The information and communications technology supply chain is a vast network of globally interconnected suppliers, vendors, and contractors that turn raw materials into an end product, usually computer hardware and software solutions.
Due to its nature, this industry is no stranger to cybercriminals, who work to exploit any weak link in the supply chain. For this reason, organizations need to protect their systems and data by implementing rigorous cybersecurity compliance programs as a means of combatting vendor negligence.
In this article, we will discuss some critical aspects of supply chain risk management for information and communication technologies organizations.
Unique Vulnerabilities in Information and Communications Technology
Cybercriminals exploit vulnerabilities as an entryway to different information and communication technology (ICT) companies. These vulnerabilities can allow criminals to steal data, disrupt operations, or even take control of systems, so it is essential for organizations to be aware of the vulnerabilities and take steps to mitigate risk.
Storage of Sensitive Customer Data
ICT suppliers store sensitive customer data, such as credit card or Social Security numbers, in their databases. This data is often transmitted across the internet and stored on remote servers. If it is not encrypted, criminals can easily access it.
Additionally, the transmission of this data worldwide can create further vulnerabilities, increasing the chances of being compromised.
There are many attack vectors that criminals can use to exploit a company’s infrastructure:
● Attacking the systems that store sensitive data
● Infecting systems with malware
● Compromising the networks that connect the systems
Contending with Multiple Types of Third-party and Supply Chain Risk
The challenge for businesses is to assess and monitor their exposure to espionage, sabotage, and other interference efforts from foreign adversaries—often referred to as Foreign Ownership, Control or Influence (FOCI) risk.
FOCI risk is more than a national security concern. It can also impact individual companies, government agencies, and the global ICT supply chain.
For instance, Chinese subcontractors planted malicious chips onto semiconductors and equipment like server motherboards used by a US telecom firm. North Korea also hacked the Bangladesh Central Bank using fraudulent orders on SWIFT payment systems.
Furthermore, many businesses do not have the resources to thoroughly investigate the security practices of their suppliers and service providers. As a result, companies often rely on the perceived trustworthiness of an organization when deciding which suppliers to work with. However, this trust can be exploited by foreign adversaries who may attempt to infiltrate a business through its services supply chain.
Organizations must have a robust security posture, third-party risk management, and supply chain resilience to closely monitor their systems and networks for any signs of compromise. This can be difficult because businesses must first understand the taxonomy of their suppliers and subcontractors and the complex relationships among them.
They must also work with their third-party suppliers to ensure that all components used in their systems are secure and have been vetted for potential risks.
Determining Over-reliance to Diversify
An organization’s cybersecurity is only as strong as its weakest link. If an organization’s supply chain is concentrated in one geographic area or country, it increases the risk of a cyberattack. If malicious actors compromise a supplier, they can access the organization’s systems and critical infrastructure.
Over-reliance can also lead to disruptions in the supply chain if there is an incident in the geographic area or country where the supply chain is located.
One way to mitigate the risk of over-reliance on a single supplier is to diversify the ICT supply chain, for example by sourcing materials from multiple suppliers or manufacturing products in several locations.
By diversifying the ICT supply chain, companies can protect themselves from disruptions and ensure that ICT products are available when and where they are needed.
The Cybersecurity Executive Order (Executive Order 14017)
EO 14017 responds to the growing number of cyberattacks against government agencies, critical infrastructure, and other companies. It is meant to help the United States government and the private sector work together to better protect themselves from these threats, and it serves as another solid approach for addressing the various third-party risks in America’s supply chains.
According to this 2021 White House announcement, the Federal Government contracts with the private sector, specifically Information Technology (IT) and Operational Technology (OT) service providers, to conduct various day-to-day functions on Federal Information Systems. These IT service providers, including secure cloud providers, have unique access to and insight into cyber threats and incident and threat information on Federal Information Systems spanning various government networks.
At the same time, current contract terms may restrict the sharing of cyber threat or incident information with the executive departments and government agencies responsible for investigating or remediating cyber incidents, such as the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and other elements of the Intelligence Community (IC).
The EO removes these contractual barriers and increases the sharing of information about cyber threats, cybersecurity incidents, and risks.
The Director of the Office of Management and Budget (OMB), in consultation with the Secretary of the Department of Defense, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence, reviewed the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement contract requirements and language for contracting with IT and OT service providers.
With this EO, the private sector can expect the following:
● Modifying contract language to reflect new guidance from the National Institute of Standards and Technology (NIST) and Cybersecurity and Infrastructure Security Agency (CISA). If your company cannot accept the modification, you will not be able to participate in the Federal Government’s procurement process and sell software products.
● The US General Services Administration (GSA) will provide updates on all significant developments.
● Continued guidance from OMB to enhance software supply chain security.
● Future updates to the Federal Acquisition Regulation (FAR).
Cybersecurity to Prevent and Detect Attacks from Malicious Actors
Supply chain cybersecurity is essential for preventing and detecting attacks from malicious actors. Organizations can reduce their vulnerability to attacks by monitoring and securing networks and fortifying their supply chain security.
By tracking and investigating cyber incidents, organizations can improve their ability to respond to attacks and protect critical supply chains.
Gain Knowledge of Your Supply Chain
ICT supply chains have come under increased scrutiny in recent years as our reliance on technology has grown exponentially. The simple truth is that we cannot afford to be blind to the vulnerabilities of our ICT supply chains. We can identify potential risks and develop mitigation strategies by thoroughly understanding our ICT supply chains.
This includes understanding the sources of raw materials, the various stakeholders involved in procurement and product life cycle, partnerships, the manufacturing process, and the distribution channels.
Exiger’s Supply Chain Explorer is a tool that provides a detailed view of a company’s supply chain. It allows companies to identify potential risks and take steps to mitigate them. Contact us to request a demo or access a trial.
Implementing an Effective Software Risk Management Strategy
A few key risk management aspects should be considered when implementing a strategy around software. Your organization can help protect its systems and data from cybercrime by taking the following steps.
Monitoring for the Most Critical Risks in Supply Chains
Monitoring your ICT supply chain is essential to understand where you may be most exposed across the enterprise.
ICT supply chains are increasingly complex, often spanning multiple countries and involving many suppliers. This can make it difficult to monitor where ICT products and services are being sourced and identify potential risks.
It is essential to clearly understand the ICT supply chain and monitor where ICT products and services are sourced. This will help to identify potential risks and enable organizations to take steps to mitigate these risks.
Log4j is a Java logging framework that is widely used in Java applications. In December of 2016, a vulnerability was discovered in Log4j that could allow an attacker to execute code on the system. This vulnerability was quickly patched, but it highlights the importance of monitoring vulnerabilities in ICT products and services.
The Log4j vulnerability demonstrates how a cyber threat can impact an organization’s supply chain and how important it is to monitor for these threats. If a vulnerability is not identified and addressed, it can lead to a costly breach like those that followed the Log4j disclosure.
Additionally, monitoring your ICT supply chain can help ensure that your assets comply with all relevant regulations. By understanding your exposures and risks, you can make informed decisions about how to protect your ICT assets and infrastructure.
Rigid Structures Around Open Source Software to Ensure Risks Don’t Evolve
Organizations should continuously audit their software for risks, even if that software has been previously audited. Threats can evolve, so it’s essential to go back and check every piece of open-source software in use to ensure that no new vulnerabilities have been introduced. Doing this will help the organization protect itself from cybercrime and other malicious activities.
To continuously audit your software, you must have rigid structures and processes. This includes having a dedicated working group of security professionals responsible for regularly auditing the organization’s software supply chain.
Additionally, you need to have a system to track all changes made to the software over time. This way, you can quickly identify any new risks that may have been introduced.
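As an added example (not Exiger’s product or code from this article), the following Python script shows the kind of change-tracking the steps above call for: it diffs two snapshots of an application’s open-source component inventory and checks the newer one against an advisory list. The inventory contents, advisory IDs, and affected version ranges are constructed placeholders, not real CVE records.

```python
# Added example, not Exiger's own tooling: compare two snapshots of an
# open-source component inventory, report what changed, and check the new
# snapshot against an advisory list. All sample data below is constructed.

def parse_inventory(text):
    """Parse 'name==version' lines (constructed format) into {name: version}."""
    inventory = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, version = line.partition("==")
        if sep:  # skip malformed lines rather than guessing a version
            inventory[name.strip()] = version.strip()
    return inventory

def version_key(version):
    """Numeric sort key so that 2.9 < 2.14 (plain string compare gets it wrong)."""
    return tuple(int(part) for part in version.split("."))

def diff_inventories(old, new):
    """Return (added, changed, removed) between two inventory snapshots."""
    added = {n: v for n, v in new.items() if n not in old}
    removed = {n: v for n, v in old.items() if n not in new}
    changed = {n: (old[n], new[n]) for n in old.keys() & new.keys() if old[n] != new[n]}
    return added, changed, removed

def find_vulnerable(inventory, advisories):
    """advisories: {name: (first_affected, first_fixed, id)}; match if first_affected <= v < first_fixed."""
    hits = []
    for name, (first_affected, first_fixed, adv_id) in advisories.items():
        version = inventory.get(name)
        if version and version_key(first_affected) <= version_key(version) < version_key(first_fixed):
            hits.append((name, version, adv_id))
    return sorted(hits)

# Constructed snapshots of the same application's dependency inventory over time.
SNAPSHOT_OLD = "log4j-core==2.14.1\njackson-databind==2.12.3\n"
SNAPSHOT_NEW = "log4j-core==2.17.1\njackson-databind==2.12.3\ncommons-text==1.9\n"
# Constructed advisory feed; IDs and ranges are placeholders, not real CVE data.
ADVISORIES = {
    "log4j-core": ("2.0", "2.17.1", "ADV-PLACEHOLDER-1"),
    "commons-text": ("1.5", "1.10", "ADV-PLACEHOLDER-2"),
}

def audit(old_text, new_text, advisories):
    """One audit run: what changed since the last snapshot, and what is now flagged."""
    old, new = parse_inventory(old_text), parse_inventory(new_text)
    added, changed, removed = diff_inventories(old, new)
    return {"added": added, "changed": changed, "removed": removed,
            "vulnerable": find_vulnerable(new, advisories)}
```

Running `audit(SNAPSHOT_OLD, SNAPSHOT_NEW, ADVISORIES)` reports the upgraded log4j-core, the newly introduced commons-text, and that the new component falls inside a flagged range even though the earlier finding was fixed.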
The bottom line is that open-source software can be a great asset for organizations, but managing the risks is essential. Having rigid structures and processes for information technology, information sharing, and software development can help protect your organization from potential threats.
Illuminate Your Supply Chain Risks with Exiger
While it is impossible to eliminate the risk of a cyberattack, implementing rigorous ICT supply chain risk management can help organizations reduce their exposure and protect their systems and data.
Exiger Supply Chain Explorer is a cutting-edge risk management tool that helps information and communications technology (ICT) companies mitigate supply chain risk. It does this by identifying and analyzing potential weak links in the supply chain so that organizations can take steps to protect their systems and data. Supply Chain Explorer is used by many of the world’s leading organizations, including Fortune 500 companies, government agencies, and financial institutions.
Contact us to request a demo or a trial of Supply Chain Explorer.