Increasing cyber security risk
Even as global Supply Chains Networks are being reviewed to reduce their complexity, technology developments mean that your organisation’s Supply Chains Network is likely to become more complex, making it even more susceptible to cyberattacks.
Increasing promotion of Digitalisation within supply chains has potential threats associated with cyber-attacks not limited just to corporate IT hardware and software resources. There will be an increasing scope for attacks that target operational technology (OT), which can impact the physical assets in inbound and outbound stores and warehouses.
Smaller businesses (SMEs) in a supply chain can be targets for attack, due to their cyber defences being minimal. An attack is in the hope of gaining access to larger companies in the supply chain. So, all businesses in a supply chain are vulnerable. There are two types of cyber-attack (Source: Resilinc):
Malware: Refers to spyware, ransomware, viruses and worms. Malware infiltrates a network through a weakness, often human, when a user clicks on a malicious link or email attachment, which then installs harmful software:
- Access to critical devices and components is denied (ransomware)
- Installs viruses and worms or other dangerous code
- Collects information, including Intellectual Property (IP) and proprietary processes, covertly by obtaining data from a hard drive (spyware)
- Critical components are disabled, rendering operations unworkable
Phishing: Delivers fake messages that appear to originate from a trusted source, often by email. Phishing is an increasing cyber threat:
- Steal sensitive information such as payment card and login information
- Install malware on a victim’s PC
The Supply Chains of cyber-physical and inter-connected businesses include ‘Industry 4.0’ technologies – Industrial Internet of Things (IIoT), robotics and industrial automation. These networks may also include older equipment used in Logistics operations that are built on proprietary software platforms or old operating systems, that may contain possible security access points.
Cyber challenges for your Supply Chains group
The proliferation of software-as-a-service (SaaS) applications and the use of Cloud hosting has enabled people to work effectively from anywhere. The risk analysis firm Resilinc has recently published a report concerning cyber-attacks in supply chains. It notes that cyber risk has increased, with more remote work and the subsequent transfer of corporate data between the business and portable devices. The cyber risks associated with remote working (according to an Alliance Virtual Offices survey) are that remote workers:
- receive cybersecurity training only once per year or less. Minimal auditing of adherence to remote work rules
- use personal devices for work tasks
- use work issued devices for personal tasks
- allow outside parties to use their work devices
The report also notes that businesses can use the services of a managed service provider (MSP). However, a business may unknowingly put themselves at risk due to:
- Many third -party security providers are new or start-up companies that may not have the best internal protection, enabling cybersecurity threats:
- Third-party suppliers have been increasingly targeted by cybercriminals wanting to broaden their scope of assaults. NTT Security Holdings’ 2022 Global Threat Intelligence Report
- Hackers tend to identify and attack weak third-party services to extract and sell data
- Attacks are in the hope of utilizing third parties as a step to target many downstream customers through the extended supply chains
Trust but verify approach
Currently, there is no sequence of actions that will fully protect an organisation from a cyber-attack on itself or its supply chains. By participating in a supply chain, a business connects with all others at Nodes and Links in the chain. Therefore, improvements made to the cyber security of your business will strengthen the supply chain’s security.
A place to start is establishing a ‘trust but verify’ approach when considering all things concerned with cyber security. Build a picture of the types of data, where it’s located and its sensitivity in the supply chains. Include your organisation’s internal data (plus backups) and data that suppliers have access to.
Then quantify the physical and cyber risk at each Node and Link in the Network. It identifies the location or asset that an attack may target and the supply chain processes and data that an attack could possibly affect.
This process is an enhancement to your organisation’s existing Supply Chains Network Design map. With the Map as guide to cyber security challenges, there are steps that can be taken to mitigate the potential risks:
Procurement: How does your enterprise qualify its Tier 1 suppliers? Are suppliers evaluated concerning their supply chains cyber security risk? Do suppliers have a cyber security program and follow it? Should suppliers align with a set of cybersecurity standards and certifications? Cyber security expectations should be noted in contracts and memorandum of understanding (MOU) to provide assurance that suppliers are managing their supply chain cyber security risk.
Operations Technology requires remote auditing for data integrity.
- Check that data sent from an IIoT device has actually occurred at that location and time. Confirmation from a chip within a device that uses an equation to provide a digital signature attached to the transaction data
- Test supply chain software updates, as hackers can install malware in software from trusted suppliers
- Restrict data and information access to registered suppliers and customers on a ‘need to know’ basis
Remote working at company locations or at home, obtained from various sources:
- Only company issued devices are to be used. If private devices allowed, specify acceptable security software programs and enforce their use by requiring proof that it’s installed
- Every employee should have a digital identity within the system, to manage rules concerning access to data and information
- Two factor authentication at employee’s approved device
- Password policy concerning structure and update timing
- Device supports biometric identification (such as a fingerprint scan) to provide an additional level of security
- Only approved applications are pre-loaded
- Approved security software pre-loaded
- No mobile apps
- Only communicate with company staff and approved suppliers/customers
- Internet disconnected
- Encrypt data before transfer to minimize risk
Cyber security carries risks and costs. The suggestions listed above have risks if not implemented and costs if they are. Doing nothing also carries risks. Cyber security is a shared responsibility between your company and any organisation that digitally interacts with it. Your business cannot completely outsource cybersecurity, so what will your Supply Chains group do?
This blogpost is the last for 2022. Thank you to all who have read the blogs and hopefully improved their supply chains. Learn About Logistics will return on Monday January 9, 2023.