A Collection of Information Security Community Standardization Activities and Initiatives
   

Supply Chain Risk Management

The information and communication technology (ICT) sector encompasses thousands of global companies producing thousands of new hardware and software components annually. The manufacture of ICT components also includes complex supplier relationships, globally distributed logistics, high rate of component change, intensive maintenance processes of both the hardware and software components, and a variety of compatibility and compliance issues. Many of the logistic concerns such as just-in-time inventories are important, but are not the concern of end users of ICT equipment. End users want reliability, integrity, and trustworthiness in products they acquire from suppliers. This includes both the product itself such as a computer, or any device that stores, processes, or transmits data, and the software running on that product.

On the software side there are tens-of-thousands of software development firms that employ millions of programmers. Software programming is closer to an art than a science and as a result, software quality is not consistent, often contains hard-to-detect errors, is put on the market before being adequately tested, and can leave your system with exploitable weaknesses. Software applications are used by all of us on our computers, tablets, and smartphones but also include operating systems such as Apple OS-X and Microsoft Windows 8. When someone publicizes one of these errors as a publicly known vulnerability we all get to apply patches. There are standards and best practices developed by organizations to provide software developers tools to reduce software errors and improve overall quality. One such organization, the Software Assurance Forum for Excellence in Code (SAFECode) works to identify and promote best practices for developing and delivering more secure and reliable software. Other organizations such as Open Web Application Security Project (OWASP), and the Build Security In (BSI) consortium also provide useful tools and practices for the software developer.

Hardware appliances such as servers and routers are expensive and the valuable components inside of a device can be stolen, swapped for lower-quality components, or be entirely counterfeit. A common problem is that the integrated circuits or "chips" used in electronic devices are found to be previously used, obtained from discarded products, cleaned up, and slipped into a bundle of new chips destined for a product manufacturer. Home appliances, healthcare devices, cars, and military systems are all exposed to and suffer from this threat. Business and industry groups as well as international standards bodies and government agencies are aligned to combat these crimes. Some examples are Organization of International Standards (ISO) with its publication of "ISO 27036", and SAE International with its publication of "AS 5553". The Open Group Trusted Technology Forum is developing practices focusing on supply chain trustworthiness.

Supply Chain Risk Defined

Risk is the chance that something bad will happen. Risks to the ICT supply chain arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, and other organizations. Such risks can take the form of sloppy software development, inadequate testing of products before they are shipped, and using the least expensive parts even if that means they may not be authentic.

Supply chain risk management (SCRM) is the process of understanding these risks, their business impacts, and how to manage them by mitigating supply chain weaknesses and exploits throughout the system lifecycle. The U.S. National Institute of Standards and Technologies (NIST) is producing a guidebook for organizations seeking to understand and adopt practices that will strengthen lifecycle processes, both prior to and following an acquisition, to make them more resistant to supply chain exploitation.

Effective ICT SCRM requires processes, procedures, and tools that allow organizations to apply SCRM principles consistently across all ICT systems. One such principle is to minimize the risk of counterfeit parts since they may lead to unpredictable behavior, early failures, or worse. It therefore becomes necessary to distinguish counterfeit parts from authentic parts. There are for example, electronic tests that can compare a particular component to a manufacturer's design standards or a known-good artifact. These tests measure attributes such as logic circuitry, frequency characteristics, and common electric parameters (e.g., power consumption), all of which combine to help form a digital "fingerprint."

A structured language to express these characteristics is needed, such that all members of a supply chain can communicate about them, and which can be used to alert others about counterfeits or express the criteria for legitimate items. A structured language to describe these observable attributes of both legitimate and illegitimate components is one tool for reducing supply chain risk.

A Shared Resource for Supply Chain Information Exchange

Early-in-lifecycle investments in ICT SCRM decrease cyber risks that result from poorly/maliciously designed hardware and software, and will ultimately result in decreased expected costs of response, retrofit, and network reconstitution. Conversely, failure to invest in SCRM during early system development stages will require more sophisticated monitoring and cyber intelligence capabilities to avoid loss of essential functions. To achieve best return on investment, SCRM activities must be embedded and aligned with overall network security strategy and operations.