Supply chain functions are moving towards automation and integration. For instance, take the use of cloud computing, robotics and artificial intelligence in improving productivity and customer service. In fact, not a single day goes by when we don’t come across headlines about the shipping and logistics industry, like Clearpath or DHL, developing drones and warehouse robots or Uber’s efforts to create autonomous vehicles. We could not have fantasized such technological advancements last century. But for all of the pervasiveness and advantages attached to the Internet of Things (IoT), it is observed that IoT actually makes supply chain systems more vulnerable to cyber-attacks and other exploits. Supply chains are becoming a hefty target for cyber-attacks due to the fact that companies and we (researchers) are preaching end-to-end supply chains. Such a model promotes extensive sharing and distribution of information through digital means between all layers of the supply chain (upstream and downstream).
Petya Ransomware Halted Maersk’s Supply Chain
The growing threat posed to supply chains was vindicated when NotPetya malware hit global businesses in approximately 59 countries in late June 2017, an attack which prevented one of the largest container shippers, Maersk Line, from taking new orders. The attack came just when the company introduced a new digitalization strategy in an industry where most of the bookings are taken via phones. The hardest hit of Maersk’s infrastructure was its APM terminal unit, which halted operations in some of the 76 ports in 59 countries around the globe. Those affected locations included New York (the largest port on the U.S. East Coast), Rotterdam – Netherland, and Jawaharlal Nehru Port (India’s biggest container port). As of this writing, Maersk has brought all of their IT systems back online after the cyber-attack but what does this attack mean to the rest of the shipping lines? Are they better secured than Maersk? Do their employees even know what to do when malware or ransomware hits their systems? It’s an eye-opening concern for organizations, as they may face a similar situation in the near future. Indeed, the NotPetya ransomware attack was just the beginning; a greater mess lies ahead if businesses continue to believe no risks threaten them due to ‘having operations at very low scale.’
Cyber Security Risks & Considerations
As discussed in a workshop held by the National Institute of Standards and Technology, some of the key cyber security risks and considerations in an organization's supply chain need to be answered by every stakeholder involved in a business that utilizes cyber space.
1. Third-party service providers or vendors
What sort of cyber-security practices are expected from upstream suppliers? How should adherence to these expectations or standards be assessed? This is one of the basic deficits faced by the logistics industry. Global business giants have no idea how protected and updated the systems and applications used by their vendors are. Yet we promote the concept of Vendor Managed Inventory (VMI) and Collaborative Planning, Forecasting and Replenishment.
2. Poor information security practices by lower-tier suppliers
How many companies make sure that their lower-tier vendors are staying up-to-date on emerging system, network and application-level vulnerabilities?
3. Lack of cyber-security awareness among employees
Cyber Security has a serious talent shortage, especially when it comes to supply chain. In my own experience, I have never come across any extensive cyber security module covered under the supply chain. In fact, most of the universities have not even introduced basic cyber security training in undergraduate or graduate logistics programs. Moreover, how many recruiters conduct an active assessment of basic cyber security knowledge when hiring individuals for key supply chain positions?
4. Software security vulnerabilities in company’s or supplier’s system
Cyber criminals usually conduct a network scan to identify the weakest link. In most of the cases, it is not the strongest and most widely used system in your network that's exposed to cyber-attack. Rather, it's oftentimes the weakest of all; it may be a reserved system that might not have gotten your attention previously. This is cyber-security; it's not a kind of business strategy where you can opt for an 80/20 rule or ABC analysis to set priorities.
5. Counterfeit hardware/software with embedded malware
This generally refers to small-scale companies that utilize BYOD to integrate the supply chain. What levels of malware protection and detection are performed on those devices? Make sure both hardware and software connected to the network are scanned by the information security team.
Now That You Know…
Whether you are running a SMB or a blue-chip organization, investing in cyber security measures is a must. Remember, cyber security is an ongoing process, as cyber criminals are always finding new exploits in your network/system. They will never stop exploiting vulnerabilities. As such, the cost of not employing best cyber security practices is much higher than its implementation.
About the Author: Sufian Farrukh is a Cyber-Security Analyst and Research Supervisor in various universities. He has a passion to read and write in areas such as Cyber-Security, Internet of Things, FinTech, Cloud Computing, Logistics and Artificial Intelligence. You can contact him at [email protected]. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
Zero Trust and the Seven Tenets
Understand the principles of Zero Trust in cybersecurity with Tripwire's detailed guide. Ideal for both newcomers and seasoned professionals, this resource provides a practical pathway to implementing Zero Trust, enhancing your organization's security posture in the ever-evolving digital landscape.