The SCRM problem arises from both introduced vulnerabilities and external threats to a system or its components. Taken together they comprise the primary risk to the ICT SCRM supply chain.
Within the ICT SCRM supply chain, a weakness creates a vulnerability that can be exploited or triggered by a threat or attack on the supply chain. Weaknesses, threats to/attacks on, the supply chain compromise the integrity, security, confidence in and reliability of, the supply chain. Weaknesses and threats at any point in the supply chain (system/component design, manufacturing, shipping, delivery, operation and end-of-life) are created and implemented by bad actors (individuals, organizations, or nation states). These risks (vulnerabilities and threats) are difficult to detect, hi-tech and complex. They are a considerable risk to organizational reputation, operations, image, assets and capabilities.
Vulnerabilities in the ICT supply chain include both potential exposures to external threat actions including counterfeit parts, tampering with manufactured parts, production of unauthorized or inferior parts, theft and resale of parts, recycled parts, insertion of malicious software, and firmware containing bad parts and/or software. They also include intrinsic exposures to environmental factors such as natural disaster, manufacturing quality, weather, strikes, or single points of failure. Suggested solutions to these vulnerabilities can be found in our section on SCRM Solutions.
Threats to the ICT supply chain include enemy actions and environmental conditions. Threats are countered by the practice of high-quality and effective Supply Chain Risk Management and Mitigation techniques, processes and policies. Information related to these topics can be found in our section onSupply Chain Management, Risk Mitigation And Governance.
Vulnerability and Threat risks are increasing and associated with an organizations decreasing visibility of the supply chain and the processes, procedures, and practices used to deliver the products and services to the customer. It is impossible to eliminate all risks or guarantee all customer products. But it is possible to take advantage of the standards and best practices, and consistently measure and manage the ICT supply chain.