Supplier/Supply Chain Management

Short Description (one paragraph)

Description

  • treat it like partners management?
  • treat IT as supplier too?
  • make sure that IT people understand that this is not only dependency management

  • OT has a 'special' situation with integrators needing access

  • (is this so special? There's the same problem with managed SOCs and outsourced administration done by system houses)

  • organization issue

  • like SLAs, notifications
  • product-specific issues would rather belong under "Devices out in the field with known Vulnerabilities/Issues"

Rationale

  • why did we include this item in the top 10?

Known Attacks/Examples

Potential Sources

How-To Test (have to discuss)

  • maybe add this to a separate section?

Mitigation/Countermeasures

Design and Implementation

  • mitigations for developers/builders

Operational

  • mitigations for integrators/builders

References

Standards

  • links to relevant standards

Background information

  • links to blogs, etc.

Tooling

  • for testing, etc.