Looking to Secure Supply Chain

Wednesday, December 17, 2014 @ 11:12 AM gHale

The supply chain ends up being the focal point for too many breaches. Your organization may very well be secure, but how about your partners and suppliers?

Hackers just prey on weaker vendors that have remote access to a larger company’s global IT systems, software and networks.

One case in point is the classic 2013 Target breach where the attackers infiltrated a vulnerable link: A refrigeration system supplier connected to the retailer’s IT system. After that breach, all bets were off.

RELATED STORIES
Deploying IPS to Secure ICS
API: ‘Threat is Bad,’ Solutions Available
Dragonfly: Offense in Depth
Dragonfly: Pharma Industry Targeted

But it doesn’t have to be that way. A counter-measure, via a user-ready online portal, is in development by researchers in the Supply Chain Management Center at the University of Maryland’s Robert H. Smith School of Business.

The portal comes from a new management science called “cyber supply chain risk management.” It combines conventionally-separate disciplines cyber security, enterprise risk management and supply chain management.

Funded by the National Institute of Standards and Technology (NIST), the UMD researchers developed the formula, in part, after surveying 200 different-sized companies in various industries.

“We found that, collectively, the cyber supply chain is fragmented and stovepiped, and companies are ill-prepared to sense and respond to risks in real time,” said research professor and center co-director Sandor Boyson, who collaborated on the study and portal design with faculty-colleague/center co-director Thomas Corsi, research fellow Hart Rossman and UMD-Smith CIO Holly Mann. “Just half of our subjects used an executive advisory committee such as a risk board to govern their IT-system risks.”

The findings ended up published in a study entitled “Cyber supply chain risk management: Revolutionizing the strategic control of critical IT systems.”

The researchers leveraged the study into the portal. Companies can log on cost-free, and track developing threats, plus map their IT supply chains and anonymously measure themselves against industry peers and NIST standards.

The benchmarking covers operations and allocating for cyber insurance via separate functions:

A self-evaluation exercise shows a company’s structure for cyber protecting the supply chain. For example, users reply to: “To what degree is your CIO and-or IT shop isolated from, or collaborative with, your supply chain specialists who actually procure the hardware and software for your IT system?”

A special formula measures the risk levels of each company asset. The Common Vulnerability Scoring System — standard for analyzing software systems – can analyze the entire range of assets connected to the cyber supply chain.

Firms can compare corporate disclosures, exposures and vulnerabilities to those of peer companies via an insurance-risk analysis framework provided by The Willis Group. The global insurance broker’s database of aggregated SEC-reported cyber attacks — mandated for public companies — supports this tool.

The portal is scalable. About 150 various-sized companies have completed at least one or more of the functions. Fifteen of those firms completed all three assessments and represent industries including high-tech aerospace manufacturing, telecommunication, real estate, and medical and professional services.

“The portal helps individual organizations understand their risk and how they can better manage it. This bolsters the resilience and security posture of the entire ecosystem of the U.S. economy,” said Jon Boyens, senior advisor for information security in NIST’s computer security division. “While this ecosystem has evolved to provide a set of highly refined, cost-effective, reusable products and services that support the U.S. economy, it has also increased opportunities for adversaries and made it increasingly difficult for organizations to understand their risks.”



Leave a Reply

You must be logged in to post a comment.