Business Continuity, Supply Chain

Supply Chain Cybersecurity Questions and Answers

The Association for Supply Chain Management (ASCM) gathered subject matter experts to discuss cybersecurity in the supply chain in a LinkedIn Live forum. (ASCM is a non-profit, global leader in supply chain organizational transformation, innovation and leadership.) Matthew Talbert, Research Manager at ASCM, led the question-driven discussion. A summary follows below – you can find the video recording of the session here.

Just how essential is cybersecurity to supply chain risk management?

Marième Doukouré-Amoa, Procurement Director – Global IT Infrastructure at State Street, noted that in large companies, dedicated IT teams handle cybersecurity. But in companies whose core competencies are not necessarily IT (small and medium-sized businesses), it’s a struggle to allocate resources to cybersecurity activity.

Charlie Miller, Senior Advisor, The Santa Fe Group/Shared Assessments, further outlined the cybersecurity challenge by describing how the pandemic has exacerbated every facet of any organization’s supply chain and the risks it poses. Policies set forth by NIST for suppliers and contractors providing services to the US government reflect the regulatory and standards focus on the supply chain, the Cybersecurity Maturity Model Certification (CMMC) being a prime example.

Miller also pointed out that throughout the pandemic, managing supply chain risk has been key, and it will remain so with the distribution and delivery of COVID-19 vaccines – global refrigeration and dry ice companies, which will ensure safe and potent delivery of the vaccine to all, are now critical third parties!

Dave Morrow, Supplier Relationship Management at USAF, cited research that has shown 90% of hacks come in through the supply chain. Morrow voiced that cybersecurity is not an IT issue – it is a supply chain vulnerability issue, and working remotely has only increased this vulnerability.


How could a cyberattack impact the supply chain?

Doukouré-Amoa voiced that medium and small companies perceive that the data they collect and protect is not of interest to attackers (their information is critical to the business but not to hackers or the broader community). This is a myth, as stolen data can be combined with other data and compiled to cause harm. Doukouré-Amoa referenced the cyberattack that struck the world’s largest shipping conglomerate (A.P. Møller-Maersk) and how it impacted their broad network of vendors and partners.

Miller referenced Shared Assessments’ IoT research with the Ponemon Institute. Findings in this research suggest that IoT risk and third-party risk go hand in hand within the supply chain, as many organizations have devices running on operating systems that are no longer supported (no patches, no updates).

Morrow stated that it is a must to have good infrastructure in place regardless of organization size, as the majority of attacks occurring are not hitting large organizations. Anytime someone is trying to steal from you or rip you off, they are looking for the lowest barrier to entry: third-party vendors present a great opportunity.

Are cyberattacks in data storage something companies should focus on?

Miller identified an organization’s crown jewels as customer information and IP – critical from a privacy and a regulatory-fines perspective. It’s essential that every organization have an incident response plan: if ransomware takes control of your production data and systems, do you have a backup of those production systems and data, so that you may not have to pay the ransom?

Doukouré-Amoa suggested that companies without internal IT teams should reach out to cybersecurity professionals who can make an assessment. Bottom line: the company must protect all information.

Is blockchain a good defense mechanism?

Doukouré-Amoa said the devil is in the details with blockchain: how is the technology being implemented? How can we be deliberate and responsible about how we share and store information? Doukouré-Amoa advocated for using tools that are simpler and widely available: encryption and network segmentation (more specifically, separating the data that is collected from your factories).

Miller pointed out that blockchain is usually deployed on a particular set of applications to increase system efficiency and the security of that workflow. Broad use of blockchain in an organization can present a solution to third-party attacks, but you need to know which critical assets are protected by the blockchain.

In addition to blockchain, continuous monitoring solutions can offer insight into supply chain risk (cyber and other) vulnerabilities; BitSight, FICO, NormShield, Panorays, RiskRecon, SecurityScorecard, RapidRatings and Supply Wisdom are several of the solutions in this space.

Morrow stated that blockchain holds promise, although it is important to understand what blockchain brings to the table and to understand the exchange of data in order to identify vulnerabilities.

What can companies do to protect themselves?

Doukouré-Amoa reiterated that behavior is the first line of defense. Training employees in responsible use of IT equipment is a great start. Be deliberate in how you implement technology by asking these questions:

  • How are you using technology in your operations, and what are the goals you are trying to achieve?
  • Where are the critical control points to be mindful of?
  • Who is accessing what kind of information? Where does it make sense to segment the network?

Plan for recovery – every organization of every size can be besieged by a cyberattack. How would you operate without technology if your network were struck?

Morrow thinks the things you can do are simple blocking and tackling, and include:

  • Password management – change on a regular basis.
  • Layered security – only certain people have access to the information they need.
  • Planning for recovery – it’s not if, but when. (Only the paranoid survive.)

Supply chain professionals need to realize that cybersecurity is no longer just an IT issue – it’s everyone’s issue.

In closing, Miller offered that all members of the organization are on the Risk Team. Make sure you have your ducks in a row when presenting to senior management – present a clear story and message. Also, collaborate with industry peers. Raise your hand, reach out, tap a shoulder – we are all here to help. The ASCM and this LinkedIn Live event certainly embody this sentiment.