Best Practices in Safeguarding Supply Chains

We can't rely on "security through obscurity" – proactive measures such as risk analysis, strict data classification standards, and comprehensive vendor security reviews are essential to cyber resilience.


In today’s hyper-connected, digital world, the threat of cyber-attacks on supply chains and automated environments is more serious than ever before.

In a modern warehouse, all the operations platforms – technologies such as Automated Storage Systems, Autonomous Mobile Robots, packing machines and Goods to Person systems – are digitalized and connected, which multiplies the potential access points and widens the attack surface for incursions and exploitable vulnerabilities. Supply chain leaders are shifting their thinking to deal with the developing threat, prioritizing the safety of technology systems alongside the physical safety of staff.

Late last year, operations at the Australian container terminals of a major international port operator in Melbourne, Sydney, Brisbane and Perth were disrupted after a breach was detected, limiting access to several ports across Australia. The attack prompted the Australian government to hold a crisis meeting to coordinate a response and deal with any ongoing disruption to Australia’s supply chains. Cyber-attacks aren’t reserved for large-scale organizations either; smaller businesses with less robust cybersecurity measures are often the targets of cybercrime. There are two types of companies: those that have been compromised and know it, and those that remain unaware they've been breached or are susceptible to a breach at any time. Complacency is no longer an option.

Australian supply chains are squarely in the crosshairs as cyber criminals target converged IT and OT networks. Historically, operational technology such as robotics and control systems was "obscured" from cyber threats by being isolated from corporate IT networks, but that separation no longer exists in the era of Industry 4.0 and the modern digital supply chain.

Now that everything is connected and generating reams of data, cyber criminals have expanded attack surfaces to exploit. We've seen countless real-world demonstrations of this, from hackers taking control of an automobile's entertainment system to malicious code sabotaging industrial control systems.

Robust cybersecurity practices that enterprises take for granted on IT networks must be urgently extended to supply chain OT. We can't rely on "security through obscurity" – proactive measures such as risk analysis, strict data classification standards, and comprehensive vendor security reviews are essential to cyber resilience.

Implementing such measures can be intimidating for an organization new to cybersecurity, which is why organizations will increasingly turn to experts who carry the battle scars and understand the common vulnerabilities.

Creating a Cyber-Safe Culture

Developing a truly cyber-secure culture requires ongoing awareness efforts that span an organization’s entire ecosystem, from the C-suite to the warehouse floor to vendor partners. A classic initiative to assess cybersecurity is to conduct simulated phishing tests, where employees are sent fabricated emails to see who falls for the bait. The results may surprise, with senior leadership often the most susceptible to these social engineering attacks. From cyber tests such as this, it’s important to foster an environment of understanding and learning – if staff feel engaged in an overall mission, they are far more likely to buy into safe and secure practices.

But cyber training can't just target the usual office staff. With more front-line workers utilizing networked scanners, rugged handhelds and connected machinery like forklifts, awareness modules must be tailored for comprehension across all roles. Vendors need to be checked too: their access should face the same security scrutiny as full-time employees' during vendor risk assessments.

Once systems are deployed, continuous monitoring for vulnerabilities becomes exponentially harder in OT environments compared to traditional IT networks. With disparate embedded OS versions and proprietary tools, it requires close coordination with suppliers to properly secure and control access as assets age. If a robot is decommissioned, did you revoke its credentials?
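The two questions above (does a vendor's access still match its contract, and was a decommissioned robot's credential actually revoked) are answerable mechanically if the asset inventory, the vendor contract register and the identity store are reconciled on a schedule. The following is an added example, not code from the article or from any particular warehouse-management or IAM product; the record layouts, field names, asset identifiers and vendor names are constructed for illustration, and the 90-day idle threshold is an assumed policy value.

```python
"""Reconcile an OT asset inventory and vendor contracts against enabled credentials.

Added example with constructed data; the data shapes below are assumptions,
not the schema of any real inventory or identity product.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Credential:
    principal: str                   # account, certificate or API key identifier
    enabled: bool
    last_used: Optional[date]        # None means never used
    asset_id: Optional[str] = None   # set for machine identities bound to one asset
    vendor: Optional[str] = None     # set for third-party maintenance accounts


# Constructed sample inventory: asset id -> kind and lifecycle status.
INVENTORY = {
    "AMR-0042": {"kind": "autonomous mobile robot", "status": "active"},
    "AMR-0017": {"kind": "autonomous mobile robot", "status": "decommissioned"},
    "ASRS-CRANE-3": {"kind": "automated storage crane", "status": "active"},
}

# Constructed vendor register: vendor -> contract end date.
VENDOR_CONTRACTS = {
    "RoboMaint Pty": date(2024, 12, 31),
    "CraneCare Ltd": date(2023, 6, 30),
}

# Constructed export from the identity store.
CREDENTIALS = [
    Credential("amr-0042-svc", True, date(2024, 3, 1), asset_id="AMR-0042"),
    Credential("amr-0017-svc", True, date(2023, 9, 12), asset_id="AMR-0017"),
    Credential("amr-0099-svc", True, date(2024, 2, 20), asset_id="AMR-0099"),
    Credential("robomaint-remote", True, date(2024, 2, 28), vendor="RoboMaint Pty"),
    Credential("cranecare-remote", True, date(2023, 5, 2), vendor="CraneCare Ltd"),
    Credential("asrs-crane-3-svc", True, date(2023, 10, 1), asset_id="ASRS-CRANE-3"),
    Credential("old-integrator", False, None, vendor="CraneCare Ltd"),
]

TODAY = date(2024, 3, 15)  # fixed review date so the example is reproducible


def review_access(credentials, inventory, contracts, today, max_idle_days=90):
    """Return (principal, reason) pairs for enabled credentials that should be revoked or reviewed.

    Checks, in order: machine identities whose asset is missing from or no longer
    active in the inventory, vendor accounts with no or an expired contract, and
    anything else that has sat idle longer than max_idle_days.
    """
    findings = []
    idle_cutoff = today - timedelta(days=max_idle_days)
    for cred in credentials:
        if not cred.enabled:
            continue  # already revoked; nothing to do
        if cred.asset_id is not None:
            asset = inventory.get(cred.asset_id)
            if asset is None:
                findings.append((cred.principal, "bound to asset missing from inventory"))
                continue
            if asset["status"] != "active":
                findings.append((cred.principal, f"asset {cred.asset_id} is {asset['status']}"))
                continue
        if cred.vendor is not None:
            end = contracts.get(cred.vendor)
            if end is None:
                findings.append((cred.principal, f"no contract on file for vendor {cred.vendor}"))
                continue
            if end < today:
                findings.append((cred.principal, f"contract with {cred.vendor} ended {end}"))
                continue
        if cred.last_used is None or cred.last_used < idle_cutoff:
            findings.append((cred.principal, f"unused for more than {max_idle_days} days"))
    return findings


def run_review():
    """Run the reconciliation over the constructed sample data."""
    return review_access(CREDENTIALS, INVENTORY, VENDOR_CONTRACTS, TODAY)


if __name__ == "__main__":
    for principal, reason in run_review():
        print(f"{principal}: {reason}")
```

On the sample data this flags the decommissioned robot's still-enabled service account, a credential bound to an asset nobody has in the inventory, a vendor remote-access account whose contract ended months ago, and an active crane's account that has not been used within the idle window. The ordering of the checks matters: an expired contract or decommissioned asset is a revoke-now finding regardless of recent use, so it is reported before the idle check rather than being masked by it.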

Fostering a cyber safe culture is an endless endeavor as the real and digital worlds converge. By treating connected OT with the same processes and rigor as corporate IT systems, organizations can open the door for a much more resilient environment.

Creating a Contingency Plan

Just as businesses have continuity plans for fires, natural disasters and other physical crises, they must also map out response procedures for cyber-attacks that cripple automated systems. Organizations have been slow to react to the threat, with many companies lacking a robust contingency plan for scenarios where their warehouse robotics, autonomous vehicles and other cyber-physical automation get compromised.

In the old model of human-operated warehouses and supply chains, businesses could build in redundancy capacity to absorb a percentage of worker outages. But if robots are forced offline, organizations need to carefully model their ability to maintain service level agreements and customer commitments during an OT system outage or breach.

Worst-case recovery time objectives need to be identified as well as manual auxiliary processes to keep operations running at a degraded state until systems can be restored. Cross-functional experts should game out different cyber incident scenarios and blueprint detailed response playbooks - just as they would for other disaster scenarios, such as pandemics.

With high-profile cyber-attacks happening more and more, business leaders should have no shortage of case studies highlighting the devastation cyber threats can inflict on operations. The takeaway shouldn't be celebrating a competitor's misfortune, but realizing you narrowly missed being the next victim and using it as a wake-up call to get your cybersecurity house in order.
