Scared about supply chain cybersecurity? 5 reasons you aren’t scared enough - Part 2

Katherine Barrios, CMO at Xeneta

We saw the first reason to be scared about supply chain cybersecurity in Part 1 yesterday. Today we look at the remaining reasons. In today’s world, “common criminals, organised crime rings, and nation-states leverage sophisticated techniques to launch attacks that are highly targeted and very difficult to detect,” warns a report on the present-day state of cybercrime (PricewaterhouseCoopers, U.S. Cybercrime: Rising risks, reduced readiness).

Assessing cybersecurity risks in the supply chain

A particularly pernicious aspect of cyberattacks is the way the threats are always “on the move”, says Katherine Barrios, chief marketing officer at Xeneta.

By their very nature, attackers try to circumvent roadblocks and counter-measures.

Staying ahead of threats, like the WannaCry or WannaCrypt ransomware attack and the rapidly moving “Petya”, is challenging. “WannaCry” has affected over 230,000 computers in over 150 countries – with the most damage inflicted on the British National Health Service, Spanish phone company Telefónica and German state railways. “Petya” impacted not only Maersk Line but also the IT infrastructure of many other firms, such as pharmaceutical multinational Merck, advertiser WPP, food company Mondelez, and legal firm DLA Piper.

When a virus affects a shipping company like Maersk Line that is responsible for the flow of goods (fleet, containers), the ripple effect on the supply chain is swift and enormous (Olivia Solon and Alex Hern, “‘Petya’ Ransomware Attack: What Is It and How Can It Be Stopped?” The Guardian).

Fast-moving, hostile groups and individuals possess the “persistence, tactical skills, and technological prowess” to damage and destroy major SCM systems, including, ominously, the logistics chain (PWC, US Cybercrime).

Whether through malware (“malicious software”), compromised credentials made available on the “underground” Internet, distributed denial of service (DDoS) (a bad actor’s disruption of systems) or SQL injection (the insertion of malicious code into Structured Query Language queries), among other tactics, hackers are inventive (Drew Smith, “Is your supply chain safe from cyberattacks?” Supply Chain Quarterly).

Also, while somewhat mitigated by employee training, it is not always possible to ward off insider events – those resulting from employee vulnerabilities. Insider events can include the phenomenon of social engineering (when a criminal gains access to buildings, systems or information by exploiting the human psychology of employees). There is also the casual use of devices by employees and the mishandling of information by workers who are not adhering to best practices (PWC, US Cybercrime).

The potential scale of supply chain cyber threats

At its core, Supply Chain Management “helps sustain human life – Humans depend on supply chains to deliver basic necessities such as food and water” (CSCMP, The Council of Supply Chain Management Professionals, “The importance of supply chain management”).

Any disruption could cause a societal breakdown. Because of the computer failure caused by Petya, workers had to manually monitor radiation levels at the Chernobyl nuclear plant and citizens of Kiev could not access ATM machines. (Nicole Perlroth, Mark Scott and Sheera Frenkel, “Cyberattack hits Ukraine then spreads internationally,” New York Times).

The potential life-threatening risks in late June were very real – with the ransomware attack spreading to Heritage Valley Health System, which operates Heritage Valley Sewickley and Heritage Valley Beaver Hospitals in Western Pennsylvania, eastern Ohio and West Virginia, temporarily seizing up HVHS computer systems.

Fortunately, the only actual operational suspension of service occurred at the health delivery network’s lab and diagnostic imaging community sites with those services now “fully functional.” (“Updates on the cyber security incident at Heritage Valley Health system,” Latest News Posts, HVHS).

Exporters and importers are still “haunted” by delays from the system shutdown at Maersk and APM Terminals facilities – with Maersk Line accordingly waiving demurrage and detention charges that occurred. (Mike Wackett, “Cyber attack still haunting Maersk as it struggles to recapture volumes,” The Loadstar).

One can only imagine a grander-scale impact from a similar trigger event in the future. The next disturbance in the movement of people and goods in the supply chain could lead to more serious societal fallout beyond mere corporate performance. (World Economic Forum, New models for addressing supply chain and transport risk: An initiative of the risk response network in collaboration with Accenture).

Cyber complexity

A further dismal reason for why we “should be scared” for the future of the supply chain/transport network is the complexity of cyber threats.

Michael Daniel details the sheer level of complexity in his article, “Why is cybersecurity so hard?” Harvard Business Review:

“Cyberspace operates according to different rules than the physical world. I don’t mean the social ‘rules’ but rather the physics and math of cyberspace. The nodal nature of a light-speed network means that concepts like distance, borders, and proximity all operate differently, which has profound implications for security.”

Because there is no such thing as typical proximity, nor typical borders, “physical world” constructs and solutions don’t work very well.

“For example, in the physical world, we assign the federal government the task of border security. But given the physics of cyberspace, everyone’s network is at the border. If everyone lives and works right on the border, how can we assign border security solely to the federal government? In the physical world, crime is local — you have to be at a location to steal an object, so police have jurisdictions based on physical boundaries.”

Not so in cyberspace. Organisations and institutions are touching upon tricky new frontiers legally and policy-wise, such as the proper division of responsibility between governments and the private enterprise to protect. Defense against risks (whether from the outside or the inside of an organisation) needs significant investment to keep up with the threats.

Combating cyber risks in the supply chain: Greater need to act

Many companies are not devoting the necessary amount of investment to cybersecurity. Alex Blau believes it comes down to behavioral economics (“The behavioral economics of why executives underinvest in cybersecurity,” Harvard Business Review). There are certainly daunting cost considerations. Worldwide spending on cybersecurity is set to exceed $1 trillion from 2017 to 2021, with many companies not being able to keep pace. (Steve Morgan, “Cybersecurity spending outlook: $1 trillion from 2017 to 2021,” CSO).

There is also hope. Blockchain solutions, banding together to pool cybersecurity efforts, smart sensors (Marianne Mannschreck, “How smart sensors and the IoT will evolve supply chains,” ITProPortal), further training… these are all possible avenues for a better future, one in which (it is hoped) there will be less reason for fear.

The author of this blog is Katherine Barrios, chief marketing officer at Xeneta
