How to grapple with supply chain cyberattacks: NIST guidance

The supply chain faces risks on several fronts, including cyberattacks, that imperil inventories of chips and electronic components.

Risks in recent months have included worker shortages at fabs and assembly plants in China, where Covid-19 lockdowns continue. Some shipping companies refuse to carry electronic parts from the U.S. and elsewhere into China.

There are also worries about whether raw materials will be sufficient, made somewhat worse by fears of shutdowns in Europe over Russia’s invasion of Ukraine. Economic embargoes could reduce the energy supplies that production plants depend on.

One of the more insidious risks is cyberattacks, which have drawn the attention of industries and governments worldwide for years. Cyberattacks on supply chains could become more pressing because of actions by hostile states emboldened by the war in Ukraine, U.S. government security officials have warned.

Finished products can be attacked, and so can components that were developed elsewhere and tampered with during delivery.

The U.S. National Institute of Standards and Technology has been at the forefront of making recommendations to help industry and other organizations protect themselves. Over recent years, NIST has developed a set of key practices, which it revised on Thursday in response to an executive order on cybersecurity issued one year ago (Executive Order 14028). The result is a publication to help organizations identify, assess and respond to cyber risks throughout the supply chain at all levels of an organization.

“If your agency or organization hasn’t started on it, this is a comprehensive tool that can take you from crawl to walk to run, and it can help you do so immediately,” said Jon Boyens, one of the NIST publication’s authors.

“A manufacturer might experience a supply disruption for critical manufacturing components due to a ransomware attack at one of its suppliers, or a retail chain might experience a data breach because the company that maintains its air conditioning systems has access to the store’s data sharing portal,” he added.

The 315-page document, NIST Special Publication 800-161 Revision 1, “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations,” includes examples of cybersecurity risks. One example features insiders working on behalf of a system integrator who steal sensitive intellectual property. Another is a person working on behalf of a nation-state who inserts malicious software into supplier-provided product components.

“It may take years for vulnerabilities to be exploited or discovered,” the report says. “Vulnerabilities in the supply chain are often interconnected and may expose enterprises to cascading cybersecurity risks.”

The examples appear to be based on real incidents from recent years, but without company names, dates or locations. “For example, a large-scale service outage at a major cloud services provider may cause service or production disruptions for multiple entities within an enterprise’s supply chain and lead to negative effects within multiple mission and business practices,” the report adds.

The management practices in the government report follow the format of a Gartner or Deloitte best-practices white paper that may cost corporations many thousands of dollars to access. One table lays out the multiple stakeholders in a decision-making process to bolster cybersecurity. “The key to multidisciplinary Cybersecurity Supply Chain Risk Management teams is breaking down barriers between otherwise disparate functions within the enterprise,” reads the report.
