Supply Chain Resilence Operations Center

Reduce Operational Risk

Today’s supply chains are characterized by a global web of interconnected suppliers, manufacturers, transportation providers, and infrastructure, with complex and undiscovered dependencies. Furthermore, the dynamic nature of supply chains means that their components are constantly shifting, exposing them to risks from new directions.

The impact of supply chain failure on operations can be dire to businesses, organizations and customers, causing shortages of anything from toilet paper and vehicle chips during the COVID-19 pandemic, to more recent issues with supply of baby formula and children’s pain-relief medicine.

The picture becomes even more complicated when we factor in dependence on information technology. This dependence renders supply chains vulnerable to attacks carried out in the virtual sphere, but with grave consequences in the real world, such as the shutdown of the Colonial Pipeline due to a ransomware attack in May 2021.

A modern Supply Chain Risk Management (SCRM) program will illuminate your supply chain’s direct and indirect dependencies. This enables you and your SCRM provider to proactively seek risk mitigation measures and monitor risk levels in real-time. In addition, no SCRM program is complete without a cybersecurity component, to protect both your operational IT functions and your sensitive digital assets.

Protect Company and Customer Data

Hardly a month goes by without a hacking event perpetrated by malicious actors, illegally accessing anything from customers’ personal information and credit card numbers, to proprietary company information, to digital funds.

Just as a few examples:

• In December 2020, threat actors extorted security company Accellion by threatening to sell its data online unless a ransom was paid. $5M were paid to customers whose personal data was stolen.
• In July 2021, IT solutions developer Kaseya was a victim of a ransomware attack, putting at risk thousands of their managed services clientele. Hackers demanded $45,000 from each of Kaseya’s customers.
• In December 2022, a cybercrime drained more than $370 million from crypto exchange FTX, hours after it filed for bankruptcy.

Cyber attack scenarios such as these can cost commercial organizations millions of dollars in lost customers, damage to reputation, litigation expenses, and theft. The consequences can be even more severe when the target of the attack is a Defense organization, and a breach may affect national security and personal safety.

Open Doors to Government Markets

“In an effort to improve supply chain resilience and protect against material shortages, President Joseph R. Biden Jr. signed Executive Order (E.O.) 14017, America’s Supply Chains.” “The DoD will need to work closely both internally and with its partners—interagency, international, and industry—to build strong and responsive supply chains in the coming years.” — “Securing Defense-Critical Supply Chains”, Dr. Kathleen H. Hicks, US Deputy Secretary of Defense

Due to its critical impact on national security and economic robustness, it’s not surprising that the highest echelons of US Government and Defense are devoting thought and resources to SCRM policy and implementation. This results in frequently updated guidance documents such as NIST 800-161 (Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations), NIST 800-37 (Risk Management Framework for Information Systems and Organizations) and NIST 800-53a (Assessing Security and Privacy Controls in Information Systems and Organizations).

For companies who are (or plan to be) part of the Defense Industrial Base (DIB), implementing a sound SCRM plan is not only good for business operations, it’s also good for business. From the perspective of Government clients, vendors with solid SCRM programs are a lower-risk option than their non-compliant competitors. And although implementing an SCRM plan is not currently mandatory for DIB members, it may become so in the foreseeable future.

Supply Chain Illumination to the Nth Tier

Supply chain illumination means identifying the entities and connections involved in an organization’s supply chain, including products, suppliers, people, and their geo-political context. To effectively identify supply chain risk, it’s not enough to examine 1^st-tier suppliers. The analysis must go deeper into multiple tiers of suppliers. Illuminating relationships to a vendor can expose risk in the form of Foreign Ownership, Control or Influence (FOCI), single supplier risk, or blacklisted upstream suppliers.

As part of its SCRM services, Anglicotech uses tools that scour Open Source Intelligence and commercially available data sources such as news articles, press releases, public filings, transactional documents, customs forms, bills of lading, web scrapes, and social media. This data is then fed through algorithms that evaluate both the data and its source to derive a risk level per vendor.

Risk Assessment

Effective risk assessment involves developing and maintaining both general expertise in the latest threat vectors, capabilities and trends, and knowledge of the specific structure and vulnerabilities of your supply chain. Our team of experts stay abreast of the latest attack patterns and methods used at various points along the supply chain. Key references are the MITRE Supply Chain Attack Catalogue and the Supply Chain Domain of the Common Attack Pattern Enumeration and Classification (CAPEC) sponsored by the Department of Homeland Security (DHS).

Risk assessment on adversarial threats is conducted periodically, and includes a Probability and Consequence assessment. This catalogs, evaluates and ranks the likelihood each risk will materialize, and the magnitude of impact if it does. This numeric classification helps prioritize the selection of security controls and risk mitigation implementation measures.

Vulnerabilities Assessment

Vulnerabilities are weaknesses in software infrastructure that can put an organization’s data and communications at risk of unauthorized access, due to the incorrect or non-existent implementation of security controls. During Vulnerability Assessment, we evaluate existing security plans in order to verify that they are appropriate for the threat and that they are correctly implemented. We provide recommendations to adjust or add security controls to the organization’s security plan.

Risk Mitigation

[COMING SOON]

Cybersecurity Supply Chain Risk Management (C-SCRM)

Cybersecurity risk in the supply chain is the potential for harm that arises from the cybersecurity risks posed by suppliers, their supply chains, and their products or services. Employees, vendors, and privileged users can all leak sensitive data and personal information outside the organization. Examples of common risks are data leaks, systems breaches (“hacking”), and ransomware attacks.

A C-SCRM plan manages and mitigates exposures to cybersecurity risk in the supply chain, guards against threats and vulnerabilities, and develops response strategies to the cybersecurity risk in the supply chain presented by the supplier, the supplied products and services, or the supply chain itself.

Anglicotech’s SC-ROC has built its Cybersecurity Supply Chain Risk Management methodology around half a dozen special publications of the National Institute of Standards and Technology (NIST). This has the double benefit of being the gold standard of quality for cybersecurity programs, and being instantly recognized and approved by Government clients.

Compliance with Government Policy

Although aligning your SCRM plan with Government policy is clearly advantageous, digesting, analyzing and implementing thousands of pages of Government guidance documents can be daunting, time-consuming and ineffective. This is where Anglicotech comes in. Anglicotech has already done the legwork of translating Government SCRM policy into a practicable checklist of controls, procedures and processes to implement, and its SC-ROC provides the expertise to do so.

Continuous Monitoring

For a robust and effective SCRM plan, it’s not enough to perform an initial mapping of supply chain risk and formulation of a one-off mitigation plan. Due to the dynamic nature of supply chains, risks must be continuously monitored. Continuous monitoring means performing periodic reviews of the vendors, systems, products and services in your supply chain, identifying new or changed risks, and updating your risk mitigation strategy accordingly. The tools we use in our SC-ROC provide real-time alerts in the case of increased risk levels for monitored supply chain elements, allowing us to respond immediately and update our client’s SCRM plan in an agile fashion.

Crisis Response

Crisis response is the act of implementing the Contingency Plans defined to address risks that have materialized.

[COMING SOON]