CSIA 350: Cybersecurity in Business and IndustryProject #1: Supply Chain Risk Analysis
Overview
For this project, you will write a research-based report on Cyber and IT supply chain risks which
the client company, Sifers-Grayson must be aware of. This report will be presented to the company’s
executive leadership to help them understand the overall problem of Cyber and IT supply chain risk. This
problem has been raised to the attention of the company’s executive leadership by two influential
customers — the US Department of Defense and US Department of Homeland Security. These two
customers have raised concerns about the company’s preparedness to address and mitigate
cybersecurity risks which could result from supply chain attacks. In their letter to Sifers-Grayson, these
customers asked the company “what are you doing to prevent supply chain attacks?”
Background
Nofsinger consultants met with the government officials and learned that they were concerned
about managing the risks from attacks such as the 2020 Solar Winds attacks and longstanding
trojans/backdoor attacks in network hardware (e.g. Huawei routers) and computer system components.
The Solar Winds attack compromised the software update mechanisms for a widely used set of network
management tools (Korolov, 2021). Supply chain attacks which compromise hardware components
purchased from non US sources are also of concern.
Nofsinger consultants also analyzed the internal business processes involved in the engineering
supply chain for client Sifers-Grayson. They have learned that, when a Sifers-Grayson engineer needs
parts to build a robot or drone, the engineer will place an internal order from the company’s parts
stockroom. If the stockroom does not have the part immediately available, an employee will place an
order with an approved vendor. These vendors are equipment resellers who purchase components from
a number of manufacturers and suppliers. The company also makes purchases of components for some
systems via e-Commerce websites and has encountered supply chain issues as a result of using these
systems to purchase common components such as CPU chips, memory chips, programmable control
chips, power supplies, graphics cards, network interface cards, and mass storage devices. Some may be
brand-name components while other, less expensive products, are made by companies who are less
well known. They also learned that Sifers-Grayson does not have a controlled process for testing
software updates prior to the updates being installed on computer systems in the company’s R&D labs.
Finally, the consultants learned through interviews that, at times, there are supply chain
shortages which may result in a reseller substituting generic products for brand name products. The
consultants informed Sifers-Grayson that such substitutions can increase risks associated with
purchasing products from third parties whose reputations are unknown or less well established. The
company responded that it has a quality assurance process which checks purchased parts for physical
damage or lack of functionality. The consultants believe that this process can be improved to reduce the
likelihood of an undetected supply chain attack (e.g. malware loaded onto a USB or SSID mass storage
device, programmable control chip, etc.).
Copyright © 2022 by University of Maryland Global Campus. All rights reserved.
CSIA 350: Cybersecurity in Business and Industry
Your Task
Your task is to build upon the business analysis previously conducted by the Nofsinger
consultants (see overview section in this file). You must research the problems of hardware and
software supply chain attacks and then write a research-based report for Sifers-Grayson executives
which will provide them with information they can use to evaluate proposed solutions for addressing
the identified supply chain risks. Use the authoritative sources provided below (under “Research”) to
start your investigation into the issues. Then, follow the required outline (See “Write” in this file) to
organize and write your report. You must paraphrase information from your authoritative sources and
provide appropriate citations which identify your sources so that readers can fact check your work.
Research
1.
Research Cyber Supply Chain Risks affecting industry in general. Here are some suggested
resources to get you started:
a. https://www.zdnet.com/article/supply-chain-attacks-are-getting-worse-and-you-arenot-ready-for-them/
b. https://www.cshub.com/attacks/articles/cyber-attacks-top-list-of-risks-impactingsupply-chain
c. https://www.lmi.org/blog/securing-supply-chain-cybersecurity-and-digital-supply-chain
d. Information and Communications Technology Supply Chain Risk Management (ICT
SCRM) https://csrc.nist.gov/CSRC/media/Projects/Supply-Chain-RiskManagements/documents/nist_ict-scrm_fact-sheet.pdf
e. Key Practices in Cyber Supply Chain Risk Management: Observations from Industry
(NISTIR 8276) https://nvlpubs.nist.gov/nistpubs/ir/2021/NIST.IR.8276.pdf
2. Research Hardware Supply Chain Attacks including trojans/backdoors in commercial network
hardware
a. https://www.theguardian.com/technology/2019/apr/30/alleged-huawei-routerbackdoor-is-standard-networking-tool-says-firm
b. https://www.trendmicro.com/en_us/research/21/k/private-5g-security-risks-inmanufacturing-part-4.html
c. https://www.techdesignforums.com/practice/guides/hardware-trojan-securitycountermeasures/
3. Research Software Supply Chain Attacks including the Solar Winds Attack
a. https://www.mitre.org/sites/default/files/publications/pr-18-0854-supply-chain-cyberresiliency-mitigations.pdf
b. https://www.cisa.gov/sites/default/files/publications/defending_against_software_sup
ply_chain_attacks_508_1.pdf
c. https://www.mandiant.com/resources/evasive-attacker-leverages-solarwinds-supplychain-compromises-with-sunburst-backdoor
d. https://www.datacenterknowledge.com/security/what-are-supply-chain-attacks-andhow-guard-against-them
Copyright © 2022 by University of Maryland Global Campus. All rights reserved.
CSIA 350: Cybersecurity in Business and Industry
4. Research best practices and recommended strategies and approaches for managing Cyber and
IT supply chain risks
a. Best Practices in Cyber Security Supply Chain Risk Management
https://csrc.nist.gov/CSRC/media/Projects/Supply-Chain-RiskManagement/documents/case_studies/USRP_NIST_Exelon_102215_05.pdf
b. Supply Chain Cybersecurity: Experts on How to Mitigate Third Party Risk
https://digitalguardian.com/blog/supply-chain-cybersecurity
c. 5 Cybersecurity Best Practices for your Supply Chain Ecosystem https://supplychain.cioreview.com/cxoinsight/5-cybersecurity-best-practices-for-your-supply-chainecosystem-nid-14195-cid-78.html
Write
1. An introduction which addresses the problem of Cyber and IT supply chain security. Your
introduction should clearly explain what a supply chain is and why it is important to a
manufacturing firm like Sifers-Grayson.
2. A section on Cyber and IT supply chain risks in which you identify and describe specific sources
of cyber or IT supply chain risk which could impact Sifers-Grayson’s operations and its products
and services. Begin this section with an overview followed by the two required sub-sections. You
should have at least 3 hardware supply chain related risks and 3 software supply chain related
risks (six or more total risks).
a. Use a sub-section to address 3 or more risks of attacks which could impact hardware
components used in manufacturing robots and drones (focus on components obtained
from third-parties and vendors via the hardware supply chain). You should also address
the networks and computers used in the manufacturing facility (which are also obtained
via the hardware supply chain).
b. Use a sub-section to address 3 or more risks of attacks against the software supply
chain (e.g. attacks against the software supply chain for software used to program and
test control systems for the robots and drones produced by Sifers-Grayson).
3. A section on best practices for reducing risks in the Cyber and IT supply chain. In this section
you must identify and discuss 5 or more best practices for managing Cyber and IT supply chain
risks in a manufacturing industry. You must also provide an evaluation of the expected benefits
from implementing each of these practices.
4. A summary and conclusions section in which you present an overall picture of the supply chain
risk problem in a manufacturing industry and best practices for managing Cyber and IT supply
chain risks.
Submit for Grading
Submit your work in MS Word format (.docx or .doc file) using the Project 1 Assignment in your
assignment folder. (Attach the file.)
Copyright © 2022 by University of Maryland Global Campus. All rights reserved.
CSIA 350: Cybersecurity in Business and Industry
Additional Information
1. Consult the grading rubric for additional content and formatting requirements for this project.
2. Your 4-5 page paper should be professional in appearance with consistent use of fonts, font
sizes, margins, etc. You should use section and sub-section headings in addition to page breaks
to organize your paper.
3. You are allowed to exceed the page count listed under item #2 but you should focus upon
providing a clear and concise written analysis. Graphics, title page, table of contents, and
reference list do not count towards the page count.
4. Your paper should use standard terms and definitions for cybersecurity concepts.
5. The CSIA program recommends that you follow standard APA formatting since this will give you
a document that meets the “professional appearance” requirements. APA formatting guidelines
and examples are found under Course Resources. An APA template file (MS Word format) has
also been provided for your use CSIA_Paper_Template(TOC+TOF,2021).docx.
6. You must include a cover page with the assignment title, your name, and the due date. Your
reference list must be on a separate page at the end of your file. These pages do not count
towards the assignment’s page count. The table of contents from the template is not required
for this assignment and does not count towards the page count. However, if you leave the table
in place, you must update it so that it shows correct headings and page numbers.
7. You are expected to write grammatically correct English in every assignment that you submit for
grading. Do not turn in any work without (a) using spell check, (b) using grammar check, (c)
verifying that your punctuation is correct and (d) reviewing your work for correct word usage
and correctly structured sentences and paragraphs.
8. You are expected to credit your sources using in-text citations and reference list entries. Both
your citations and your reference list entries must follow a consistent citation style (APA, MLA,
etc.). If you paste in graphics, you MUST provide a caption with an in-text citation that identifies
the source (treat it like a quotation).
Copyright © 2022 by University of Maryland Global Campus. All rights reserved.
CSIA 350: Cybersecurity in Business and Industry
References
Korolov, M. (2021, January 12). What are supply chain attacks, and how to guard against them.
Retrieved from https://www.datacenterknowledge.com/security/what-are-supply-chainattacks-and-how-guard-against-them
Copyright © 2022 by University of Maryland Global Campus. All rights reserved.