We saw the first supply chain cybersecurity reason in Part 1 yesterday. Today we look at the remaining reasons. In today’s world, “common criminals, organised crime rings, and nation-states leverage sophisticated techniques to launch attacks that are highly targeted and very difficult to detect,” warns a report on the present-day state of cybercrime (PricewaterhouseCoopers, U.S. Cybercrime: Rising risks, reduced readiness).
Assessing cybersecurity risks in the supply chain
A particularly pernicious aspect of cyberattacks is the way the threats are always “on the move”, says Katherine Barrios, chief marketing officer at Xeneta.
By their very nature, attackers try to circumvent roadblocks and counter-measures.
Staying ahead of threats – like the WannaCry or WannaCrypt ransomware attack and the rapidly-moving “Petya” – is challenging. “WannaCry” has affected over 230,000 computers in over 150 countries – with the most damage inflicted on the British National Health Service, Spanish phone company Telefónica and German state railways. “Petya” impacted not only Maersk Line but also the IT infrastructure of many other firms, such as pharmaceutical multinational Merck, advertiser WPP, food company Mondelez, and legal firm DLA Piper.
When a virus affects a shipping company like Maersk Line that is responsible for the flow of goods (fleet, containers), the ripple effect on the supply chain is swift and enormous (Olivia Solon and Alex Hern, “‘Petya’ Ransomware Attack: What Is It and How Can It Be Stopped?” The Guardian).
Fast-moving, hostile groups and individuals possess the “persistence, tactical skills, and technological prowess” to damage and destroy major SCM systems, including, ominously, the logistics chain (PWC, US Cybercrime).
Whether through malware (“malicious software”), taking advantage of compromised credentials made available in the “underground” Internet, distributed denial of service (DDoS) (a bad actor’s disruption of systems) or SQL injections (the insertion of malicious code into Structured Query Language queries), among other tactics, hackers are inventive (Drew Smith, “Is your supply chain safe from cyberattacks?” Supply Chain Quarterly).
Also, while somewhat mitigated by employee training, it is not always possible to ward off insider events – those resulting from employee vulnerabilities. Insider events can include the phenomenon of social engineering (when a criminal gains access to buildings, systems or information by exploiting the human psychology of employees). There is also the casual use of devices by employees and the mishandling of information by workers who are not adhering to best practices (PWC, US Cybercrime).
The potential scale of supply chain cyber threats
At its core, Supply Chain Management “helps sustain human life – Humans depend on supply chains to deliver basic necessities such as food and water” (CSCMP, The Council of Supply Chain Management Professionals, “The importance of supply chain management”).
Any disruption could cause a societal breakdown. Because of the computer failure caused by Petya, workers had to manually monitor radiation levels at the Chernobyl nuclear plant and citizens of Kiev could not access ATM machines. (Nicole Perlroth, Mark Scott and Sheera Frenkel, “Cyberattack hits Ukraine then spreads internationally,” New York Times).
The potential life-threatening risks in late June were very real – with the ransomware attack spreading to Heritage Valley Health System, which operates Heritage Valley Sewickley and Heritage Valley Beaver Hospitals in Western Pennsylvania, eastern Ohio and West Virginia, temporarily seizing up HVHS computer systems.
Fortunately, the only actual operational suspension of service occurred at the health delivery network’s lab and diagnostic imaging community sites with those services now “fully functional.” (“Updates on the cyber security incident at Heritage Valley Health system,” Latest News Posts, HVHS).
Exporters and importers are still “haunted” by delays from the system shutdown at Maersk and APM Terminals facilities – with Maersk Line accordingly waiving demurrage and detention charges that occurred. (Mike Wackett, “Cyber attack still haunting Maersk as it struggles to recapture volumes,” The Loadstar).
One can only imagine a grander-scale impact from a similar trigger event in the future. The next disturbance in the movement of people and goods in the supply chain could lead to more serious societal fallout beyond mere corporate performance. (World Economic Forum, New models for addressing supply chain and transport risk: An initiative of the risk response network in collaboration with Accenture).
A further dismal reason for why we “should be scared” for the future of the supply chain/transport network is the complexity of cyber threats.
Michael Daniel details the sheer level of complexity in his article, “Why is cybersecurity so hard?” Harvard Business Review:
“Cyberspace operates according to different rules than the physical world. I don’t mean the social ‘rules’ but rather the physics and math of cyberspace. The nodal nature of a light-speed network means that concepts like distance, borders, and proximity all operate differently, which has profound implications for security.”
Because there is no such thing as typical proximity, nor typical borders, “physical world” constructs and solutions don’t work very well.
“For example, in the physical world, we assign the federal government the task of border security. But given the physics of cyberspace, everyone’s network is at the border. If everyone lives and works right on the border, how can we assign border security solely to the federal government? In the physical world, crime is local — you have to be at a location to steal an object, so police have jurisdictions based on physical boundaries.”
Not so in cyberspace. Organisations and institutions are touching upon tricky new frontiers legally and policy-wise, such as the proper division of responsibility for protection between governments and private enterprise. Defense against risks (whether from the outside or the inside of an organisation) needs significant investment to keep up with the threats.
Combating cyber risks in the supply chain: Greater need to act
Many companies are not devoting the necessary amount of investment to cybersecurity. Alex Bau believes it comes down to behavioral economics (“The behavioral economics of why executives underinvest in cybersecurity,” Harvard Business Review). There are certainly daunting cost considerations. Worldwide spending on cybersecurity is set to exceed $1 trillion between 2017 and 2021 – with many companies not being able to keep pace. (Steve Morgan, “Cybersecurity spending outlook: $1 trillion from 2017 to 2021,” CSO).
There is also hope. Blockchain solutions, banding together to pool cybersecurity efforts, smart sensors (Marianne Mannschreck, “How smart sensors and the IoT will evolve supply chains,” ITProPortal), further training… these are all possible avenues for a better future, one in which (it is hoped) there will be less reason for fear.
The author of this blog is Katherine Barrios, chief marketing officer at Xeneta