Cyber Resilience in the Supply Chain – Solving for the Next Global Crisis

Cybersecurity comes down to visibility and control. Although production flows down a supply chain, risk management needs to flow up the supply chain. This means that every link in a supply chain needs to hold its suppliers accountable.

James Thew - stock.adobe.com

When it comes to supply chain resilience, cybersecurity is often a missing link. With global supply shortages and delays having widespread impacts across industries, companies are beginning to rethink and strengthen their supply chain processes. However, businesses need to realize that without cybersecurity, a gap remains, leaving them vulnerable to attacks that can cripple their operations. An organization’s supply chain cannot be truly resilient unless it is cyber resilient.

As supply chains grow more interconnected, the link between operational technology (OT) and information technology (IT) becomes tighter. Anything that impacts IT can similarly affect OT. Unfortunately, OT is commonly more exposed and more reliant on outdated security measures, which makes it ripe for an attack.

From manufacturing to distribution, companies are using digital technology to streamline and manage their supply chains. Recent attacks on critical infrastructure show how vulnerable and interdependent these supply chains are. The Colonial Pipeline attack, for example, impacted everything from the delivery of goods to the price of raw materials. Even non-cyberattacks illustrate how small impacts can have widespread effects. The Ever Given container ship, which was stuck in the Suez Canal, showed how a simple disruption could have global effects and demonstrated what a single point of failure could mean.

Attackers have seen the benefits of these highly integrated supply chain systems: namely, that a single point of access can allow them to hold an entire organization hostage by disrupting operations and causing everything to grind to a halt. The only way to prevent this is to build a robust cybersecurity system that accounts for gaps that may have otherwise been overlooked.

A dual cyber threat for the supply chain

Companies face two distinct ways the supply chain can be disrupted:

Attacks on the supply chain target a specific supplier or company critical to the supply chain. They are designed to disrupt operations and delay the flow of goods to market. Much like a traffic jam, the impact restricts resources and delays delivery. If a business’s operations are attacked, the business becomes a transmissible weak link, causing a ripple effect across the entire supply chain.

Attacks through the supply chain occur when an attacker compromises a component that is then delivered, integrated and passed on to the next link. For example, a compromised chip is delivered to a company that uses it to manufacture a piece of equipment that it then delivers. While most companies inspect the component to ensure it works properly, they don’t always check for malware that may have been inserted along the way. Neglecting to check for cyber exposure means that a business is accepting all that risk and putting its company name on it.

In short, an attack through the supply chain is like replacing a relay race baton with a stick of dynamite and allowing cyber risk to be passed on from one company to another.

How to manage supply chain cyber risk

Supply chain cybersecurity management is complex, but there are some basic steps businesses can take to start managing risk.

View the supply chain through a cyber lens:

  • Cyber map the supply chain. Identify key suppliers, components and connections that comprise the supply chain. Don’t stop at the first level of suppliers; look at the suppliers of your suppliers. The better the picture a business has of its cyber dependencies, the more it can see the key vulnerabilities and risks in its operations.
  • Prioritize cyber risks. Rate the criticality of the components, connections and suppliers that impact the business’s supply chain to reveal where to invest resources.
  • Compare the supply chain resiliency plan to the cyber resiliency plan. Match cyber resiliency with overall supply chain resiliency. This might influence the suppliers and risk measures the business implements.
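The mapping and prioritizing steps above can be sketched as a small dependency graph. This is an added example, not part of the original article: the supplier names are constructed, and the scoring (how many of your direct suppliers rely on a given upstream supplier) is one simple criticality measure assumed here for illustration.

```python
from collections import defaultdict

# Constructed sample map: buyer -> its direct suppliers (all names hypothetical).
SUPPLIES = {
    "OurPlant": ["ControllerCo", "SensorCo", "LogisticsCo"],
    "ControllerCo": ["ChipFab", "FirmwareShop"],
    "SensorCo": ["ChipFab"],
    "LogisticsCo": [],
    "ChipFab": [],
    "FirmwareShop": [],
}

def upstream(buyer, supplies):
    """Return {supplier: tier} for every direct and indirect supplier of buyer."""
    tiers, frontier, tier = {}, [buyer], 0
    while frontier:
        tier += 1
        next_frontier = []
        for node in frontier:
            for supplier in supplies.get(node, []):
                # Skip already-seen suppliers so cyclic relationships terminate.
                if supplier not in tiers and supplier != buyer:
                    tiers[supplier] = tier
                    next_frontier.append(supplier)
        frontier = next_frontier
    return tiers

def rank_by_exposure(buyer, supplies):
    """Rank upstream suppliers by how many of buyer's direct suppliers rely on them.

    Returns (supplier, tier, affected direct suppliers) rows, most exposed first.
    """
    tiers = upstream(buyer, supplies)
    affected = defaultdict(set)
    for direct in supplies.get(buyer, []):
        affected[direct].add(direct)          # a direct supplier affects itself
        for supplier in upstream(direct, supplies):
            affected[supplier].add(direct)    # and so does everything above it
    rows = [(s, tiers[s], sorted(affected[s])) for s in tiers]
    return sorted(rows, key=lambda r: (-len(r[2]), r[1], r[0]))

if __name__ == "__main__":
    for supplier, tier, hit in rank_by_exposure("OurPlant", SUPPLIES):
        print(f"tier {tier}  {supplier:<13} affects {len(hit)}: {', '.join(hit)}")
```

In this constructed map the top-ranked supplier sits at the second tier: two direct suppliers share it, which a first-tier-only review would not show.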

Hold your suppliers accountable for cyber hygiene:

  • Know the sub-components. Most manufacturing companies do not know where the sub-components are made. Organizations must know the suppliers of their suppliers.
  • Cyber acceptance testing. Many companies do acceptance testing, yet almost none list cyber as a component. Organizations must ensure cybersecurity is added to acceptance testing of any component.
  • Write cyber into contracts. Cyber is usually a part of most contracts with suppliers. However, the language is often too vague and unenforceable to be useful. Contracts should reflect the ability to validate good cyber hygiene, promote collaboration before and after a potential incident and spell out cyber responsibilities.
  • Map and monitor connectivity. Take a good look at connections to suppliers. Too often there are legacy or unmonitored connections, which can have open or shared access. These are prime avenues for cyber attackers to access networks.
  • Practice together. Jointly build a monitoring and response plan with suppliers and then practice it.

Make sure you are not the weak link:

  • Cyber by design. Since cybersecurity starts in the design phase, organizations must account for cybersecurity at the design phase of manufacturing, operations and distribution processes.
  • Implement a clean build. Operations can introduce vulnerabilities into the supply chain. Organizations can combat these vulnerabilities by putting the people, processes and technologies in place to ensure operations are as low risk as possible.
  • Pay attention to delivery. Your organization is responsible for securing any gaps in the supply chain until the product is safely handed off. Delivery is a common weak point for most supply chains and everything from logistics to provenance needs to be considered in a cyber context.
  • Account for ongoing maintenance and end-of-life of products. Supply chains span a product lifecycle. Everything, from fraudulent replacement parts to protecting unsettled products, carries cyber risk.

It comes down to visibility and control

Cybersecurity comes down to visibility and control. Although production flows down a supply chain, risk management needs to flow up the supply chain. This means that every link in a supply chain needs to hold its suppliers accountable for cybersecurity and have insight into the risks of each and every one of their partners. Creating a robust framework for cybersecurity not only protects data, but it also protects your operations, other organizations in the supply chain and the bottom line.
