Technology

2012

This publication has been developed by NIST to further its statutory responsibilities under the Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347. NIST is responsible for developing information security standards and guidelines, including minimum requirements for Federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate Federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in Circular A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in Circular A-130, Appendix III, Security of Federal Automated Information Resources. Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on Federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other Federal official. This publication may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would, however, be appreciated by NIST.

Supply Chain Management: An International Journal, 2020

Purpose: Despite growing research interest in cyber security, inter-firm based cyber risk studies are rare. Therefore, this study investigates cyber risk management in supply chain contexts. Methodology: Adapting a systematic literature review process, papers from interdisciplinary areas published between 1990 and 2017 were selected. Different typologies, developed for conducting descriptive and thematic analysis were established using data mining techniques to conduct a comprehensive, replicable and transparent review. Findings: The review identifies multiple future research directions for cyber security/resilience in supply chains. A conceptual model is developed, which indicates a strong link between IT, organisational and supply chain security systems. The human/behavioural elements within cyber security risk are found to be critical; however, behavioural risks have attracted less attention due to a perceived bias towards technical (data, application and network) risks. There is a need for raising risk awareness, standardised policies, collaborative strategies and empirical models for creating supply chain cyber-resilience. Research implications: Different type of cyber risks and their points of penetration, propagation levels, consequences and mitigation measures are identified. The conceptual model developed in this study drives an agenda for future research on supply chain cyber security/resilience. Practical implications: A multi-perspective, systematic study provides a holistic guide for practitioners in understanding cyber-physical systems. The cyber risk challenges and the mitigation strategies identified support supply chain managers in making informed decisions. Originality: This is the first systematic literature review on managing cyber risks in supply chains. The review defines supply chain cyber risk and develops a conceptual model for supply chain cyber security systems and an agenda for future studies.

Computer, 2016

Proceedings of the ... European conference on information warfare and security, 2024

The U.S. National Cybersecurity Strategy is focused on the five pillars of defending critical infrastructure: detect, disrupt, and dismantle threat actors; improve market resilience and security; invest in future resilience; and create international partnerships with shared goals. The National Cybersecurity Strategy Implementation Plan is focused on critical infrastructure supporting energy, financial, healthcare, information technology, and manufacturing sectors. In the U.S. alone, the SolarWinds supply chain attack affected nine federal agencies and about 100 companies. Ransomware attacks such as the Colonial Pipelines, the largest U.S. oil pipeline, disrupted supplies of gasoline and fuel to the U.S. East Coast and the JBS USA as the largest meat processor ransomware attack affecting one-fifth of the nation's meat supply. The U.S. National Cybersecurity Strategy as a response to the U.S.'s critical infrastructure concerns led to the creation of two core cybersecurity documents which were crafted jointly with several other allies. Cybersecurity and Infrastructure Security Agency (CISA) crafted the Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software with joint agreement with National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and 15 international government agencies to give international vendors a roadmap of the expected cybersecurity hygiene required from their products. (CISA, 2023a; Car & De Luca, 2022) Building on the Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software, CISA, FBI and NSA met with cybersecurity organizations from Australia, Canada, New Zealand, and United Kingdom and jointly created The Case for Memory Safe Roadmaps: Why Both C-Suite Executives and Technical Experts Need to Take Memory Safe Coding Seriously as a core issue identified in the earlier guidance. (CISA, 2023c). These two jointly led by the U.S. helped initiate an international cybersecurity norm insisting international software manufacturers demonstrate product security and transparency in the products they sell. These joint documents quickly showed how a global community can rally to solve cybersecurity challenges that have existed for decades. This led to twenty of the largest international software vendors creating the Minimum Viable Secure Product (MSVP) Working Group to address the requirements levied by these documents; CISA has joined this working group to help shape procurement, contractual controls, self-assessment, and system development lifecycle (SDLC) with these vendors. (CISA, 2024d; MSVP, n.d.

ESP-JETA, 2021

This paper compares the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC-CIP) and the National Institute of Standards and Technology (NIST) cybersecurity frameworks, analysing their strengths, weaknesses, and implementation challenges. While NERC-CIP focuses on mandatory requirements for the bulk electric system, NIST provides a voluntary and adaptable framework for broader cybersecurity risk management. The study highlights the complementary nature of both frameworks and proposes a comprehensive approach to building cyber risk-free infrastructure, incorporating elements like risk-based prioritization, defense-in-depth strategies, continuous monitoring, and collaboration. It also emphasizes the limitations of relying solely on compliance and suggests additional measures such as advanced threat detection, zero-trust models, and security awareness training to enhance cybersecurity posture in critical infrastructure sectors.

2021

ABSTRACT: The past year has seen critical fluctuations in business operations throughout the US and the world. Due to COVID-19, employees have been encouraged or forced to work from home instead of commuting to a regular work location. Remote work has disrupted and weakened security processes. Cyber criminals have seen an opportunity in this weakened infrastructure. Cybersecurity attacks have disrupted supply chains for businesses, schools, healthcare organizations and other entities. Organizations will need to reassess security strategies with the assumption that work-from-home will become permanent. The US Department of Homeland Security has stepped up its efforts to meet this risk head-on and has incorporated supply chain cybersecurity measures within the constructs of the Customs-Trade Partnership Against Terrorism (C-TPAT) program. This all-volunteer program was launched immediately after 9/11 to thwart potential supply chain risks that could open the door to major terrorist at...

Dr.Anil Lamba, 2017

This research aims to investigate the current status and future direction of the use of information systems for supply chain management for companies with multicomponent production. Paper presents a qualitative research method for analyzing a supply chain processes and for identifying ways of its information support. Based on data collected from different enterprises, can be concluded that in order to identify the most effective strategies of information support of supply chain the attention should focus on the identification and management of the sources of uncertainties, risks and cyber security. To successfully integrate business processes between suppliers and customers, manufacturers must solve the complex problem of information security. The main practical results are: proposed a new approach to the identification and prediction of supply risk within uncertainties conditions; proposed a complex solution to secure data in information systems for supply chain management.

Journal of Transportation Security, 2018

Modern port infrastructures have become highly dependent on the operation of complex, dynamic ICT-based maritime supply chains. This makes them open and vulnerable to the rapidly changing ICT threat landscape and many ports are not yet fully prepared for that. Furthermore, these supply chains represent highly interrelated cyber ecosystem, in which a plethora of distributed ICT systems of various business partners interact with each other. Due to these interrelations, isolated threats and vulnerabilities within a system of a single business partner may propagate and have cascading effects on multiple other systems, thus resulting in a large-scale impact on the whole supply chain. In this context, this article proposes a novel evidence-driven risk assessment methodology, i.e., the MITIGATE methodology, to analyze the risk level of the whole maritime supply chain. This methodology builds upon publicly available information, well-defined mathematical approaches and best practices to automatically identify and assess vulnerabilities and potential threats of the involved cyber assets. As a major benefit, the methodology provides a constantly updated risk evaluation not only of all cyber assets within each business partner in the supply chain but also of the cyber interconnections among those business partners. Additionally, the whole process is based on qualitative risk scales, which makes the assessment as well as the results more intuitive. The main goal of the MITIGATE methodology is to support the port authorities as well as the risk officers of all involved business partners.

Executive Summary Following terrorist attacks in recent years, firms have been taking multiple steps — either voluntarily or to meet mandated government regulations — to ensure safe transit of their goods across international borders. In parallel, natural disasters such as Hurricane Katrina, as well as many other unforeseen events such as product contamination and adulteration, shortages, border closings and strikes by ports, made firms more aware of the vulnerability of their supply chains, and encouraged them to seek ways to reduce risks of such unforeseeable situations and increase stability along their supply chain. Some of the initiatives taken by the U.S. government to assess and minimize the risk involved in international transportation of goods, include, among others, the Container Security Initiative (CSI), the Customs-Trade Partnership Against Terrorism (C-TPAT), the Advanced Manifest Rule (AMR) and the Free and Secure Trade initiative (FAST). Other initiatives, which took...

Supply Chain Management: An International Journal, 2018

Purpose The purpose of this paper is to explore how companies approach the management of cyber and information risks in their supply chain, what initiatives they adopt to this aim, and to what extent along the supply chain. In fact, the increasing level of connectivity is transforming supply chains, and it creates new opportunities but also new risks in the cyber space. Hence, cyber supply chain risk management (CSCRM) is emerging as a new management construct. The ultimate aim is to help organizations in understanding and improving the CSCRM process and cyber resilience in their supply chains. Design/methodology/approach This research relied on a qualitative approach based on a comparative case study analysis involving five large multinational companies with headquarters, or branches, in the UK. Findings Results highlight the importance for CSCRM to shift the viewpoint from the traditional focus on companies’ internal information technology (IT) infrastructure, able to “firewall th...