Best Practices for Supply Chain Management
- April 26, 2023
- Canary Trap
Critical infrastructure refers to the systems, assets, and networks that are essential to the functioning of a country's economy, security, and public health. Its resilience depends not only on its internal operations but also on its supply chain.
Of course, that means supply chain disruptions can result in significant consequences to critical infrastructure operations, including financial losses, decreased productivity, and risks to national security. Therefore, it is vital to understand the relationship between critical infrastructure and its supply chain, especially regarding cybersecurity.
Supply Chain & Critical Infrastructure
The supply chain is a network of organizations, individuals, resources, and activities involved in the creation and delivery of goods and services. In the context of critical infrastructure, supply chain dependencies can involve hardware and software suppliers, equipment manufacturers, maintenance contractors, and other third-party service providers. A disruption in any of these dependencies can lead to cascading effects on the critical infrastructure’s operations, leading to a significant impact on society.
For instance, a 2020 report by Security Magazine detailed how “an unauthorized third party gained access to the public healthcare system” in Newfoundland, Canada, which then resulted in delays in patient care and test results in several healthcare organizations, including hospitals and labs.
Best Practices to Protect Critical Infrastructure Supply Chains
Cybersecurity best practices are essential to managing the risks associated with supply chain dependencies in critical infrastructure. As stated by the Cybersecurity & Infrastructure Security Agency (CISA), “protecting your organization’s information in a digitally connected world requires understanding not only your organization’s immediate supply chain, but also the extended supply chains of third-party vendors, service providers, and customers.”
That means organizations need to start with risk assessments and cybersecurity exercises so employees understand their role in this battle. Let's review some of the best practices organizations involved in critical infrastructure supply chains should consider:
- Conduct Comprehensive Supply Chain Risk Assessments
This involves identifying and understanding the potential risks associated with each supply chain dependency, including hardware and software suppliers, equipment manufacturers, maintenance contractors, and third-party service providers.
In an article published by McKinsey & Company, cybersecurity experts concluded that “leaders should […] recognize that risk management is not merely about setting up processes and governance models, but also entails shifts in culture and mind-sets.” That is why they should use the information found on their assessments to develop a risk management plan that includes controls and mitigation strategies.
- Perform Due Diligence on Supply Chain Partners
Organizations must do this before engaging in any business relationships. This includes conducting background checks on their partners, assessing their security posture, and understanding their cybersecurity policies and procedures. It is essential to ensure that supply chain partners have adequate cybersecurity measures in place to protect their systems and data from cyber threats.
- Implement Supply Chain Cybersecurity Standards
Requiring partners to meet a recognized standard gives organizations a concrete way to verify that their supply chain partners satisfy specific cybersecurity requirements for protecting their systems and data.
According to an article by Security Boulevard, “ISO 27001 is an excellent choice for operationally mature enterprises seeking certification. In contrast, NIST CSF is a good choice for organizations just starting to establish a cybersecurity risk management plan, understand the security aspects of business continuity, or try to remediate earlier failures or data breaches.” Since ISO 27001 and NIST CSF are the most widely adopted cybersecurity frameworks, organizations may require their supply chain partners to comply with one of them to make sure their data is protected.
- Establish a Supply Chain Incident Response Plan
A plan should be developed to address supply chain cybersecurity incidents. It must define clear procedures for identifying and containing such incidents, as well as processes for communicating with supply chain partners and stakeholders. Conducting regular incident response exercises helps ensure the plan remains effective and up to date.
- Monitor Supply Chain Cybersecurity Risks
This includes monitoring for indicators of compromise, such as suspicious network traffic, unauthorized access attempts, or unusual behavior on systems. Additionally, it is essential to monitor supply chain partners’ compliance with cybersecurity policies and procedures and to conduct regular security assessments of their systems and data.
As organizations adopt new technologies, they need to be aware of the risks that come with them, especially organizations involved with critical infrastructure. Because critical infrastructure depends on its supply chain, any disruption to that supply chain can have significant consequences for its operation.
Therefore, implementing cybersecurity best practices is key to preparing for cyber threats. Experts have concluded that these best practices include conducting comprehensive supply chain risk assessments, performing due diligence on supply chain partners, implementing cybersecurity standards, establishing an incident response plan, and monitoring supply chain cybersecurity risks.
SOURCES:
- https://www.securitymagazine.com/articles/96481-canadian-healthcare-system-suffered-cyberattack
- https://www.cisa.gov/information-and-communications-technology-supply-chain-risk-management
- https://www.forbes.com/sites/forbestechcouncil/2022/04/08/supply-chain-attacks-and-critical-infrastructure-achieving-resilience/?sh=542419276c40
- https://www.mckinsey.com/capabilities/operations/our-insights/a-practical-approach-to-supply-chain-risk-management
- https://securityboulevard.com/2022/06/nist-vs-iso-what-you-need-to-know/