Many organizations and supply chain experts are concerned about cyber security. The risks stemming from supply chain cyber threats are real. In fact, the danger is more frightening and potentially harmful than we realize. Here’s why.
Assessing Cyber Supply Chain Security Vulnerabilities
Experts on cybersecurity and supply chain management (SCM) like to draw attention to the fact that operating systems are only as strong as their “weakest link.” The “weakest link” argument is evoked with good reason when discussing risk management.
It does not matter how strong your network security is -- if there is fragility within it, that’s all that matters, that’s all it takes. Whether the vulnerability stems from poor internal security control or external danger, a compromised link can put the entire global supply chain at risk.
The vulnerability of the supply chain in the midst of the biggest cyber security breach to hit the shipping industry - the breach on Danish maritime giant AP Moller-Maersk’s information technology systems in June 2017 - is nerve-racking to say the least. The breach is still causing the international shipping industry to reel.
From one ransomware attack (a variant of “Petya,” originating from a malicious Ukrainian software update, plus phishing emails), a near-catastrophic failure of global supply chain systems resulted. Terminals in the ports of New York, New Jersey, Miami, Los Angeles and Rotterdam were closed. Terminals operated by Maersk Line, such as the Jawaharlal Nehru Port Trust near Mumbai, India's biggest container port, couldn't load or unload because they were unable to track the origins of shipments. The Port of Gothenburg and many other ports reverted to manual processing for several hours. A freeze on deliveries at the South Florida Container Terminal caused retailers' orders (including some critical goods) to be delayed.
The backlog of containers continues. Reputational impact on Maersk is high. The financial loss from disrupted production and deliveries of goods to customers in several countries for many companies is too costly to enumerate at this point. Given that 90% of world trade is transported by sea (Maersk runs close to 600 container vessels and 25% of containers shipped to and from Asia and Europe) (Jacob Gronholt-Pedersen, “Maersk Says Global IT Breakdown Caused by Cyber Attack,” Reuters.com), the impact from such a digital disruption in the communication systems of an increasingly interdependent and complex supply chain is far-reaching (Reuters, “Global Shipping Giant Maersk is Reeling From the Ransomware Fallout,” Fortune).
“Not to overstate it, but there’s a lot of truth to the idea that networked models of security ‘are only as strong as the weakest link,’” writes Paul Martyn (“Risky Business: Cybersecurity And Supply Chain Management,” Forbes). “And because big business will continue to outsource and pursue new markets of customers and supply, the scope of the problem is exploding.”
In almost every industry, companies are more dependent than ever upon suppliers, intermediaries, cloud-based communication systems, third-party service providers and vendors in the supply chain network. “The demand for constant online communication creates enormous opportunities for hackers to exploit weak vendor security practices as a point of entry into their ultimate target,” adds Steve Bridges, Senior Vice President of JLT Speciality, an insurance brokerage firm focusing on cyber insurance (Martyn, “Risky Business”).
It was through one of Target’s vendors – an HVAC company – that a hacker was able to infiltrate the system, causing “the nightmare before Christmas” for the retailer and its customers (stolen credit card and debit card information of up to 70 million people) in 2013 (Maggie McGrath, “Target Data Breach Spilled Info On As Many As 70 Million Customers,” Forbes).
The role and risk of vendors in security lapses in the supply chain were further highlighted by the recent data breach at Verizon, the US’s largest wireless communications carrier. Verizon had been employing the Israeli-based telephonic software and data firm NICE Systems to carry out customer service analytics. The incident was discovered in late June 2017. An employee from NICE Systems had left the data of millions of customers exposed on an unsecured Amazon server for the previous six months (Todd Haselton, “Verizon Responds to Breach that Affected Millions of Customer Accounts,” CNBC).
Both buyer and vendor face potential disaster in the supply chain ecosystem. A weighty burden has been placed on buyers to ensure extreme thresholds of security from all vendor partners. In turn, vendors are at constant risk of legal liability from customers should a security problem be traceable to them. (Martyn, “Risky Business.”)
Assessing Cybersecurity Risks in the Supply Chain
A particularly pernicious aspect of cyberattacks is the way the threats are always “on the move”.
In today’s world, “common criminals, organized crime rings, and nation-states leverage sophisticated techniques to launch attacks that are highly targeted and very difficult to detect,” warns a report on the present-day state of cybercrime (PricewaterhouseCoopers, U.S. Cybercrime: Rising Risks, Reduced Readiness).
By their very nature, attackers try to circumvent roadblocks and counter-measures.
Staying ahead of threats – like the WannaCry or WannaCrypt ransomware attack and the rapidly-moving “Petya” – is challenging. “WannaCry” has affected over 230,000 computers in over 150 countries – with the most damage inflicted on the British National Health Service, Spanish phone company Telefónica and German state railways. “Petya” impacted not only Maersk Line but also the IT infrastructure of many other firms, such as pharmaceutical multinational Merck, advertiser WPP, food company Mondelez, and legal firm DLA Piper. When a virus affects a shipping company like Maersk Line that is responsible for the flow of goods (fleet, containers), the ripple effect on the supply chain is swift and enormous (Olivia Solon and Alex Hern, “'Petya' Ransomware Attack: What Is It and How Can It Be Stopped?” The Guardian).
Fast-moving, hostile groups and individuals possess the “persistence, tactical skills, and technological prowess” to damage and destroy major SCM systems, including, ominously, the logistics chain (PWC, US Cybercrime).
Whether through malware (“malicious software”), the use of compromised credentials made available on the “underground” Internet, distributed denial of service (DDoS) attacks (a bad actor’s disruption of systems) or SQL injection (the insertion of malicious code into Structured Query Language queries), among other tactics, hackers are inventive (Drew Smith, “Is your supply chain safe from cyberattacks?” Supply Chain Quarterly).
Also, while somewhat mitigated by employee training, it is not always possible to ward off insider events – those resulting from employee vulnerabilities. Insider events can include the phenomenon of social engineering (when a criminal gains access to buildings, systems or information by exploiting the human psychology of employees). There is also the casual use of devices by employees and the mishandling of information by workers who are not adhering to best practices (PWC, US Cybercrime).
The Potential Scale of Supply Chain Cyber Threats
At its core, Supply Chain Management “helps sustain human life – Humans depend on supply chains to deliver basic necessities such as food and water” (CSCMP, The Council of Supply Chain Management Professionals, “The Importance of Supply Chain Management”).
Any disruption could cause a societal breakdown. Because of the computer failure caused by Petya, workers had to manually monitor radiation levels at the Chernobyl nuclear plant and citizens of Kiev could not access ATM machines. (Nicole Perlroth, Mark Scott and Sheera Frenkel, “Cyberattack Hits Ukraine Then Spreads Internationally,” New York Times). The potential life-threatening risks in late June were very real - with the ransomware attack spreading to Heritage Valley Health System, which operates Heritage Valley Sewickley and Heritage Valley Beaver Hospitals in Western Pennsylvania, eastern Ohio and West Virginia, temporarily seizing up HVHS computer systems. Fortunately, the only actual operational suspension of service occurred at the health delivery network’s lab and diagnostic imaging community sites with those services now “fully functional.” (“Updates on the Cyber Security Incident at Heritage Valley Health System,” Latest News Posts, HVHS).
Exporters and importers are still “haunted” by delays from the system shutdown at Maersk and APM Terminals facilities - with Maersk Line accordingly waiving demurrage and detention charges that occurred (Mike Wackett, “Cyber Attack Still Haunting Maersk as it Struggles to Recapture Volumes,” The Loadstar). One can only imagine a grander-scale impact from a similar trigger event in the future. The next disturbance in the movement of people and goods in the supply chain could lead to more serious societal fallout beyond mere corporate performance (World Economic Forum, New Models for Addressing Supply Chain and Transport Risk: An Initiative of the Risk Response Network In collaboration with Accenture).
Cyber Complexity
A further dismal reason for why we “should be scared” for the future of the supply chain/transport network is the complexity of cyber threats.
Michael Daniel details the sheer level of complexity in his article “Why Is Cybersecurity So Hard?” (Harvard Business Review):
“Cyberspace operates according to different rules than the physical world. I don’t mean the social ‘rules’ but rather the physics and math of cyberspace. The nodal nature of a light-speed network means that concepts like distance, borders, and proximity all operate differently, which has profound implications for security.”
Because there is no such thing as typical proximity, nor typical borders, “physical world” constructs and solutions don’t work very well.
“For example, in the physical world, we assign the federal government the task of border security. But given the physics of cyberspace, everyone’s network is at the border. If everyone lives and works right on the border, how can we assign border security solely to the federal government? In the physical world, crime is local — you have to be at a location to steal an object, so police have jurisdictions based on physical boundaries.”
Not so in cyberspace. Organizations and institutions are touching upon tricky new frontiers legally and policy-wise, such as the proper division of the responsibility to protect between governments and private enterprise. Defense against risks (whether from the outside or the inside of an organization) needs significant investment to keep up with the threats.
Combating Cyber Risks in the Supply Chain: Greater Need to Act
Many companies are not devoting the necessary amount of investment to cybersecurity.
Alex Blau believes it comes down to behavioral economics (“The Behavioral Economics of Why Executives Underinvest in Cybersecurity,” Harvard Business Review). There are certainly daunting cost considerations. Worldwide spending on cybersecurity is set to exceed $1 trillion between 2017 and 2021 -- with many companies not being able to keep pace (Steve Morgan, “Cybersecurity Spending Outlook: $1 Trillion from 2017 to 2021,” CSO).
There is also hope. Blockchain solutions, banding together to pool cybersecurity efforts, smart sensors (Marianne Mannschreck, “How Smart Sensors and the IoT will Evolve Supply Chains,” ITProPortal), further training… these are all possible avenues for a better future, one in which (it is hoped) there will be less reason for fear.