Reimagining supply chains to build long term resilience in a post-Covid world

By Richard Morgan, Country Manager, Genpact

The Covid-19 pandemic has disrupted all facets of supply chains. Whether in the retail, telco, or transport industries, both global and local supply chains have been severely tested, having to adapt to new demand patterns, supply constraints and logistical challenges.

This unprecedented disruption has only magnified the changes in consumer behaviour and the under-investment in supply chain tools, technology, and people that were already challenging organisations. As the risk landscape is set to become only more uncertain and complex, building resilient and more agile supply chains is crucial.

Learning the Covid-19 lessons

If Covid-19 has taught us anything, it is that a supply chain is only as strong as its weakest link.

Organisations must use the current disruption as an opportunity to conduct a full audit and assess how well their supply chain functions can respond to future disruptions. To build long-term resilience, companies must re-examine their old supply chain assumptions and evaluate the strength of their end-to-end supply chains. Businesses need to fine-tune demand planning, seek deeper visibility of material planning, test supply planning technologies and continuously evaluate logistics plans. Supply chains must move from being executors and a cost centre to a source of competitive advantage that unlocks operational margins and builds stability in an uncertain world.

Stabilising supply chains: a cross collaboration with risk management teams

To address the volatile nature of current, and likely future, supply chain operations, organisations should start by mobilising a dedicated crisis and risk management team that can advise supply chain teams.

Cross-collaboration with risk management experts can help build focused risk scenarios and assessments, as well as design new processes and frameworks for rapid replanning, demand forecasts, supplier engagement, and reporting and governance. Working side by side with risk management teams will also help supply chain teams prioritise issues for resolution.

Using technology and data-driven decisions to build long term resilience

In today’s connected world, making informed decisions is highly dependent on being able to analyse and make sense of data points collected throughout the supply chain. Implementing digital and data-driven technologies such as artificial intelligence (AI) is what will allow businesses to reimagine and future-proof their supply chains in an unstable world. The differing impact of Covid-19 across states, countries, and regions has created more hyper-local and time-sensitive demand patterns, making demand-sensing abilities more critical than ever. Therefore, all dimensions of demand-sensing data must improve in terms of accuracy, timeliness, completeness, reliability, and relevance. Demand-forecasting models must be fine-tuned to ingest these unique patterns and rapidly revise demand forecasts.

In addition, current conditions have highlighted the need for better visibility of the availability and capacity of suppliers and contract manufacturers across multiple tiers. Organisations should combine control-tower solutions, capacity data, and delivery-performance data to analyse and assess their cumulative risk across supplier tiers for parts, ingredients, and finished products. Understanding these risks will help organisations create a vertically integrated risk profile of finished products that enables proactive corrective actions such as finding alternate suppliers, minimising SKU proliferation, and simplifying input material design and production. Finally, as demand forecasting and deeper material planning continue to respond to new patterns, organisations should sweat their existing technology landscape to provide more robust analysis for allocating and distributing finished products. Modelling tools such as Kinaxis, E2open, OM Partners, and o9 can provide extensive allocation-scenario analysis and flag fulfilment risks, helping production plants and suppliers take corrective action.

Over the past few years, the guiding principle of cost efficiency has had a major impact on supply chain design. Higher risk tolerances have been accepted to reduce costs. The pandemic has highlighted this approach’s fragility, leaving no option but to look at other models to build long-term resilience. Closer collaboration with risk teams, together with better end-to-end management of data across complex supply chains, is what will reduce both cost and risk.

The IoT supply chain risk: Why everyone should pay attention to Ripple20 vulnerabilities

By Michael DeCesare, chief executive officer and president, Forescout.

We see IoT and connected devices all around us – there are billions of them, and they are hard to miss. I speak all the time about the cybersecurity challenges these devices pose, and advocate for organisations to protect themselves.

But sometimes the threat lies under the surface. The reality is that when you buy an IoT device, you are buying a lot of embedded components and you do not really know where those components come from. For a variety of reasons, most IoT devices do not run standard Windows operating systems. Instead, they use organically developed and various third-party sourced code libraries for essential functions such as network communication.

These code libraries pose just as much of a risk as the devices themselves, if not more so, because a user or company likely has no idea what lies under the hood. Forescout Research Labs has been working closely on the disclosure of vulnerabilities of this type that could potentially impact tens of millions of IoT and OT devices. Working in partnership with JSOF, who first discovered the Ripple20 vulnerabilities, our researchers have used the 12 million devices in our Device Cloud data lake to identify nearly 100 vendors that are potentially affected.

The Ripple20 vulnerabilities are in a software library and TCP/IP networking stack made by Treck. You probably haven’t heard of Treck, but the company has been around for 20+ years and its TCP/IP stack is used in many common devices, including industrial control systems, medical devices, VoIP phones, printers, etc. In total, JSOF estimates these vulnerabilities could affect tens of millions of IoT and OT devices.

Given the widespread nature of the findings, JSOF has been working closely with the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Homeland Security (DHS), national CERTs (Computer Emergency Response Teams), as well as Treck to ensure a proper disclosure and fix. It’s not super common for researchers who found a vulnerability to partner in this way with other security vendors during discovery and disclosure. This innovative approach was necessary because of the nature of the supply chain.

There is no public bill of materials for IoT and OT devices, meaning vendors do not have to disclose what parts make up their devices. In many cases the code library has spread through the supply chain in embedded, rebranded and repackaged components. Sometimes the vendors themselves do not even know what is running inside the devices. All these factors can make identifying devices that could be compromised exceedingly difficult for any one company or even government organisations.

To identify potentially vulnerable devices and manufacturers, Forescout researchers used network traffic signatures and TCP/IP fingerprints provided by JSOF to analyse the 12 million devices in our large data lake, the Forescout Device Cloud. Some of the more prevalent devices Forescout identified that are vulnerable to Ripple20 include medical infusion pumps, a UPS frequently used in data centres, and printers (which can be found in nearly every enterprise). Nearly a dozen vendors in total have already been confirmed, including HP and Intel, though together with JSOF we have identified nearly 100 more that could also potentially be affected.

The bigger picture here is that these are just some of the risks living under the surface of the billions of IoT and OT devices permeating our enterprise networks today, risks we are finding out more and more about through disclosures like this one. While there’s been a growing amount of focus on securing IoT devices overall, we also need to ensure we are securing every piece of the device’s supply chain.

Fixing these vulnerabilities presents its own set of challenges, even once they have been identified on the network. Some already have patches available. But there are also complicating factors. With these types of supply chain vulnerabilities and embedded components, the vendor that is creating the patch is not necessarily the one that will release it. That can delay the issuance of a patch. There are also no guarantees that the device vendor is still in business, or that they still support the device. The complex nature of the supply chain may also mean the device is not patchable at all, even if it needs to remain on the network. In such cases, mitigating controls such as segmentation will be needed to limit its risk.

This is a real challenge. To help, we are releasing detection and mitigation templates for our products to specifically identify and protect devices using Treck. That way security teams can find and inventory devices that could be impacted and take appropriate mitigation actions, such as segmentation and containment, to limit their risk. These protection templates are available today to all Forescout customers.
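An added example (not Forescout's or JSOF's code) of the workflow the article describes: passive TCP/IP fingerprints identify which devices appear to run a given stack, and each hit is joined with the asset inventory so it gets a patch or segmentation action depending on whether a patch exists and whether the device vendor still supports it. The signature values, addresses and inventory entries are constructed placeholders, not the real Treck fingerprint.

```python
from dataclasses import dataclass

# CONSTRUCTED signatures: stack name -> (initial TTL, SYN window, TCP option order).
# Placeholder values for illustration only, not the real Treck fingerprint.
SIGNATURES = {
    "embedded-stack-A": (64, 8192, ("mss", "nop", "wscale")),
}
# CONSTRUCTED asset inventory: ip -> (role, vendor still supports device, patch available)
INVENTORY = {
    "10.0.1.10": ("infusion pump", True, False),
    "10.0.1.20": ("printer", True, True),
    "10.0.1.30": ("UPS", False, False),
}

@dataclass(frozen=True)
class SynObservation:
    ip: str
    ttl: int          # TTL as seen on the wire, already decremented by each hop
    window: int
    options: tuple

def initial_ttl(observed: int) -> int:
    """Map an observed TTL back to the nearest common initial value."""
    return next(base for base in (32, 64, 128, 255) if observed <= base)

def fingerprint(obs: SynObservation):
    """Return the matching stack name, or None if no signature matches."""
    key = (initial_ttl(obs.ttl), obs.window, obs.options)
    return next((name for name, sig in SIGNATURES.items() if sig == key), None)

def triage(observations, inventory, affected_stack):
    """Map each device running the affected stack to a mitigation action."""
    actions = {}
    for obs in observations:
        if fingerprint(obs) == affected_stack:
            role, supported, patched = inventory.get(obs.ip, ("unknown", False, False))
            if patched:
                actions[obs.ip] = (role, "apply vendor patch")
            elif supported:
                actions[obs.ip] = (role, "segment now, patch when the device vendor ships it")
            else:
                actions[obs.ip] = (role, "segment and contain (no patch will come)")
    return actions

# Constructed SYN observations captured three hops from the devices (TTL 64 -> 61).
OBSERVATIONS = [
    SynObservation("10.0.1.10", 61, 8192, ("mss", "nop", "wscale")),
    SynObservation("10.0.1.20", 61, 8192, ("mss", "nop", "wscale")),
    SynObservation("10.0.1.30", 61, 8192, ("mss", "nop", "wscale")),
]
```

Calling `triage(OBSERVATIONS, INVENTORY, "embedded-stack-A")` yields one action per matched device; unmatched stacks are left out of the result so they do not inflate the remediation list.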

supply chain vulnerabilities discovered as IoT and OT devices become more widespread. While the embedded systems that underlie them are not new, we are just beginning to open our eyes as a security industry to the risk they pose. Let us all make sure we are paying attention.