Information and operational technology (IT/OT) relies on a complex, globally distributed, and interconnected supply chain ecosystem to provide highly refined, cost-effective, and reusable solutions. This ecosystem is composed of various entities with multiple tiers of outsourcing, diverse distribution routes, assorted technologies, laws, policies, procedures, and practices, all of which interact to design, manufacture, distribute, deploy, use, maintain, and manage IT/OT products and services.
Organizations are increasingly at risk of supply chain compromise, whether intentional or unintentional. The factors that allow for low cost, interoperability, rapid innovation, a variety of product features, and other benefits also increase the risk of compromise of the cyber supply chain, which may result in risks to the end user. Managing cyber supply chain risks requires ensuring the integrity, security, quality, and resilience of the supply chain and its products and services. Cyber supply chain risks may include insertion of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the cyber supply chain.
Cyber Supply Chain Risk Management (C-SCRM) is the process of identifying, assessing, and mitigating the risks associated with the distributed and interconnected nature of IT/OT product and service supply chains. It covers the entire life cycle of a system (including design, development, distribution, deployment, acquisition, maintenance, and destruction) as supply chain threats and vulnerabilities may intentionally or unintentionally compromise an IT/OT product or service at any stage.
The Council of Economic Advisers estimated in 2016 that malicious cyber-crime cost the U.S. economy between $57 billion and $109 billion.
The Center for Strategic and International Studies estimates that the cost of cybercrime worldwide is approximately $600 billion. The lion’s share of this cyber theft is directly attributed to poor cybersecurity maturity and ineffective implementation of the controls necessary to protect sensitive data. The Department of Defense announced that, when awarding contracts, cybersecurity would now be considered the fourth critical and foundational measurement, along with quality, cost, and schedule. Deputy Secretary Patrick Shanahan explained how the DoD will evaluate its acquisitions: “Security is one of those measures that we need to hold people accountable for. And it shouldn’t be that being secure comes with a big bill. Like we wouldn’t pay extra for quality, we shouldn’t pay extra for security. We’re in a new world, and security is the standard, it’s the expectation, it’s not something that’s above and beyond what we’ve done before.”