
Dealing with risks in the supply chain

Monitoring and controlling cybersecurity risks in the supply chain can be described as challenging at the very least. How does one do it? Products and services are brought into the Netherlands from all over the world, after all. Such an international network comes with opportunities as well as risks.

The NCSC recently opened a dialogue with Dutch public and private organisations on the following question: ‘How do you deal with cybersecurity risks from your supply chain?’ This document offers concrete starting points to answer that question.

Different perspectives and the definition used

On 11 April 2023, the NCSC conducted a workshop with representatives of public and private organisations to share good practices for handling risks in the supply chain.

The supply chain can be viewed from different perspectives. Research institute TNO has mapped these various perspectives on behalf of the NCSC. In the workshop, we used the following definition: ‘The potential for harm or compromise that arises as a result of security risks from suppliers, their supply chains, and their products or services.’

Lessons from Log4j

Supply chains are technically complex and it is difficult to keep a grip on dependencies. This became apparent when a serious vulnerability was detected in Log4j.

Log4j proved to be the digital equivalent of salt: an exceptionally large number of applications were found to contain Log4j components. Cybercriminals and state actors were then quick to exploit vulnerabilities in Log4j.

Geopolitical developments

Geopolitical developments, too, may give rise to new risks in the supply chains of Dutch organisations.

An international conflict, for instance, may have an impact on supply chain security. Products may not be available due to sanctions or export restrictions, and international supply chains may be targeted by politically motivated digital attacks.
