{ "total": 41, "threats": [ { "threat_id": "NT-1", "grouping": "Natural Threat", "name": "Drought & Water Shortage", "description": "Regardless of geographic location, periods of reduced rainfall are expected. For non-agricultural industries, drought may not be impactful to operations until it reaches the extent of water rationing." }, { "threat_id": "NT-2", "grouping": "Natural Threat", "name": "Earthquakes", "description": "Earthquakes are sudden rolling or shaking events caused by movement under the earth’s surface. Although earthquakes usually last less than one minute, the scope of devastation can be widespread and have long-lasting impact." }, { "threat_id": "NT-3", "grouping": "Natural Threat", "name": "Fire & Wildfires", "description": "Regardless of geographic location or even building material, fire is a concern for every business. When thinking of a fire in a building, it envisions a total loss to all technology hardware, including backup tapes and all paper files being consumed in the fire." }, { "threat_id": "NT-4", "grouping": "Natural Threat", "name": "Floods", "description": "Flooding is the most common of natural hazards and requires an understanding of the local environment, including floodplains and the frequency of flooding events. Location of critical technologies should be considered (e.g., server room is in the basement or first floor of the facility)." }, { "threat_id": "NT-5", "grouping": "Natural Threat", "name": "Hurricanes & Tropical Storms", "description": "Hurricanes and tropical storms are among the most powerful natural disasters because of their size and destructive potential. In addition to high winds, regional flooding and infrastructure damage should be considered when assessing hurricanes and tropical storms." }, { "threat_id": "NT-6", "grouping": "Natural Threat", "name": "Landslides & Debris Flow", "description": "Landslides occur throughout the world and can be caused by a variety of factors including earthquakes, storms, volcanic eruptions, fire and by human modification of land. Landslides can occur quickly, often with little notice. Location of critical technologies should be considered (e.g., server room is in the basement or first floor of the facility)." }, { "threat_id": "NT-7", "grouping": "Natural Threat", "name": "Pandemic (Disease) Outbreaks", "description": "Due to the wide variety of possible scenarios, consideration should be given both to the magnitude of what can reasonably happen during a pandemic outbreak (e.g., COVID-19, Influenza, SARS, Ebola, etc.) and what actions the business can be taken to help lessen the impact of a pandemic on operations." }, { "threat_id": "NT-8", "grouping": "Natural Threat", "name": "Severe Weather", "description": "Severe weather is a broad category of meteorological events that include events that range from damaging winds to hail." }, { "threat_id": "NT-9", "grouping": "Natural Threat", "name": "Space Weather", "description": "Space weather includes natural events in space that can affect the near-earth environment and satellites. Most commonly, this is associated with solar flares from the Sun, so an understanding of how solar flares may impact the business is of critical importance in assessing this threat." }, { "threat_id": "NT-10", "grouping": "Natural Threat", "name": "Thunderstorms & Lightning", "description": "Thunderstorms are most prevalent in the spring and summer months and generally occur during the afternoon and evening hours, but they can occur year-round and at all hours. Many hazardous weather events are associated with thunderstorms. Under the right conditions, rainfall from thunderstorms causes flash flooding and lightning is responsible for equipment damage, fires and fatalities." }, { "threat_id": "NT-11", "grouping": "Natural Threat", "name": "Tornadoes", "description": "Tornadoes occur in many parts of the world, including the US, Australia, Europe, Africa, Asia and South America. Tornadoes can happen at any time of year and occur at any time of day or night, but most tornadoes occur between 4–9 p.m. Tornadoes (with winds up to about 300 mph) can destroy all but the best-built man-made structures." }, { "threat_id": "NT-12", "grouping": "Natural Threat", "name": "Tsunamis", "description": "All tsunamis are potentially dangerous, even though they may not damage every coastline they strike. A tsunami can strike anywhere along most of the US coastline. The most destructive tsunamis have occurred along the coasts of California, Oregon, Washington, Alaska and Hawaii." }, { "threat_id": "NT-13", "grouping": "Natural Threat", "name": "Volcanoes", "description": "While volcanoes are geographically fixed objects, volcanic fallout can have significant downwind impacts for thousands of miles. Far outside of the blast zone, volcanoes can significantly damage or degrade transportation systems and also cause electrical grids to fail." }, { "threat_id": "NT-14", "grouping": "Natural Threat", "name": "Winter Storms & Extreme Cold", "description": "Winter storms is a broad category of meteorological events that include events that range from ice storms, to heavy snowfall, to unseasonably (e.g., record breaking) cold temperatures. Winter storms can significantly impact business operations and transportation systems over a wide geographic region." }, { "threat_id": "MT-1", "grouping": "Man-Made Threat", "name": "Civil or Political Unrest", "description": "Civil or political unrest can be singular or wide-spread events that can be unexpected and unpredictable. These events can occur anywhere, at any time." }, { "threat_id": "MT-2", "grouping": "Man-Made Threat", "name": "Technology & Cybersecurity", "description": "Unlike physical threats that prompt immediate action (e.g., \"stop, drop and roll\" in the event of a fire), cyber incidents are often difficult to identify as the incident is occurring. Detection generally occurs after the incident has occurred, with the exception of \"denial of service\" attacks. The spectrum of cybersecurity risks is limitless and threats can have wide-ranging effects on the individual, organizational, geographic and national levels. \n\nThis category of risk includes the management of cybersecurity requirements for Information and Communications Technology (ICT), including technical vulnerabilities and weaknesses in computation logic (code) found in software and hardware components that, when exploited, results in a negative impact to Confidentiality, Integrity, Availability and/or Safety (CIAS)." }, { "threat_id": "MT-3", "grouping": "Man-Made Threat", "name": "Hazardous Materials Emergencies", "description": "Hazardous materials emergencies are focused on accidental disasters that occur in industrialized nations. These incidents can range from industrial chemical spills to groundwater contamination." }, { "threat_id": "MT-4", "grouping": "Man-Made Threat", "name": "Nuclear, Biological and Chemical (NBC) Weapons", "description": "The use of NBC weapons are in the possible arsenals of international terrorists and it must be a consideration. Terrorist use of a “dirty bomb” — is considered far more likely than use of a traditional nuclear explosive device. This may be a combination of conventional explosive device with radioactive / chemical / biological material and be designed to scatter lethal and sub-lethal amounts of material over a wide area." }, { "threat_id": "MT-5", "grouping": "Man-Made Threat", "name": "Physical Crime", "description": "Physical crime includes \"traditional\" crimes of opportunity. These incidents can range from theft, to vandalism, riots, looting, arson and other forms of criminal activities." }, { "threat_id": "MT-6", "grouping": "Man-Made Threat", "name": "Terrorism & Armed Attacks", "description": "Armed attacks, regardless of the motivation of the attacker, can impact a business. Scenarios can range from single actors (e.g., \"disgruntled\" employee) all the way to a coordinated terrorist attack by multiple assailants. These incidents can range from the use of blade weapons (e.g., knives), blunt objects (e.g., clubs), to firearms and explosives." }, { "threat_id": "MT-7", "grouping": "Man-Made Threat", "name": "Utility Service Disruption", "description": "Utility service disruptions are focused on the sustained loss of electricity, Internet, natural gas, water and/or sanitation services. These incidents can have a variety of causes but directly impact the fulfillment of utility services that your business needs to operate." }, { "threat_id": "MT-8", "grouping": "Man-Made Threat", "name": "Dysfunctional Management Practices", "description": "Dysfunctional management practices are a manmade threat that expose an organization to significant risk. The threat stems from the inability of weak, ineffective and/or incompetent management to (1) make a risk-based decision and (2) support that decision. The resulting risk manifests due to (1) an absence of a required control or (2) a control deficiency." }, { "threat_id": "MT-9", "grouping": "Man-Made Threat", "name": "Human Error", "description": "Human error is a broad category that includes non-malicious actions that are unexpected and unpredictable by humans. These incidents can range from misconfigurations, to misunderstandings or other unintentional accidents." }, { "threat_id": "MT-10", "grouping": "Man-Made Threat", "name": "Technical / Mechanical Failure", "description": "Technical /mechanical failure is a broad category that includes non-malicious failure due to a defect in the technology, materials or workmanship. Technical / mechanical failures are unexpected and unpredictable, even when routine and preventative maintenance is performed. These incidents can range from malfunctions, to reliability concerns to catastrophic damage (including loss of life)." }, { "threat_id": "MT-11", "grouping": "Man-Made Threat", "name": "Statutory / Regulatory / Contractual Obligation", "description": "Laws, regulations and/or contractual obligations that directly or indirectly weaken an organization's security & privacy controls. This includes hostile nation states that leverage statutory and/or regulatory means for economic or political espionage and/or cyberwarfare activities. \n\nChanges in statutes, laws, policies, regulations and/or agreements that materially impact a business or market sector and that can increase business operating costs, reduce the attractiveness of investment, or change the competitive landscape. This extends across the supply chain due to a wide-range of laws and regulations." }, { "threat_id": "MT-12", "grouping": "Man-Made Threat", "name": "Redundant, Obsolete/Outdated, Toxic or Trivial (ROTT) Data", "description": "Redundant, Obsolete/Outdated, Toxic or Trivial (ROTT) data is information an organization utilizes for business processes even though the data is untrustworthy, due to the data's currency, accuracy, integrity and/or applicability." }, { "threat_id": "MT-13", "grouping": "Man-Made Threat", "name": "Artificial Intelligence & Autonomous Technologies (AAT)", "description": "Artificial Intelligence & Autonomous Technologies (AAT) is a broad category that ranges from non-malicious failure due to a defect in the algorithm to emergent properties or unintended consequences. AAT failures can be due to hardware failures, inherent biases or other flaws in the underlying algorithm. These incidents can range from malfunctions, to reliability concerns to catastrophic damage (including loss of life)." }, { "threat_id": "MT-14", "grouping": "Man-Made Threat", "name": "Fraud, Corruption and/or Willful Criminal Conduct", "description": "Willful criminal conduct is a broad category that includes consciously-committed criminal acts performed by individuals (e.g., mens rea). These incidents can include a wide-range of activities that includes fraud, corruption, theft and illegal content. Criminal conduct generally involves one of the following kinds of mens rea: (1) intent, (2) knowledge, (3) recklessness and/or (4) negligence." }, { "threat_id": "MT-15", "grouping": "Man-Made Threat", "name": "Conflict of Interest (COI)", "description": "Conflict of Interest (COI) is a broad category but pertains to an ethical incompatibility. COI exist when (1) the concerns or goals of different parties are incompatible or (2) a person in a decision-making position is able to derive personal benefit from actions taken or decisions made in their official capacity." }, { "threat_id": "MT-16", "grouping": "Man-Made Threat", "name": "Macroeconomics", "description": "Macroeconomic factors that can negatively affect the global supply chain. Macroeconomic factors directly impact unemployment rates, interest rates, exchange rates and commodity prices. Due to how fiscal and monetary policies can negatively affect the global supply chain, this can disrupt or degrade an organization's business operations.\n\nEconomic instability can lead to reduced investment and weakened consumer confidence. Multiple factors may cause instability and may include recession, sanctions, demand shocks, price volatility, inflation and unemployment. An out-of-balance economy can lead to unpredictable fluctuations in growth, inflation, employment and financial health. This instability can be episodic, meaning discrete events such as job loss, or it can be chronic, meaning sustained events such as variations to employee compensation." }, { "threat_id": "MT-17", "grouping": "Man-Made Threat", "name": "Foreign Ownership, Control, or Influence (FOCI)", "description": "Foreign Ownership, Control, or Influence (FOCI) is a Supply Chain Risk Management (SCRM) threat category that pertains to the ownership of, control of, or influence over an organization. Primarily, the concern is if a foreign interest (e.g., foreign government or parties owned or controlled by a foreign government) has the direct or indirect ability to influence decisions that affect the management or operations of the organization.\n\nThe ability exercise the power to influence management or operations may result in unauthorized access to sensitive / regulated data or may adversely affect the performance of contracts and/or programs. FOCI may have national security implications, in addition to corporate espionage / maleficence." }, { "threat_id": "MT-18", "grouping": "Man-Made Threat", "name": "Geopolitical", "description": "Geopolitical is a Supply Chain Risk Management (SCRM) threat category that pertains to a specific geographic location, or region of relevance, that affects the supply chain. Primarily, the concern is if a foreign state can affect the supply chain through political intervention within the host nation.\n\nInternal or geopolitical instability can lead to disrupted supply chain operations, increased business operating costs, reduced attractiveness of investment and/or altered competitive landscapes." }, { "threat_id": "MT-19", "grouping": "Man-Made Threat", "name": "Sanctions", "description": "Sanctions is a Supply Chain Risk Management (SCRM) threat category that pertains to past or present fraudulent activity or corruption. Primarily, the concern is if the third-party is subject to suspension, exclusion or other sanctions that can affect the supply chain." }, { "threat_id": "MT-20", "grouping": "Man-Made Threat", "name": "Counterfeit / Non-Conforming Products", "description": "Counterfeit / Non-Conforming Products is a Supply Chain Risk Management (SCRM) threat category that pertains to the integrity of components within the supply chain. Counterfeits are products introduced to the supply chain that falsely claim to be produced by the legitimate Original Equipment Manufacturer (OEM), whereas non-conforming are OEM products / materials that fail to meet the customer specifications. Both can have a detrimental effect on the supply chain.\n\nThe items lack industry standard tests during the production phase ( e.g., pressure testing) or are counterfeit items could pose significant risk to the function and safety of the system, increased maintenance costs due to depreciation in quality and added stresses due to an item's inability to function at true capacity." }, { "threat_id": "MT-21", "grouping": "Man-Made Threat", "name": "Operational Environment", "description": "Operational Environment is a Supply Chain Risk Management (SCRM) threat category that pertains to the user environment (e.g., place of performance). Primarily, the concern is if the operational environment is hazardous that could expose the organization operationally or financially." }, { "threat_id": "MT-22", "grouping": "Man-Made Threat", "name": "Manufacturing & Supply", "description": "Manufacturing & Supply is a Supply Chain Risk Management (SCRM) threat category pertaining to interdependencies related to data, systems and mission functions. Concerns include the availability of supply, capacity to surge, sole-source and concentration within or over-reliance on a single source.\n\nAt issue is a single supplier or sector/market that is incapable of meeting market demand. This can be due to reduced throughput or production delays caused by capacity constraints, obsolescence, industrial limitations, market conditions, disrupted material delivery and other conditions." }, { "threat_id": "MT-23", "grouping": "Man-Made Threat", "name": "Product Quality & Design", "description": "Product Quality & Design s a Supply Chain Risk Management (SCRM) threat category that pertains to inherent design and quality problems (e.g., raw materials, ingredients, production, logistics, packaging) that result in the product and/or service failing to meet performance specifications and quality standards. This includes an understanding of the quality assurance practices associated with preventing mistakes or defects in manufactured/ developed products and avoiding problems when delivering solutions or services to customers." }, { "threat_id": "MT-24", "grouping": "Man-Made Threat", "name": "Financial", "description": "Financial is a Supply Chain Risk Management (SCRM) threat category that pertains to financial distress that can lead to the inability to meet contractual obligations, hostile takeovers, or bankruptcy. This involves situations where a supplier cannot generate revenue or income resulting in the inability to meet financial obligations." }, { "threat_id": "MT-25", "grouping": "Man-Made Threat", "name": "Human Capital", "description": "Human Capital is a threat category that pertains to human skills, knowledge and actions that may impact a market's ability to produce goods and/or services to meet demand. This includes industrial disputes, labor availability and unrest, attrition of required skills and consumer behavior that disrupts a given market or industry." }, { "threat_id": "MT-26", "grouping": "Man-Made Threat", "name": "Transportation & Distribution", "description": "Transportation & Distribution is a threat category that pertains to dynamic disruptions within the transportation and logistics of moving a product from one point to another. The transportation industry is among the most risk-prone of all industries due to accidents, losses of cargo, driver shortages and deteriorating infrastructure. These risks can cause shipment delays, supply chain disruptions, increased costs and damaged reputations. In addition, the inability to predict and plan for disruptions in the logistics plan presents risk in meeting delivery requirements and maintaining operations." }, { "threat_id": "MT-27", "grouping": "Man-Made Threat", "name": "Infrastructure", "description": "Infrastructure is a threat category that pertains to the availability and functioning of fundamental facilities and systems necessary to support an industry and its supply chains within a country. This includes buildings, transportation networks, utilities and equipment. Additionally, this includes how well those facilities and systems are protected from both natural and man-made threats." } ] }