COVER STORY

SHIELDING The Supply Chains from Cyber Threats

Supply chain attacks are particularly pernicious because a single exploited supplier can result in attacks on hundreds of companies or organizations. For many firms, the supply chain is the weak link in their cybersecurity protocols. You can do all the right things to protect yourself from cybersecurity attacks, including adopting a zero-trust approach to your network security, but if you don’t make sure your vendors are equally conscientious, you remain exposed to harm from a supply chain attack. Anil Kumar Pandey, PhD Candidate (Finance & Economics), National Institute of Industrial Engineering (NITIE), gives you a sneak peek into the ways to shield vulnerable supply chains from the threat of cyberattacks.


Anil Kumar Pandey is a final-year PhD student at the National Institute of Industrial Engineering, Mumbai. He works in Supply Chain Finance and Working Capital Finance. Prior to this, he obtained an MBA from Aligarh Muslim University (Supply Chain Management & Operations/Finance). He also holds a B. Tech in Electronics & Instrumentation/Control Engineering.

HERE’S an astonishing statistic for you… “97% of firms have been negatively impacted by a cybersecurity breach or threat that looms over global supply chains, and such threats have gained traction and frequency in their supply chain.” In conjunction with this, GreatHorn, a leading global security company, stated, “It’s no longer enough to defend only your own organization’s attack surface. You also need to protect against phishing scams and network compromises within business partners up and down the supply chain.”

A 2020 Global Insights Report survey not only explores the scale of the challenge but also shows that the number and severity of supply chain breaches is mind-boggling. It also tracks the way that different companies, industries, and regions are responding to a year of cyber crisis. The responses show a fractured landscape, with different industries and regions responding differently to the challenges posed by another year of damaging, costly cyber events. Firms across all industries and across the globe have been investing heavily in cybersecurity. However, some firms still hesitate to make third-party cyber risk a strategic priority and to coordinate and formalize their approach to cyber defense and remediation. Additionally, many firms struggle to assign ownership of their third-party cyber risk program. Meanwhile, adversaries can now actively scan firms across the globe to identify supply chain attack vectors that feed directly into damaging cybersecurity events, including data exfiltration and crippling ransomware attacks. Firms need to commit more to incorporating continuous monitoring and remediation into their third-party cyber risk program, as well as raising awareness at the senior executive and board level so that the business understands the resources needed to protect itself.

ENISA, the European Union Agency for Cybersecurity, monitors supply chain attacks on a day-to-day basis. It has further developed a taxonomy of supply chain attacks that allows for their systematic analysis. The taxonomy is based on the four fundamental elements of a supply chain attack:

- Attack technique used to compromise the supplier
- Supplier assets targeted
- Attack technique used to compromise the customer
- Customer assets targeted

What is particularly interesting about this taxonomy is where it begins: while most focus – and certainly most news stories – about supply chain attacks is on how, which and how many victims are attacked, there is little discussion about the starting point. That is, the fact that a successful attack on the supplier is what sets the full chain in motion.

Supply chains are compromised with the same techniques used in direct attacks: malware, brute force attacks, social engineering, exploiting software vulnerabilities, etc. The ultimate targets can be anything that would be targeted in a direct attack: ransom, extortion, theft of personal data or trade secrets, espionage. The recent attacks on SolarWinds and Accellion are among the highest-profile supply chain attacks.

A 2020 Global Insights Report stated that managing third-party vendor cyber risk is fast becoming the defining cybersecurity challenge of our time. The cybersecurity landscape in 2021 has proven that statement. Third-party cyber-attacks have affected multiple industries in waves: Accellion, SolarWinds, Kaseya. In some cases, a single breach in one vendor network or program affected tens of thousands of companies. Accelerated by the worldwide rise of ransomware activity, cyber-attacks on third-party vendors led to intrusions into major banks, defense companies, utilities, healthcare systems, and governments. SolarWinds is estimated to have cost more than $100 billion in losses. Third-party cyber risk management has been proven to be a necessary component of an overall risk management program. The question remains as to how companies and the industries in which they operate respond to the challenge of ensuring that their supply chain is secure. The solution is complex, but achievable. Vendor supply chains are often interlinked, resulting in overlap and complicated dependencies. They are multi-layered, meaning that sensitive information might be stored or processed by third- and even fourth-party providers. Simply gaining visibility into the supply chain can be difficult and costly, even before attempting to secure it.

With recent breaches, companies are now starting to understand that their supply chains have become their weakest link. To address this problem, companies should apply the same security methodologies they use to protect their own infrastructure. There are some limitations, but it is still possible. The first step is to gain visibility: for example, map all the assets that suppliers use within the company and/or have access to, whether in a secured or unsecured manner. The second step is to introduce or improve controls. Most companies already have some controls in place around the assets that involve the supply chain; the company should improve those controls to address access by a higher-risk external entity (the supplier), or introduce new controls around those assets if none exist. The last step is incident response. Companies should realize by now that security incidents will eventually happen, and they must include steps and workflows within their incident response process that involve their supply chain. For example, what happens if the source of the leak is the supplier? What should we do if the compromised asset belongs to the supplier?

THE ENHANCED VULNERABILITIES

When I look for key areas where information security may be lacking, one place I always come back to is the supply chain. Businesses are increasingly concerned about managing major supply chain disruptions, and rightfully so. Supply chains are a vital component of every organization's global business operation and the backbone of today's global economy. However, security chiefs everywhere are concerned about how open they are to an abundance of risk factors. A range of valuable and sensitive information is often shared with suppliers and, when that information is shared, direct control is lost. This leads to an increased risk of its confidentiality, integrity or availability being compromised.

Security is only as strong as its weakest link. Despite organizations' best efforts to secure intellectual property and other sensitive information, limited progress has been made in effectively managing information risk in the supply chain. Too often, data breaches trace back to compromised vendor credentials used to access the retailer's internal networks and supply chain. Mapping the flow of information and keeping an eye on key access points will unquestionably remain crucial to building a more resilient information system.

Organizations need to think about the consequences of a supplier providing accidental, but harmful, access to their corporate data. Information shared in the supply chain can include intellectual property, customer-to-employee data, commercial plans or negotiations and logistics. Caution should not be confined to manufacturing or distribution partners. It should also embrace professional services suppliers, all of whom share access, often to your most valuable assets.

To address information risk in the supply chain, organizations should adopt strong, scalable, and repeatable processes – obtaining assurance proportionate to the risk faced. Supply chain information risk management should be embedded within existing procurement and vendor management processes.

The time to make supply chain security enhancements a priority is now. A well-structured supply chain information risk assessment approach can provide a detailed, step-by-step method for breaking an otherwise daunting project into manageable components. This method should be information-driven and not supplier-centric, so that it is scalable and repeatable across the enterprise.

PROTECTING AGAINST SUPPLY CHAIN ATTACKS

Supply chain attacks have been notoriously hard for end-victims to defend against, since these attacks generally originate with a presumably trusted vendor firm. Since almost all firms depend on vendors that leverage global electronic supply chains, it is important to perform cybersecurity due diligence on vendors, and then to monitor them to be sure they continue to follow good cybersecurity procedures and practices. Accellion and SolarWinds have both been sued for negligence around their security practices in the global supply chain.

This represents an organizational challenge at the firm level: IT staff are often hard-pressed for time to manage internal requirements, much less to check up on external providers. In addition, IT is seldom involved in vetting and approving vendors. To reduce supply chain risk, best practices for customers call for identifying critical vendors and verifying their security practices. “Critical vendors” are those that either provide critical services to the corporation, or who have access to sensitive corporate information.

All critical vendors should be subject to a cybersecurity review as part of the company’s vendor management program. Since site visits may not be practical, you can look for independent audits that have been conducted to verify the vendor complies with cybersecurity best practices, including adoption of zero trust capabilities.

Particular attention should be paid to how vendors defend their endpoints against web-based malware and phishing, since these delivery channels are involved in most attacks. For instance, remote browser isolation might have stopped the SolarWinds attack before it began, if the original breach was carried out through social engineering. Likewise, microsegmentation might have halted a brute force attack before the malware reached the Orion monitoring platform.

Finally, adopting a Zero Trust approach, which operates on the assumption that breaches will occur, may help limit damage to your own network and data in the event that one of your vendors is compromised. For example, implementing least privilege access can minimize damage that occurs in the event of a breach by restricting what the vendor can access.
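As an added illustration of the visibility and controls steps described earlier and of the least-privilege point above, here is a small Python review script. It is not part of this article or of any vendor product: the vendor names, accounts, assets, contract scopes and last-used dates are constructed sample data. The script builds an inventory of what each supplier can reach, then flags grants that fall outside the contracted scope, carry more permissions than the contract allows, or have gone unused long enough to be revoked.

```python
"""Vendor access review: inventory what each supplier can reach, then flag
access that exceeds the contracted scope or has gone stale (least privilege).
Constructed sample data throughout; not taken from any real contract or IAM system."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class VendorGrant:
    vendor: str
    account: str          # the account the supplier logs in with
    asset: str            # internal system that account can reach
    permissions: frozenset  # e.g. {"read", "write", "admin"}
    last_used: date


# Contracted scope per vendor: assets they may touch and the maximum permission set.
CONTRACTS = {
    "acme-logistics": {"wms-api": {"read", "write"}, "sftp-orders": {"read"}},
    "northwind-billing": {"erp-invoices": {"read"}},
}

# What is actually granted today (constructed). Three of the four grants drift from the contract.
GRANTS = [
    VendorGrant("acme-logistics", "svc-acme-01", "wms-api", frozenset({"read", "write"}), date(2021, 11, 2)),
    VendorGrant("acme-logistics", "svc-acme-02", "sftp-orders", frozenset({"read", "write"}), date(2021, 10, 28)),
    VendorGrant("acme-logistics", "svc-acme-03", "hr-portal", frozenset({"read"}), date(2021, 6, 1)),
    VendorGrant("northwind-billing", "svc-nw-01", "erp-invoices", frozenset({"read", "admin"}), date(2021, 11, 5)),
]

REVIEW_DATE = date(2021, 11, 15)   # "today" for the review; fixed so the run is reproducible
STALE_AFTER = timedelta(days=90)   # access unused this long is a candidate for revocation


def review_vendor_access(grants, contracts, today, stale_after=STALE_AFTER):
    """Return (inventory, findings).

    inventory: vendor -> sorted list of assets the vendor can reach (the visibility step).
    findings:  list of (vendor, account, asset, issue) tuples (the controls step).
    """
    inventory = {}
    findings = []
    for g in grants:
        inventory.setdefault(g.vendor, set()).add(g.asset)
        allowed = contracts.get(g.vendor, {})
        if g.asset not in allowed:
            findings.append((g.vendor, g.account, g.asset, "asset outside contracted scope"))
        else:
            excess = g.permissions - allowed[g.asset]
            if excess:
                findings.append((g.vendor, g.account, g.asset,
                                 "excess permissions: " + ",".join(sorted(excess))))
        idle = today - g.last_used
        if idle > stale_after:
            findings.append((g.vendor, g.account, g.asset, "unused for %d days" % idle.days))
    return {v: sorted(a) for v, a in inventory.items()}, findings


if __name__ == "__main__":
    inventory, findings = review_vendor_access(GRANTS, CONTRACTS, REVIEW_DATE)
    for vendor, assets in inventory.items():
        print(f"{vendor}: reaches {', '.join(assets)}")
    for vendor, account, asset, issue in findings:
        print(f"FINDING {vendor}/{account} on {asset}: {issue}")
```

In a real program the grants would come from the identity provider or access logs and the contracts from procurement records; the point of the script is that once both are in one place, the comparison that enforces least privilege is mechanical and can be rerun on every review cycle.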

The National Cyber Security Centre (NCSC) has also reported that it defended the UK from a record number of cyber-attacks in the last year, including those targeted at Covid-19 vaccine research, distribution, and supply chains. The agency, which is part of GCHQ, released its annual report showing that it dealt with an unprecedented 777 incidents over the last 12 months – up from 723 the previous year – with around 20% of the organizations it supported linked to the health sector and vaccines. The health sector, and in particular the vaccine rollout, was a major focus for the NCSC, as it was forced to tackle threats levied against the NHS, healthcare, and vaccine supplier IT systems from malicious domains billions of times. Over the past 12 months, the NCSC also responded to a rise in ransomware attacks. A range of services have been provided to businesses over the past year to help protect them from ransomware, including the Early Warning Service alerting organizations to emerging threats and cybersecurity advice for those working in education.

Threat prevention is itself a constantly evolving industry, with a wide range of new security, protection, and detection solutions. The challenge is to identify the set of products that can function well together across prevention, detection, and response. Threat detection service providers help identify better-fit solutions for the supply chain, to make sure that not only the firm itself but also its supply chain ‘members’ are following best practices in cyber security.

Last year, cyber criminals took advantage of the surge in home working and people moving to online services due to the pandemic. The City of London Police reported that the first month of lockdown saw a 72% surge in financial losses from cybercrime. There have also been several significant global incidents revolving around supply chain attacks in the recent past, including the attack on the SolarWinds IT management platform by Russia’s Foreign Intelligence Service – one of the most serious cyber intrusions of recent times – and a major ransomware attack on the American software company Kaseya. To shield against attacks of this kind, businesses should utilize technologies such as biometrics to improve their identity management processes.

RECOMMENDATIONS

Gaining visibility into the supply chain

Supply chain ecosystems are large, multilayered, and complex. Getting complete visibility into the supply chain is hard. It is necessary, however, to fully understand third-party vendors beyond the first tier or the most critical suppliers. Companies should drive supplier risk-reduction activity by building constructive support for suppliers into their third-party cyber risk management program. They should alert the vendor when new risks emerge and provide practical steps for them to follow to solve the problem. Until third-party cyber risk is a clearly defined mandate at the executive level, it is difficult to effectively coordinate resources and define clear strategies. Companies must integrate continuous supply chain monitoring with appropriate reporting to the board and senior executives.

Too many cyber-attacks in 2021 occurred after patches were released, after vulnerabilities were disclosed, or after vendor monitoring systems would have revealed suspicious activity. Auditing or assessing the supply chain every few weeks or months is not sufficient to stay ahead of agile, persistent attackers. Continuous monitoring and quick action against newly discovered critical vulnerabilities need to become the sine qua non of effective third-party cyber risk management. Automate analysis; expand assessment to include the ‘long tail’ of vendors and not just a limited number of critical suppliers; identify areas of non-substitutability or where risk is pooled.

Improving cybersecurity education and training for vendors

For years, employee education programs have demonstrated outsized impact on organizational cybersecurity. The same is true for vendor education. Too often, vendors are unaware of their cyber risk, and so do not implement appropriate asset management, cybersecurity training, or cybersecurity protocols.

These are a few steps firms should take to secure their global supply chains against cyberattacks and data breaches:

- Firms should consider defining reasonable levels of security and associated controls, requiring subcontractors, vendors, and critical supply chain partners to meet or exceed those standards as terms and conditions of established business agreements.
- Companies should consider adding vendor-identifiable information to any existing cyber threat intelligence activities to identify instances of emerging threats or active attacks. Threat actors may compromise a lesser-defended vendor network identified as having access to the principal enterprise network. Awareness of these activities would allow the parent company to initiate countermeasures before the threat actor can move laterally onto their network.

Cybersecurity, much like life, requires collaboration.
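The recommendation to fold vendor-identifiable information into threat intelligence, shown as an added Python example that is not part of this article. The vendor register (domains, address ranges, whether the vendor holds access into the principal network) and the CSV feed lines are constructed; real feeds and registers would be substituted. The matcher recognises exact and subdomain matches on vendor domains and CIDR membership for IP indicators, and raises the severity when the matched vendor has network access into the enterprise, which is exactly the lateral-movement path the paragraph above warns about.

```python
"""Match a threat-intelligence feed against vendor-identifiable information so that
indicators pointing at a supplier raise an alert sized to the supplier's access.
All vendor names, domains, addresses and feed rows are constructed sample data."""
import csv
import io
import ipaddress

# Constructed vendor register. "network_access" records whether the supplier holds
# credentials or a link into the principal enterprise network.
VENDORS = {
    "acme-logistics": {
        "domains": ["acme-logistics.example"],
        "nets": ["203.0.113.0/24"],
        "network_access": True,
    },
    "northwind-billing": {
        "domains": ["northwind-billing.example"],
        "nets": ["198.51.100.0/25"],
        "network_access": False,
    },
}

# Constructed feed excerpt in CSV form. The typosquat row and the out-of-range IP
# deliberately do not match, to show the boundary of what this matcher covers.
FEED = """\
first_seen,type,indicator,category,confidence
2021-11-10,domain,vpn.acme-logistics.example,credential-phishing,high
2021-11-11,ip,203.0.113.77,c2-beacon,medium
2021-11-11,domain,acme-logistics-login.example,typosquat,high
2021-11-12,ip,198.51.100.200,scanner,low
2021-11-12,domain,northwind-billing.example,compromised-host,high
"""


def vendor_for_indicator(ind_type, indicator, vendors=VENDORS):
    """Return the vendor name an indicator belongs to, or None.

    Domains match exactly or as a subdomain of a registered vendor domain; look-alike
    (typosquat) domains are intentionally not matched here and need a separate check.
    IPs match when they fall inside a registered vendor network.
    """
    if ind_type == "domain":
        host = indicator.lower().rstrip(".")
        for name, v in vendors.items():
            if any(host == d or host.endswith("." + d) for d in v["domains"]):
                return name
    elif ind_type == "ip":
        addr = ipaddress.ip_address(indicator)
        for name, v in vendors.items():
            if any(addr in ipaddress.ip_network(n) for n in v["nets"]):
                return name
    return None


def severity_for(vendor_entry, confidence):
    """Escalate when the supplier can reach our network and the intel is confident."""
    if vendor_entry["network_access"] and confidence == "high":
        return "critical"
    if vendor_entry["network_access"] or confidence == "high":
        return "high"
    return "medium"


def match_feed(feed_text, vendors=VENDORS):
    """Return a list of alert dicts for every feed row that maps to a known vendor."""
    alerts = []
    for row in csv.DictReader(io.StringIO(feed_text)):
        vendor = vendor_for_indicator(row["type"], row["indicator"], vendors)
        if vendor is None:
            continue
        alerts.append({
            "vendor": vendor,
            "indicator": row["indicator"],
            "category": row["category"],
            "severity": severity_for(vendors[vendor], row["confidence"]),
            "first_seen": row["first_seen"],
        })
    return alerts


if __name__ == "__main__":
    for a in match_feed(FEED):
        print(f"[{a['severity'].upper()}] {a['first_seen']} {a['vendor']}: "
              f"{a['indicator']} ({a['category']})")
```

Two of the five feed rows are left unmatched on purpose: the look-alike domain is not a vendor asset even though it targets the vendor's name, and the IP falls just outside the registered /25. Both are reminders that the vendor register has to be accurate and that impersonation of a vendor is a separate detection problem from compromise of the vendor.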

When dealing with your supply chain in a B2B relationship, you are able to be more prescriptive about how you interact with members of your supply chain and what security measures you expect them to maintain. When working with a supply chain vendor's organization, assess the vendor's cybersecurity risk for sharing data, interfacing networks/systems and establishing access to networks/systems. Areas that should be looked at include:

- Conducting vendor risk assessments: To mitigate vendor-related risks, organizations should conduct a thorough, annual vendor risk assessment and perform the necessary due diligence with third-party relationships. Due diligence can help you identify what the vendor might require in terms of controls and monitoring.
- Defining data ownership/stewardship requirements: Who maintains ownership of data being shared, and what is acceptable use of that data?
- Defining regulatory compliance requirements: Are there regulatory requirements that need to be met and maintained by both parties? Be able to monitor compliance.
- Maintaining incident response plans: Both parties need to have a plan to notify the other if their network, systems, or data have been compromised or a compromise is suspected.
- Information and communication: Written communication plans that address what information is distributed to whom are highly recommended. Third parties involved with your organization's IT security should be considered part of this communication plan, and your organization should be part of theirs, as data breaches on their end could affect your data.

Propelling the Indian Supply Chain

The exuberant atmosphere at the recently concluded 2nd Annual Warehousing & Logistics Excellence Awards 2021 hosted by Quantic India was quite palpable with it being one of the very first events conducted offline. Meeting the fellow supply chain members and exchanging dialogues, this event set the pace of opportunistic horizons waiting to be harnessed.

QUANTIC India’s 2nd Annual Warehouse & Logistics Excellence Awards 2021 proved to be a successful gathering of supply chain leaders, which offered an ideal platform for companies from the manufacturing, e-commerce, retail, FMCG, pharma & automotive sectors to demonstrate their thought leadership on their outstanding supply chain & manufacturing performance throughout the pandemic. It brought all stakeholders together under one roof and provided the ideal Business to Business (B2B) and Business to Government (B2G) platform for companies and industry leaders to present new warehouse and logistics related technologies and services directly to the investors and decision makers driving the growth of Indian trade competitiveness amidst the pandemic.

The event started with an intriguing panel discussion on ‘Business-driven Warehousing & Plant Strategies – Integrating Infrastructure, Logistics, Manufacturing and Technology’. With Chandrashekar N, GM - Integrated Supply Chain and Commercial, Gencrest Bio Products; Prashant Kanhed, Head Warehousing & Logistics, Hindalco; and Amit Arora, GM – Manufacturing & Supply Chain, ACC Ltd., among the august panelists, the discussion revolved around embracing digital transformation – the shift from a leaner sequence to a digital supply chain; bringing the data together; SCM 4.0; making warehouses & plants great; and the future direction of warehousing in India. During the discussion, Amit Arora highlighted, “‘In adversity lies the biggest opportunity’ and this is what we as supply chain players need to leverage on.” According to Ronit Verma, National Logistics Manager, Red Bull India, “The post-Covid world has necessitated variabilities in the warehousing space and the developers need to create exceptional benchmarks in developing Grade A warehouses in the country as we move ahead.” Akash Singhai, MD, Dura Floor, raised a very pertinent point that companies often miss out on the importance of the right flooring. He emphasized the need to spend considerable time in deciding on the right flooring.

The second panel, on future challenges for SCM, threw light on important aspects such as managing in the VUCA world; structuring a resilient & efficient supply chain architecture; solving the logistics puzzle; and equipping people with the right intelligence to harness digital tools. Another panel discussion delivered key insights on ‘what to expect from the future supply chain leader’. This talk revolved around shifting leadership mindsets from reactivity to proactivity; powering operational excellence through integrated planning & execution; and aligning SCM strategies with business strategies in the current scenario.

Engaging panel discussion underway during the event

THE MAGNIFICENT AWARDS SAGA

In between such an engaging affair, the Quantic team awarded accolades to the deserving companies and individuals who have shown resilience and achieved breakthroughs in their respective fields. These awards bolstered their confidence and inspired fellow professionals to follow suit. Winners took away the crowning glory in categories such as Warehousing & Logistics Excellence; Manufacturing & Operations Excellence; and Supply Chain & Procurement Excellence.

With the promise to be bigger and better than its previous editions and offering a much needed platform to SCM leaders, this event successfully carried forward the baton of aspirations, exceptional benchmarks and intriguing insights.
