Guest post by Jacob Olcott of Good Harbor Security Risk Management
Managing risk to the information technology supply chain, including hardware components and software applications, is an emerging challenge for security managers around the world, including those within the energy sector. Because the energy industry is critical to society, its supply chain risk management initiatives are increasingly likely to draw scrutiny.
Growing reliance upon globally sourced information technology exposes information systems and networks to a rising risk of exploitation through counterfeit materials, malicious software, or untrustworthy products. Supply chain attacks may involve manipulating computing system hardware, software, or services at any point in the lifecycle. They are typically conducted or facilitated by individuals or organizations that have access through commercial ties, and they can lead to stolen critical data and technology, corruption of the system or infrastructure, or disabling of mission-critical operations.
In recent years, supply chain risk has received national-level attention from the U.S. government and the media, particularly in the area of telecommunications. Companies and governments alike have expressed concern about the security risks associated with sensitive equipment from untrustworthy vendors. In spite of heightened security risks, some companies find the potential economic savings associated with a less-trustworthy vendor to be “worth the risk.” Balancing security risk with financial considerations and operational needs makes the supply chain risk management problem particularly difficult for companies to navigate and requires senior executive awareness and approval.
Though supply chain risks can be difficult to understand and uncover, organizations must assess and manage supply chain risks to ensure mission success. There are five critical issues for a security manager to consider when approaching supply chain risk mitigation:
- Know the issue: understand the risks associated with supply chain vulnerability by reviewing government and technical research and reports
- You can’t mitigate every risk: prioritize your efforts based on impact on the business, and develop priorities in coordination with company executives
- Supply chain risk management is a corporate-wide responsibility: educate and inform relevant coworkers, including in legal, procurement, and operations departments
- Leverage your procurement and acquisition process to mitigate supply chain risk: creating an expectation of improved cybersecurity among your suppliers and vendors will save you time and money
- Service updates and remote diagnostics pose opportunities for exploitation: seek specific assurances from your vendors, and consider the full lifecycle of hardware and software
Vendor transparency is crucial for companies to obtain a complete understanding of supply chain risks. Though managing supply chain risks in the energy sector is a relatively new concept, security managers should not hesitate to ask questions. Companies should think twice about purchasing hardware or software from vendors who cannot provide information or assurance about their lifecycle risk management or development processes.