A supply chain
“refers to the distribution channel of a product from its sourcing to its delivery to the end consumer.”
“is a system of organizations, people, activities, information, and resources, possibly international in scope, that provides products or services to consumers.”
“[is t]he network of retailers, distributors, transporters, storage facilities, and suppliers that participate in the sale, delivery, and production of a particular product.”
“[is] a set of organizations, people, activities, information, and resources for creating and moving a product or service from suppliers through to an organization's customers.”
“[is] a linked set of resources and processes between acquirers, integrators, and suppliers that begins with the design of information and communications technology (ICT) products and services and extends through development, sourcing, manufacturing, handling, and delivery of ICT products and services to the acquirer.”
It starts with the unprocessed raw materials and ends with the final customer using the finished goods.
"Products and services in the domestic and international supply chain include hardware, software, and firmware components for systems, data management services, telecommunications service providers, and Internet service providers. Domestic and international supply chains are becoming increasingly important to the national and economic security interests of the United States because of the growing dependence on products and services produced or maintained in worldwide markets."
“The globalization of the economy has placed critical links in the manufacturing supply chain under the direct control of U.S. adversaries.”
Potential attacks through subversion of hardware or software supply chains can be viewed as another type of insider threat. Access through a hardware supply chain may require development and manufacture of a subverted version of a microelectronic component and a complicated operation to insert the device into the targeted computer, possibly through use of insiders in the supply chain.
A software supply chain attack might involve, for example, a subversion embedded in lower-level system software not likely to be evaluated during testing. Another approach is to subvert the master copy of software used for broad distribution, which hackers recently attempted to do with a mainstream operating system. Even if software is tested, subversions may be difficult to detect since they would typically be revealed only under circumstances difficult for a defender to discover.
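The paragraph above makes a point worth seeing in practice: a subverted copy of software passes ordinary functional testing, because the malicious behaviour is only reached under conditions a tester does not exercise, so the defender's check has to be an integrity comparison against a trusted reference rather than a behavioural test. The following is an added example, not code from the original page or from any of the cited sources; the "artifact", its subverted twin, the trigger value and the pinned digest are all constructed here for illustration, and a real deployment would take the pinned digest from an out-of-band source such as a signed release manifest.

```python
"""Detecting a subverted software artifact by pinned-digest verification."""
import hashlib
import hmac

# Constructed stand-in for a distributed software package (hypothetical; not a
# real product): a tiny module whose documented behaviour is to double its input.
ORIGINAL_ARTIFACT = b"def run(x):\n    return x * 2\n"

# Constructed subverted copy: behaves identically on ordinary inputs, but carries
# dormant logic that only fires on a value a tester is unlikely to exercise.
SUBVERTED_ARTIFACT = (
    b"def run(x):\n"
    b"    if x == 0x5EED:\n"
    b"        return -1\n"
    b"    return x * 2\n"
)

# Digest of the trusted master copy. In practice this is obtained out of band
# (a signed release manifest, a vendor-published checksum); here it is computed
# from the constructed original so the example runs offline.
PINNED_SHA256 = hashlib.sha256(ORIGINAL_ARTIFACT).hexdigest()


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the artifact bytes as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def verify_pinned_digest(artifact: bytes, pinned_hex: str) -> bool:
    """Accept the artifact only if its digest matches the pinned value.

    hmac.compare_digest keeps the comparison constant-time; any single changed
    byte in the distributed copy changes the digest, whatever the change does.
    """
    return hmac.compare_digest(sha256_hex(artifact), pinned_hex.lower())


def functional_test_passes(artifact: bytes,
                           cases=((1, 2), (5, 10), (21, 42))) -> bool:
    """Run the artifact's run() against ordinary test vectors.

    This executes the constructed artifact text in a private namespace purely to
    model acceptance testing; never exec() real untrusted code this way.
    """
    namespace: dict = {}
    exec(artifact.decode("utf-8"), namespace)
    return all(namespace["run"](x) == expected for x, expected in cases)


def assess(artifact: bytes, pinned_hex: str = PINNED_SHA256) -> dict:
    """Report both checks so the gap between them is visible."""
    return {
        "functional_test_passes": functional_test_passes(artifact),
        "digest_matches_pinned": verify_pinned_digest(artifact, pinned_hex),
    }


if __name__ == "__main__":
    for name, artifact in (("original", ORIGINAL_ARTIFACT),
                           ("subverted", SUBVERTED_ARTIFACT)):
        print(name, assess(artifact))
```

Both copies pass the functional test; only the digest check rejects the subverted one. The check is only as strong as the channel the pinned digest came from: if an attacker who replaced the master copy can also rewrite the published checksum, the digest must instead be bound to a signature the attacker cannot forge, which is the kind of complementary, mutually reinforcing control the life-cycle discussion below calls for.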
Key supply chain threats include:
- installation of intentionally harmful hardware or software (i.e., containing "malicious logic");
- installation of counterfeit hardware or software;
- failure or disruption in the production or distribution of critical products;
- reliance on malicious or unqualified service providers for the performance of technical services; and
- installation of hardware or software containing unintentional vulnerabilities, such as defective code.
These threats can have a range of impacts, including allowing attackers to take control of systems or decreasing the availability of critical materials needed to develop systems. These threats can be introduced by exploiting vulnerabilities that could exist at multiple points in the supply chain.
Uncertainty in the supply chain and the growing sophistication and diversity of international cyber threats increase the potential for a range of adverse effects on organizational operations and assets, individuals, other organizations, and the nation. Global commercial supply chains provide adversaries with opportunities to manipulate control system technology products that are routinely used by public and private sector organizations (e.g., suppliers, contractors) in the control systems that support U.S. critical infrastructure applications.
Malicious activity at any point in the supply chain poses downstream risks to the mission/business processes that are supported by those control systems. To mitigate risk from the supply chain, a comprehensive security strategy should be considered that employs a strategic, organization-wide defense-in-breadth approach. A defense-in-breadth approach helps to protect control systems (including the technology products that compose those systems) throughout the System Development Life Cycle (i.e., during design and development, manufacturing, packaging, assembly, distribution, system integration, operations, maintenance, and retirement). The identification, management, and elimination of vulnerabilities at each phase of the life cycle and the use of complementary, mutually reinforcing strategies to mitigate risk are important components of a successful defense-in-breadth approach.
- NIST Special Publication 800-64, Rev. 2, at 40 n.4.
- NIST Special Publication 800-53, Rev. 3, at B-14.
- Guidelines for Securing Radio Frequency Identification (RFID) Systems, Glossary, at B-3.
- Notional Supply Chain Risk Management Practices for Federal Information Systems (Oct. 2012).
- Office of the National Counterintelligence Executive, Supply Chain Threats.
- IT Supply Chain: Additional Efforts Needed by National Security-Related Agencies to Address Risks, Highlights.
- Catalog of Control Systems Security: Recommendations for Standards Developers, at 31 (control systems passage).