An example of cyber supply chain risk management A recent Network World article stated that Dell is warning customers that a small number of PowerEdge server motherboards sent out through service dispatches may contain malware.Here is a link to the article in question:http://www.networkworld.com/news/2010/072110-dell-warns-of-malware-on.html?hpg1=bnDell is doing the right thing by alerting potentially impacted customers but questions remain:1. How did the malware get there?2. Were the motherboards assembled in a certain place or by a specific manufacturer?3. What processes does Dell (and other server vendors) have in place to ensure that this doesn’t happen?I could go on and on.To me, the Dell incident demonstrates an important but relatively unknown concept called cyber supply chain assurance. Servers, software, and other IT equipment is made up of millions of lines of code, a potpourri of components, and hundreds or even thousands of specialized electronic gear. If any one of these elements is compromised, the whole enchilada could be a ticking time bomb. Malware on a server motherboard is just the beginning. A bit of a tangent: Back in 2004, the U.S. federal government issued a report stating that only 21% of semiconductor manufacturing remained in the United States while the bulk of capacity was migrating to China. This caused great concern in the Dept. of Defense as most our weapons systems, communications, and logistics all depend upon IT. This led to the creation of the Trusted Foundry program, a DOD/industry initiative to ensure microprocessor domestic microprocessor design and manufacturing capabilities. I bring up this example to illustrate a point. DOD realized that it was dependent upon technology and thus vulnerable to a breach of the cyber supply chain. Outside of the defense community however, cyber supply chain risk management is nearly invisible. While the Dell incident is minor and seems contained, it is a further warning about the risk we all face. Let’s hope it wakes up some security professionals outside of the Pentagon. Related content analysis 5 things security pros want from XDR platforms New research shows that while extended detection and response (XDR) remains a nebulous topic, security pros know what they want from an XDR platform. By Jon Oltsik Jul 07, 2022 3 mins Intrusion Detection Software Incident Response opinion Bye-bye best-of-breed? ESG research finds that organizations are increasingly integrating security technologies and purchasing multi-product security platforms, changing the industry in the process. By Jon Oltsik Jun 14, 2022 4 mins Security Software opinion SOC modernization: 8 key considerations Organizations need SOC transformation for security efficacy and operational efficiency. Technology vendors should come to this year’s RSA Conference with clear messages and plans, not industry hyperbole. By Jon Oltsik Apr 27, 2022 6 mins RSA Conference Security Operations Center opinion 5 ways to improve security hygiene and posture management Security professionals suggest continuous controls validation, process automation, and integrating security and IT technologies. By Jon Oltsik Apr 05, 2022 4 mins Security Practices Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe