Supply chain technology is advancing quickly, but are cybersecurity systems keeping pace? The answer is a resounding no.
Given the interconnected nature of the supply chain, a hacker can knock out one or two nodes and a hack becomes hugely problematic, potentially jeopardizing an entire business.
With reports of data hacks constantly in the news, it may seem like cybersecurity incidents are increasing, Jon Boyens, who leads the Cyber Supply Chain Risk Management (C-SCRM) program at the National Institute of Standards and Technology (NIST), told Supply Chain Dive. Hacks may have been just as frequent in the past, but now they have a greater impact because there are more technology connections.
Are supply chains prepared for breaches?
Cyber hacks have varied purposes, said Shane MacDougall, a principal threat analyst for cybersecurity services company Mosaic451:
- Industrial espionage, for corporate information gathering.
- Using the infrastructure to launch attacks on other organizations, which can bring them offline.
- Using the infrastructure for its computing resources, for example for Bitcoin mining, or to store illicit material online, like child pornography.
Companies don’t pay enough attention to cybersecurity, MacDougall said. "It’s almost always an afterthought," he said.
MacDougall has seen some of the world’s largest distributors appear unconcerned about hacking, saying "what are they going to do, get our widgets?" What they don’t understand, he said, is wiper attacks using malware don’t just take a company’s code or formula for making products.
"It takes down your systems and erases them. Unless you have a really good backup system, you’re not going to recover," said MacDougall. And companies pay little attention to disaster recovery and backup, he said, estimating 90% of companies that undergo a wiper attack are down for months.
Companies that don’t store credit card or HIPAA data are sometimes less concerned than those that do, thinking they’re not beholden to any real standards or liable under privacy laws. That is an erroneous way of thinking. "If you lose customer data, the impact is that you’ll probably get sued. You’ll probably lose customers. You’ll lose proprietary data," MacDougall said.
Losing data that controls parts of manufacturing or logistics can be devastating to the entire supply chain. And organizations that rely heavily on technology for their products or services tend to care about a secure supply chain, since it’s their lifeblood. "If they don’t, they’ll go out of business," Boyens said. Even the most sophisticated organizations struggle with cybersecurity, partly because companies are divided into organizational units. "Cyber supply chain risk management is a multidisciplinary activity," he said. All departments in a company should be involved.
How secure is your supply chain?
According to NIST, major cybersecurity supply chain risks are caused by:
- Inferior information security practiced by lower-tier suppliers.
- Third-party service providers and vendors that have virtual access to information systems.
- Compromised hardware and software.
- Software vulnerabilities in supply chain management systems.
Security is only as strong as the weakest part of the supply chain, said MacDougall. "Just this week, I found a client transferring critical data via FTP," he said. A lot of companies still use FTP, which sends files and login credentials in cleartext, while the more secure SFTP encrypts both the data and the user’s credentials. "I see a lot of companies downgrade their security so they can connect with clients or partners instead of working with them to get them to upgrade their infrastructure. It’s very common for companies to get caught, not because of what they’ve done in-house, but because of the clients and suppliers they’re connected to." Credentials might be shared with someone else, or a person uses the same password for multiple accounts. Either way, an attacker who obtains one password can log in as that person with no further effort.
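The FTP weakness MacDougall describes is observable on the wire: the USER and PASS commands cross the network in cleartext, so a monitoring sensor can read them, and so can an attacker. The following is an added example (not from the article or from Mosaic451) of the check a defender would run over such captures to find cleartext logins, file transfers and the password reuse the paragraph mentions; it assumes a sensor has already reassembled TCP/21 control connections into one line per command, and the sample session lines are constructed for illustration.

```python
"""Flag cleartext FTP credential exposure in captured control-channel traffic.

Added example, not from the article. Assumes a network sensor has reassembled
FTP control connections (TCP/21) into one command per line, prefixed with
'client_ip -> server_ip'. The capture below is constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample of what a sensor sees on the cleartext FTP control channel.
# Two different accounts on two partner servers share the same password.
CAPTURED_FTP_COMMANDS = """\
10.0.5.12 -> 203.0.113.40 USER orders_export
10.0.5.12 -> 203.0.113.40 PASS Summer2024!
10.0.5.12 -> 203.0.113.40 STOR customer_master.csv
10.0.5.31 -> 198.51.100.7 USER logistics_feed
10.0.5.31 -> 198.51.100.7 PASS Summer2024!
10.0.5.31 -> 198.51.100.7 RETR shipments_2024Q2.xml
"""

LINE_RE = re.compile(r"^(\S+) -> (\S+) (USER|PASS|STOR|RETR) (.+)$")


def analyze_ftp_capture(capture: str) -> dict:
    """Return cleartext logins, file transfers and accounts sharing a password.

    Password values are used only to group accounts and are not included in
    the findings, so the report itself does not leak the credentials.
    """
    logins = []                          # (client, server, username)
    transfers = []                       # (client, server, direction, filename)
    password_owners = defaultdict(set)   # password -> {(server, username)}
    pending_user = {}                    # (client, server) -> last USER seen
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, server, cmd, arg = m.groups()
        if cmd == "USER":
            pending_user[(client, server)] = arg
        elif cmd == "PASS":
            user = pending_user.get((client, server), "?")
            logins.append((client, server, user))
            password_owners[arg].add((server, user))
        else:  # STOR uploads a file to the server, RETR downloads one
            direction = "upload" if cmd == "STOR" else "download"
            transfers.append((client, server, direction, arg))
    reused = [sorted(accounts) for accounts in password_owners.values()
              if len(accounts) > 1]
    return {"cleartext_logins": logins, "transfers": transfers,
            "accounts_sharing_password": reused}
```

Each finding in `cleartext_logins` is a credential any network observer between the two companies already holds; the `transfers` list shows which critical files rode that same channel, and `accounts_sharing_password` shows where one exposed password opens a second account.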
Some companies also have misperceptions about security based on a company being domestic. "We try to discourage the geolocation and geopolitics of the supply chain world," Boyens said, as it’s difficult to differentiate security risks for foreign versus domestic suppliers and vendors. Foreign companies manufacture in the U.S. with American or foreign workers, and vice versa. "It’s not a good indicator for security."
Instead, Boyens recommends building a trustworthy supply chain by vetting suppliers.
How to improve cybersecurity in your supply chain
Companies should know what assets they have and need to protect. Then they can put their resources behind protecting the most critical assets, those that support essential business functions, said Boyens. That includes technology that aggregates data, which would have a high value for adversaries. It also includes technology that is sensitive, including intellectual property. It includes any technology not understood by the user, as that poses a great risk.
The most vulnerable technology is older technology, especially when the software is embedded in the hardware. "They don’t provide updates, or they’re limited," MacDougall said.
Some software or machines may also be running on outdated platforms. "It’s very common for me to go to a factory and still find systems running Windows 95," because the software won’t run on a newer platform. There are ways to protect such a system so that, if there is a problem, it can be caught early, contained to that machine and quickly restored. The company can also limit credentials to just that machine, so they are of no use anywhere else.
When rolling out a new IT system, a significant amount of time should be dedicated to its security, said MacDougall. He recommends giving vendors security questionnaires prior to signing contracts, to confirm they’re running antivirus programs, for example.
Evaluating future partners and vendors means more than confirming they’re trustworthy at an organizational level, including basic due diligence that they’re financially sound, not in legal trouble, have a good reputation and have positive references. The evaluation should drop down a tier, Boyens said, to look at the standard practices they use for supply chain cybersecurity with their own partners. Find out whether they audit their vendors’ services and test software products against defined standards.
If a supplier or vendor isn’t up to par security-wise, it’s important to explain why security matters to both parties. Helping to find a security vendor, and even offering to pay part of the cost, can make a difference. If the supplier can’t meet a company’s basic security requirements, "think long and hard about using them," MacDougall said. "If you don’t, it’s a matter of time before you get hacked."
The other cybersecurity issue is a human one. Deploying leading-edge technology with secure software only works if the humans using it halt intruder access. "If I can saunter on to your premises and look like an employee, access your network or have someone go to a website I tell them to, which is extremely easy to do, all that time and effort to protect your network is useless," MacDougall said. It’s important to train employees to trust their instinct and react if something doesn’t feel right. "That’s really hard to do in this environment, with the fear of reviews making it so much easier for hackers to social engineer the company. Employees are the first line of defense."