The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert to remind critical infrastructure owners to take steps in securing the nation’s critical supply chains.
The Federal Communications Commission (FCC) maintains a Covered List of communications equipment and services that have been determined by the U.S. government to pose an unacceptable risk to the national security of the United States pursuant to the Secure and Trusted Communications Networks Act of 2019.
“While it seems like common sense that every enterprise — especially critical infrastructure — would not use devices on the ‘covered list,’ the fact is that new devices are added to the list,” Timothy Morris, Chief Security Advisor at Tanium. “Most organizations do not have accurate inventories of all the devices connected to their networks, so the ability to identify everything in their supply chain can seem elusive.”
Morris adds that once an accurate inventory is complete, identifying riskier devices becomes easier.
“Supply chain risk can be reduced by scanning the environment to discover and remove those on the list. It is not a one and done operation. It has to be continuous and part of every process,” Morris continues. “This includes identifying procurement channels to avoid acquiring those items, robust hardware/software management, vulnerability scans, etc. The Cybersecurity Supply Chain Risk Management Practices outlined by CSRC/NIST can be part of a comprehensive third-party risk management program.”
In the May 1 notifications posted to its website, CISA urged organizations to incorporate the Covered List into their supply chain risk management efforts, in addition to adopting recommendations listed in the Defending Against Software Supply Chain Attacks guidelines.
“To minimize threat risks from fourth and fifth parties in the supply chain, organizations should implement robust vendor management practices, including due diligence, security posture monitoring, and clear communication channels,” said Michael Skelton (Codingo), Senior Director of Security Operations at Bugcrowd. “Additionally, vendors should be required to disclose their use of open source code and provide a Software Bill of Materials (SBOM) to identify potential vulnerabilities and dependencies. Contractual agreements with vendors should address security requirements and hold them accountable for their supply chain security. Adopting a risk-based approach to supply chain management, prioritizing high-risk suppliers and components and regularly reviewing and updating risk management strategies will help organizations stay ahead of emerging threats and vulnerabilities.”