Managing supply chain cyber risk
A hyper-connected world gives companies the transparency they need to mitigate physical disruption to the flow of goods. But the same connectivity exposes them to a digital weakness that poses another kind of disruption: cyber risk.
Lessons from the recent pandemic have accelerated digital adoption. This is now changing the security paradigm in the short to medium term. In particular, the adoption of new technologies to help drive efficiencies across the industrial sector is leading to more complicated IT ecosystems that are, in some cases, heavily integrated with partners, alliances and suppliers. This grey area of potential risk falls outside the traditional good practice guidelines leaders have come to know well. Manufacturers, distributors, and other industrial organizations must now adapt their methods and approaches to identify and manage this new cyber risk vector.
The Impact of an Interconnected World
As traditional corporate boundaries become increasingly blurred, expanding deep into the supplier landscape, trying to track who does what, and when, with data is a growing challenge. Organizations are now faced with an increased exposure presenting many unknown risks, potentially impacting daily operations.
This is a problem for the whole supply chain: if one participant is compromised, all are at risk. The rise of e-commerce and non-store retailing within consumer, manufacturing, and distribution is placing huge demands on technology-driven solutions to streamline operations. To keep track of real-time stock levels, tracking software improves accuracy from manufacture through to delivery to the customer. It requires non-stop communication between partners at each step, with different software systems managing the flow interdependently. Add to that the numerous back-office partners that support payroll or settlement, or that host IT systems. All of these functions require new approaches to managing risk.
Breaches in security can erode market value and damage brand reputation. The SolarWinds compromise in 2020 and the 2021 attack on the Florida-based IT company Kaseya both spread to downstream customers through trusted software; in Kaseya's case, ransomware reached around 200 corporate networks that used its products. The failure to appreciate risk across the end-to-end system had a significant material impact on the operations of those customers, highlighting the need to re-address the approach to risk management and look wider than an organization's own corporate domain. Smaller companies are equally at risk. In 2021, 40 percent of ransomware victims had fewer than 100 employees.
Amassing data from external partners also comes with inherent risk if that data is supplied through systems integration or other means of automated updates.
A new perspective needs to be taken at the enterprise level, so that all types of data are considered. Companies need to carefully think through the risk implications of financial data (price, cost, invoices, spend), product data (specifications, quality, bills of material), order data (quantities, dates, addresses) and shipment data (location, times, carriers) that are shared weekly, daily, or even hourly up and down the supply chain.
The unknown risks in an interconnected world may also include exposed or abandoned internet-facing servers, which point to asset management issues, or confidential documents leaked because data classification and handling are not applied consistently across multiple organizations.
Other dangers may come from default, out-of-the-box login credentials, which indicate that build standards are not being met, or from legacy hardware that has fallen off the support radar, which indicates failing decommissioning processes. Further problems arise when suppliers do not inform their partners about breaches they have identified.
All this is in addition to the need to respond to the growing regulatory focus on supply chain accountability, which is placing further pressure on already pressed resources to address ever-growing cyber risk.
How can companies now broaden their risk management processes to incorporate the increasingly interconnected supplier landscape and streamline their efforts? There are five key areas to focus on.
- Access: Be more transparent and know who has access to networks and systems. Organizations also need to understand what partners do inside their networks and with their data, and how they access it.
- Data: Understand what data is at risk. That means understanding the full end-to-end architecture that flows into and out of the organization's own environment, and identifying the points of exposure that could undermine operations, including by scanning the environment from the outside in, as an attacker would see it.
- Suppliers: Increase collaboration and take proactive measures to understand how suppliers manage their own IT estates if they are connected to others. Organizations also need to mature commercial obligations with suppliers to provide greater comfort over how they will handle data. Simply asking them to comply with basic standards isn’t enough.
- Technologies: Leverage red-teaming techniques that rigorously challenge plans, policies, systems and assumptions; attack surface scanning; and continuous control monitoring to test the robustness of controls.
- The Business: Understand what the material impact on operations would be in the event of a compromise to internal or suppliers’ systems.
By adapting traditional approaches to managing risk, organizations can identify their exposure across the entire IT ecosystem and identify the areas of weakness they need to fix. This will also enable the more efficient and effective use of scarce resources to target areas of vulnerability underpinning operations, allowing manufacturing leaders to obtain a higher degree of assurance and security in an increasingly connected world.
Shanton Wilcox is the US Manufacturing Lead at PA Consulting. Carl Nightingale is a Cyber Security Expert at PA Consulting.