Supply chain cybersecurity risks continue to rise as global trade and goods transportation become integral to the modern economy.
Supply chain and logistics are all set to remain among the most
critical industries in 2021 because of COVID-19. Vaccine and other medical suppliers are working on war footing to transport life-saving drugs to every nook and corner of the world. Many countries also need robust transport systems to take other essential items and food locally and globally.
This unprecedented rise in the importance of supply chains makes them a high-risk target for all kinds of attacks. There are already reports of vaccines stolen, medical supplies lost, and perhaps most importantly, cyberattacks to steal healthcare research and even extort money through ransomware. In 2020,
Interpol had warned global law enforcement agencies of a rise in organized online and offline crime targeting COVID-19 vaccines
This article explores why cybersecurity is a serious concern for the supply chain industry, the most common risks, and how technology manufacturers and their customers can take suitable measures to minimize threats.
Also read: How AI and predictive analytics improve supply chain
Why cybersecurity is a concern in supply chains
The modern supply chain is highly connected. Significant benefits have been brought through connecting information systems throughout the supply chain, allowing for more efficient and increasingly automated inventory management and stock replenishment.
This interconnectedness has also, unfortunately, made it highly vulnerable to cybersecurity breaches. Networked systems allow bad actors to find their way into the supply chain through its weakest link and subsequently find their way into more critical systems.
Cybercriminals may also embed malware into components integrated into devices further up the supply chain to access customer networks. All this makes a robust and diligent cybersecurity strategy integral to the supply chain industry.
1. A baseline for best practice: policies, processes, and industry standards
According to Wayne Dorris, Business Development Manager for Cybersecurity at
Axis Communications, supply chain security begins with choosing partners through a rigorous evaluation process.
This should include analyzing critical areas, such as each company’s information security policies and quality and sustainability management processes. At the very least, the company should have an ISO 9001 or IATF 16949 and ISO 27001 A.15 or NIST SP-800 161 certification.
“Industry standards set a baseline,” Dorris explained. “Documented policies and processes are a solid starting point, but if not consistently and diligently adhered to, weaknesses will quickly appear. Supplier and sub-supplier processes should also be assessed for risk management, as well as their production facilities and processes, through physical audits.”
Site visits should be made and followed up with onsite audits to check if the company meets the security requirements and standards set for approved vendor qualification. As part of evaluating any potential new partner, suppliers should also conduct an in-depth analysis of the organization’s financial position and ownership structure.
2. The human element: many cyberattacks start with the individual
Some of the most common cybersecurity threats start with an individual taking physical action. Those with malicious intent - a disgruntled employee operating alone or coerced by third-party cybercriminals - can physically introduce threats into a network or directly to the products.
“The audit process should therefore also include assessments of the physical facilities, particularly the quality assurance procedures and associated machinery,” Dorris continued. “This will ensure that products are not tampered with, or unauthorized individuals allowed access to restricted areas. For example, entries and exits must be continuously guarded, and access controls and visitor registration must be logged and stored. Some areas may require continuous surveillance, even using guards to secure the facility and surroundings.”
In addition, empowering and educating employees to ensure they have a high level of information security awareness is essential. Implementing a training program that frequently updates employees on threats and tactics is invaluable to helping protect the organization from attacks and should be present at every company within the supply chain.
3. Data transfer: a key area of risk
Data transfer in the supply chain network represents a key area of risk and must be protected by security protocols, utilizing encryption methods and authentication. Sub-suppliers and partners need to maintain a high level of information security to mitigate the risks of any gaps in the supply chain.
Having a systematic approach to identify and manage sensitive company information is critical. This system should include people, processes, IT systems, and physical locations and should comply with ISO 27001 and the General Data Protection Regulation (GDPR). This will improve awareness and enable effective risk management.
4. Tampering with and manipulating components
The physical movement of components and products as they move through the supply chain – in some cases being transported thousands of miles through distribution networks that might fall outside of an organization’s audit trail – presents additional risk.
“Surveillance products must function as designed and intended, with consistent integrity,” Dorris pointed out. “This can only be achieved if the product’s hardware and firmware are successfully protected from unauthorized change or manipulation during the product’s journey through the supply chain.”
Starting with component materials, traceability – which includes the material handling process – always ensures the status, revealing any deviations that could compromise quality and signal tampering.
Suppliers and manufacturing partners are required to maintain a traceability system for produced batches, from incoming material to the finished component. During production, the physical component will undergo multiple tests, verifying conformance and highlighting any deviations.
5. Addressing risks in the software supply chain with a Software Bill of Material (SBOM)
It isn’t just the security of devices themselves that needs assessment. A secure software development lifecycle (SDLC) is necessary to ensure that any software used is cybersecurity compliant. This helps to minimize the end customer’s exposure to vulnerabilities. There should also be a clear process of how vulnerabilities in components are identified, communicated, and patched.
However, like any other product, the software isn’t just the code from a single manufacturer but includes multiple packages of code made from many other third-party manufacturers. There’s a software supply chain as much as there is in hardware.
“The software supply chain applies to devices purchased for customer networks,” Dorris added. “For example, the device you purchase may have a web GUI interface, which makes it easy to use and configure, but which is most likely third-party software code. The device purchased could be made of hundreds of other manufacturers code as part of their overall software.”
From a cybersecurity and risk perspective, the customer accepts not only the risk of any vulnerabilities from the manufacturer but also from all the other third-party manufacturers’ code that is part of that software.
There are legislations from various standards groups worldwide that are now asking for manufacturers of devices and software to fully disclose the third-party software packages they use in their software. This is being called a Software Bill of Material (SBOM). It increases awareness of any potential vulnerabilities in all the software you are using.
Conclusion
The need for stringent cybersecurity measures to protect the supply chain will only increase in the coming years. This is not just because of the importance of the supply chain in the modern world but also because of the increasingly sophisticated nature of cyberattacks. The concerns and solutions mentioned in the article should serve as a basic guideline for supply chain solutions providers and customers as they deal with the threats.