An unknown removable USB storage device picked up in a parking lot or restroom is almost expected to contain malware, but no so expected for devices provided from well-known and respected companies. Global energy management and automation company Schneider Electric issued a security notification last month advising customers that some USB drives were contaminated with malware during manufacturing by one of their suppliers. Fortunately, the USB did not contain any operational software. Schneider Electric stated the drives were shipped with Conext Combox and Conext Battery Monitor solar-power-related products and contained product documentation and “non-essential” software utilities. This incident exemplifies the need for vendor risk management programs to include measures to help curb the risk posed from downstream suppliers in the multi-tiered supply chain. CyberScoop