for tangible and intangible products, for example, electronic software or cloud services.
The value chain stages for an information communications technology company such as Cisco are as follows:
For the information and communications technology industry, some foundational threats include:
Companion exposures include: [1]
Seek to identify risks that focus and limit investment – “doing the right security in the right place at the right time in the right way across the value chain.”
Consider developing a value chain security architecture. Cisco has identified 11 categories or domains that compose this architecture, as follows:
CERT works with the US Department of Homeland Security to assess how US critical infrastructure organizations identify and manage risks to the value chain. The scope is typically the purchase and use of information and communications technology as well as the service relationships with third-party suppliers.
This effort helps in
US defense organizations are very concerned about the unauthorized disclosure of sensitive information, as well as service availability.
It is critical that business leaders understand how technology directly enables the business or mission functions. This is particularly critical if the technology is no longer supported or available, for example, in SCADA (Supervisory Control and Data Acquisition) equipment.
Key Practices to Consider
Before asking about key practices, it is more effective to have practice selection be driven by risk and to consider approaches such as the use of security architecture domains as described above.
Talk to key personnel involved in all aspects of the value chain and leverage the already robust existing operational practices that they are using and knowledge that they have.
Integrate security practices into the value chain stages; don’t try to bolt them on at the end.
Identifying and managing key assets (people, information, technology) are key foundational practices. Others include:
Using a risk-based approach helps align business concerns with the value chain.
ISO 20243 Information Technology -- Open Trusted Technology Provider™ Standard (O-TTPS) -- Mitigating maliciously tainted and counterfeit products
NIST Special Publication 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations
C-TPAT Customs Trade Partnership Against Terrorism
US Department of Homeland Security Cyber Resilience Review (CRR)
The global value chain is an ecosystem, so active collaboration is critical for success.
Resources
[1] Conway, Edna. “Here, There and Everywhere – How to Harness Your Value Chain Security Beast!” RSA Conference 2016.
[2] NIST Special Publication 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, April 2015.