Supply chain risk is something the security community has been concerned about for some time. Companies and industries have been guilty of ignoring the risk or using ineffective safeguards. But the COVID-19 pandemic has exposed the vulnerabilities of organizations – particularly those with a dependence on China – and made them consider rethinking and transforming their supply chain model.
Because of its dominance, disruptions to business in China put the entire global supply chain at risk. Deloitte says more than 200 of the Fortune Global 500 firms have a presence in Wuhan, the highly industrialized Chinese province where the outbreak originated. Today, supply chain risk involves more than obtaining parts: industry – as well as federal agencies – must also protect against harmful impacts to the IT, cyber and digital supply networks.
To help address supply chain risk, the National Institute of Standards and Technology (NIST) has developed a prototype tool that demonstrates one possible way of filling the gap between an organization’s risk appetite and its supply chain risk posture, by providing a basic measurement of the potential impact of a cyber supply chain event.
While the Cyber Supply Chain Risk Management (C-SCRM) Interdependency Tool does not represent a complete supply chain risk management solution, it can be integrated into or used in concert with tools such as third-party management, enterprise resource planning, and supply chain management efforts.
The tool also provides the user with greater visibility over the supply chain and the relative importance of particular projects, products, and suppliers (which NIST refers to as “nodes”) compared to others. This can be determined by examining the metrics which contribute to a node’s importance, such as the amount of access a node has to the acquiring organization’s IT network, physical facilities, and data.
By understanding which nodes are the most important in their organization’s supply chain, the user can begin to understand the potential impact a disruption of that node may cause on business operations. The user can then prioritize the completion of risk mitigating actions to reduce the impact a disruption would cause to the organization’s supply chain and overall business.
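The node-importance and disruption-impact idea described above, as an added illustration that is not NIST's tool or its scoring method: nodes (projects, products, suppliers) carry hypothetical 0-3 ratings for network, physical and data access, "depends on" edges link them, and a disruption's impact is the importance of the disrupted node plus that of every node that transitively depends on it. The weights, ratings and sample supply chain are all constructed for the example.

```python
"""Toy supply-chain interdependency scoring (constructed illustration).

Not NIST's C-SCRM Interdependency Tool or its algorithm: the access weights,
the 0-3 ratings and the sample nodes below are hypothetical.
"""
from collections import deque
from dataclasses import dataclass, field

# Hypothetical weights: how much each kind of access contributes to importance.
ACCESS_WEIGHTS = {"network": 3.0, "physical": 1.0, "data": 2.0}


@dataclass
class Node:
    name: str
    kind: str                       # "project", "product" or "supplier"
    network: int = 0                # 0-3: access to the acquirer's IT network
    physical: int = 0               # 0-3: access to physical facilities
    data: int = 0                   # 0-3: access to sensitive data
    depends_on: list = field(default_factory=list)

    def intrinsic_importance(self) -> float:
        """Weighted sum of the node's own access metrics."""
        return (ACCESS_WEIGHTS["network"] * self.network
                + ACCESS_WEIGHTS["physical"] * self.physical
                + ACCESS_WEIGHTS["data"] * self.data)


def build_dependents(nodes):
    """Invert the depends_on edges: for each node, which nodes rely on it."""
    dependents = {name: [] for name in nodes}
    for name, node in nodes.items():
        for dep in node.depends_on:
            dependents[dep].append(name)
    return dependents


def affected_by_disruption(nodes, start):
    """Every node that transitively depends on `start` (breadth-first walk)."""
    dependents = build_dependents(nodes)
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in dependents[cur]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def disruption_impact(nodes, start):
    """Impact of losing `start`: its own importance plus that of all dependents."""
    return nodes[start].intrinsic_importance() + sum(
        nodes[n].intrinsic_importance() for n in affected_by_disruption(nodes, start))


def mitigation_priority(nodes):
    """Node names ordered by disruption impact, highest first."""
    return sorted(nodes, key=lambda n: disruption_impact(nodes, n), reverse=True)


# Constructed sample supply chain: a payroll project built on a hosted HR
# product, which in turn runs on a cloud supplier; and an unrelated office
# refit with low-access suppliers.
SAMPLE = {
    "Payroll project": Node("Payroll project", "project", data=3,
                            depends_on=["HR SaaS"]),
    "HR SaaS": Node("HR SaaS", "product", network=2, data=3,
                    depends_on=["Cloud host"]),
    "Cloud host": Node("Cloud host", "supplier", network=3, data=2),
    "Office fit-out": Node("Office fit-out", "project", physical=2,
                           depends_on=["Furniture vendor"]),
    "Furniture vendor": Node("Furniture vendor", "supplier", physical=1),
}

if __name__ == "__main__":
    for name in mitigation_priority(SAMPLE):
        print(f"{name:18s} impact={disruption_impact(SAMPLE, name):5.1f} "
              f"affects={sorted(affected_by_disruption(SAMPLE, name))}")
```

The cloud supplier ranks first even though it is furthest from the business project, because a disruption there cascades through every node that depends on it; that cascading view is what a flat supplier list cannot show.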
Evaluating the impacts of a supply chain-related cyber event can be a difficult activity, especially for those organizations with complex operational environments and supply chains. A publicly available solution to support supply chain risk analysis that specifically takes into account the potential impact of an event does not currently exist. NIST’s tool has therefore been developed to help federal agencies identify and assess the potential impact of cybersecurity events in their interconnected supply chains.
NIST is seeking comments related to additional functionality or other aspects of the tool which may be used to develop future versions of the software. Comments should be addressed to [email protected] by April 17, 2020.