Your supply chain’s greatest cyber risk isn’t you

By Thomas LaRock, Head Geek™, SolarWinds


Not so long ago, supply chains could succeed without much technological intervention. Loading up stock into shipping containers, parking it in warehouses, trucking it the last mile to points-of-sale or, in the case of e-commerce, the buyer’s drop-off point – it was all unmistakably physical. Granted, you’d have some technology like ERP and WMS software governing the entire process, but stores and warehouses could still operate even if those systems encountered difficulties.

Fast forward a few years and the supply chain incorporates more technology into its backbone than a Terminator. From “track and trace” and other sensors to real-time inventory management and provisioning, supply chains now rely on digital technology not only to keep their operators competitive, but to keep their owners in business. That means, of course, that any outage to those technologies becomes akin to dipping the proverbial cyborg in molten lava – it’s now a case of terminal hasta la vista, baby.

Every supply chain operator knows this, of course. Most employ cybersecurity defences with great and deliberate rigour throughout their organisations. But what if the greatest vulnerability to the digital supply chain isn’t within the operator’s network, but outside it? What if that critical point of failure is, in fact, inherent to the very architecture of the modern supply chain?

Frenemy at the gates

The greatest cyber risk to the supply chain comes from its weakest vendor. Most businesses shore up their organisational cyber defences, but forget that supply chains are chains – they connect numerous different parties to deliver goods from A to B. And in today’s hyperconnected market of hyperactive consumers, even a relatively simple shipment can involve multiple warehouse operators, forwarders, customs agents, last-mile shippers, and couriers to make it to the recipient’s location in the specified time. And each of those is running their own software – and increasingly, with the Internet of Things, hardware – systems with only basic integration between one another at best.

The result is a threat surface far wider than any one organisation – and certainly far beyond what any business can hope to secure on its own. All it takes is for malicious actors to find a weakness somewhere along that conga-line of platforms and systems, or for human error to create one, and the entire supply chain finds itself potentially compromised. The risk ratchets up as more actors, vendors or partners are involved, multiplying the vectors through which cyber threats, like malware or malicious code, can be injected. And let’s not forget other eyebrow-raising vulnerabilities, like bad password hygiene or exploitable code, that may be inherent in these third-party systems. Added up, the full flow-on impact of those vulnerabilities on other operators’ data and systems may prove challenging, if not impossible, to map out after a breach or exploit.

In other words, the digital supply chain is only as secure as its weakest link – and the very nature of supply chains means there are a lot of links to cover. It’s up to IT to work with the larger business to identify the cyber-risks of these links, and begin deploying the right countermeasures and defences. It’s enough to make any business want to take their supply chain in-house. Reducing the risks posed by these “frenemies”, however, is often easier than it may seem.

Test everyone, backup everything

First, businesses should make strong cybersecurity an essential criterion for any vendor involved in their supply chain. If a vendor isn’t willing to disclose their cybersecurity measures, or have them independently audited to at least some extent, they shouldn’t be trusted with handling your goods – plain and simple, no exceptions. IT can play a big role here by developing cybersecurity checklists and tests for vendors, but it’s up to those at the C-level to draw a clear line and enforce these policies. Given the importance of the supply chain to any manufacturer or retailer – almost, if not fully, on par with cash flow – this tough stance can often save businesses from catastrophe.

IT can back up that stance by testing everything. Any net new installation should be put through its paces on a stable guest network with dummy workloads before it goes live. That includes both hardware (like sensors, trackers, or other devices) and software (like ERP or analytics platforms): apart from exposing potential vulnerabilities, these tests may also reveal integration or usability issues that could lead to outages or breaches in the long run. It’s important that IT establish a clear baseline of what “normal” looks like in the supply chain before running any tests.
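One way to make the “baseline first, then test” step measurable, as an added example that is not part of the original article or of any SolarWinds product: the script below learns which destinations and ports a newly staged device talks to during a quiet baseline window on the guest network, then flags test-window connections that fall outside that baseline – a new peer inside the guest network, a new external destination, or a flow far larger than anything seen before. The device address, guest subnet, vendor endpoint and all flow records are constructed for illustration.

```python
"""Baseline-then-compare check for a new device staged on an isolated guest network.

Added example (not from the original article): learn the device's normal
connection profile during a quiet baseline window, then flag anything in the
test window that falls outside it. All addresses and log lines are constructed.
"""
from collections import defaultdict
import ipaddress

DEVICE_IP = "10.99.0.20"      # constructed: the tracker/sensor under evaluation
GUEST_NET = "10.99.0.0/24"    # constructed: isolated guest network it is staged on

# Constructed flow records: timestamp,src,dst,dst_port,bytes
BASELINE_LOG = """
2019-05-01T09:00:01,10.99.0.20,203.0.113.10,443,1200
2019-05-01T09:05:01,10.99.0.20,203.0.113.10,443,1350
2019-05-01T09:10:01,10.99.0.20,10.99.0.1,53,90
2019-05-01T09:10:02,10.99.0.20,203.0.113.10,443,1180
"""

TEST_LOG = """
2019-05-02T09:00:01,10.99.0.20,203.0.113.10,443,1300
2019-05-02T09:00:30,10.99.0.20,10.99.0.1,53,88
2019-05-02T09:01:00,10.99.0.20,10.99.0.50,445,400
2019-05-02T09:02:00,10.99.0.20,198.51.100.7,8443,900
2019-05-02T09:03:00,10.99.0.20,203.0.113.10,443,52000
2019-05-02T09:04:00,10.99.0.9,10.99.0.20,80,300
"""


def parse_flows(text):
    """Parse the constructed CSV-style flow records into dicts."""
    flows = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = (f.strip() for f in line.split(","))
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def build_baseline(flows, device_ip=DEVICE_IP):
    """Record every (destination, port) the device used and the largest flow seen."""
    peak = defaultdict(int)
    for f in flows:
        if f["src"] == device_ip:
            key = (f["dst"], f["port"])
            peak[key] = max(peak[key], f["bytes"])
    return dict(peak)


def find_deviations(flows, baseline, device_ip=DEVICE_IP,
                    guest_net=GUEST_NET, volume_factor=3.0):
    """Flag test-window flows that were never seen in the baseline or dwarf it."""
    net = ipaddress.ip_network(guest_net)
    findings = []
    for f in flows:
        if f["src"] != device_ip:
            continue  # traffic from other hosts is out of scope for this device
        key = (f["dst"], f["port"])
        if key not in baseline:
            inside = ipaddress.ip_address(f["dst"]) in net
            kind = "new-peer-inside-guest-net" if inside else "new-external-destination"
        elif f["bytes"] > volume_factor * baseline[key]:
            kind = "volume-spike"
        else:
            continue
        findings.append({"ts": f["ts"], "kind": kind, "dst": f["dst"],
                         "port": f["port"], "bytes": f["bytes"]})
    return findings


def run_check():
    """Build the baseline from the quiet window, then compare the test window."""
    baseline = build_baseline(parse_flows(BASELINE_LOG))
    return find_deviations(parse_flows(TEST_LOG), baseline)


if __name__ == "__main__":
    for hit in run_check():
        print(f'{hit["ts"]} {hit["kind"]:28} {hit["dst"]}:{hit["port"]} {hit["bytes"]} bytes')
```

The baseline is deliberately an allowlist of (destination, port) pairs plus a per-pair peak volume: a device that only ever talked to its vendor’s cloud endpoint and the local resolver should not suddenly probe a neighbour on the guest network or open a connection to an unknown external host. The volume factor is a tunable assumption; in practice the baseline window should be long enough to include scheduled firmware checks and reporting bursts, or those will show up as spikes.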

Finally, IT should implement a rigorous backup and failover policy for the entire supply chain’s operations and data, guided by the NIST framework. Businesses could begin by defining an ‘optimum state of recovery’ first, and work backwards to design the right response and recovery plan or policy needed to reach that state. That policy should not only be known and enforced, but – to labour the previous point – frequently tested to ensure sufficient responsiveness and comprehensiveness in the event of a breach. Make sure the policy’s familiar to not only IT and logistics personnel within the organisation, but also those at key vendors along the supply chain. In the event of a cyber emergency, it’ll take quick and confident cooperation between both internal and external parties to bring operations back online and minimise disruption to customers.
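“Define the optimum state of recovery first, then work backwards” can be expressed as a small dependency calculation, shown here as an added example that is not part of the original article or of any NIST publication: starting from the services that must be up (the target state), walk their dependencies backwards to find everything that has to be restored, order the restores so no service is brought up before what it needs, and compare the resulting finish time with the recovery time objective. The service names, restore-time estimates, dependencies and vendor ownership below are constructed.

```python
"""Work backwards from a target recovery state to an ordered restore plan.

Added example (not from the original article): the service names, restore
times, dependencies and owners are constructed for illustration.
"""

# Constructed: each service's estimated restore time (minutes), what must be
# up before it, and who operates it (internal or a supply-chain vendor).
SERVICES = {
    "warehouse-db": {"restore": 90,  "deps": [],                           "owner": "internal"},
    "identity":     {"restore": 30,  "deps": [],                           "owner": "internal"},
    "wms":          {"restore": 45,  "deps": ["warehouse-db", "identity"], "owner": "internal"},
    "carrier-api":  {"restore": 60,  "deps": ["identity"],                 "owner": "vendor:last-mile-courier"},
    "track-trace":  {"restore": 20,  "deps": ["wms", "carrier-api"],       "owner": "vendor:iot-platform"},
    "analytics":    {"restore": 120, "deps": ["warehouse-db"],             "owner": "internal"},
}


def required_services(target, services=SERVICES):
    """Everything the target state depends on, found by walking dependencies backwards."""
    needed, stack = set(), list(target)
    while stack:
        name = stack.pop()
        if name in needed:
            continue
        needed.add(name)
        stack.extend(services[name]["deps"])
    return needed


def recovery_plan(target, services=SERVICES):
    """Dependency-respecting restore order plus the finish time of each service.

    Assumes restores whose dependencies are satisfied run in parallel and that
    the estimates in `services` hold; a dependency cycle means the plan cannot
    be executed as written.
    """
    remaining = required_services(target, services)
    finish, order = {}, []
    while remaining:
        # Services whose dependencies all finished in earlier rounds.
        ready = sorted(s for s in remaining
                       if all(d in finish for d in services[s]["deps"]))
        if not ready:
            raise ValueError("dependency cycle among: " + ", ".join(sorted(remaining)))
        for s in ready:
            start = max((finish[d] for d in services[s]["deps"]), default=0)
            finish[s] = start + services[s]["restore"]
            order.append(s)
            remaining.discard(s)
    return order, finish


def check_rto(target, rto_minutes, services=SERVICES):
    """Does restoring the target state fit within the recovery time objective?"""
    order, finish = recovery_plan(target, services)
    total = max(finish[s] for s in target)
    vendors = sorted({services[s]["owner"] for s in order
                      if services[s]["owner"].startswith("vendor:")})
    return {"order": order, "finish": finish, "total_minutes": total,
            "meets_rto": total <= rto_minutes, "external_parties": vendors}


if __name__ == "__main__":
    plan = check_rto(["track-trace"], rto_minutes=120)
    for name in plan["order"]:
        print(f'{name:14} done at +{plan["finish"][name]:>4} min  ({SERVICES[name]["owner"]})')
    print("total:", plan["total_minutes"], "min; meets RTO:", plan["meets_rto"])
    print("vendors who must take part in the drill:", ", ".join(plan["external_parties"]))
```

Two things fall out of running this that the policy document alone does not show: which systems are not needed for the target state at all (analytics can wait), and which vendors sit on the critical path and therefore have to be part of the rehearsal, not just informed afterwards. If the total exceeds the objective, the plan is where to negotiate shorter restore times or remove a dependency, before an incident forces the question.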

The importance of (cyber) safety culture

The best cyber defence for the supply chain, however, is culture. If an organisation can weave security and cyber hygiene into the basic principles and values of its staff, it’ll find itself much less vulnerable to most threats that prey upon the unprepared or unknowing business. And in that respect, supply chains have an advantage over other business operations: those involved in running them already adhere to strict codes of physical and workplace safety. If businesses can incorporate cyber-safety into those existing codes and processes, and push for similar standards as table stakes amongst their vendors, they’ll find themselves well-placed to meet any cyber threat – even from the future.
