Lurking behind the real-time benefits of interconnected technologies and trading partners are the disruptive dangers posed by threat agents armed with ransomware as a service.
Behold, the wonders of the digital, integrated supply chain! Real-time visibility through automated, connected access to information shared between suppliers, customers and third-party service providers and to data exchanged between automated equipment, systems and technologies. The opportunities—for greater collaboration, faster decision making, flexible inventory management, more informed planning through data analytics and improved resilience amid unpredictability—appear limitless.
Unfortunately, that same interconnectedness also offers cybercriminals limitless opportunities to attack, breach, infiltrate and disrupt operations up and down supply chains. All that transparency is making partners across supply chains feel a little exposed.
Cybersecurity, historically under the umbrella of information technology (IT) departments, is increasingly playing an important role in logistics and supply chain management as companies recognize the risks posed by threat agents (formerly known as hackers). In Gartner’s latest Supply Chain Technology User Wants and Needs Survey, 90% of respondents indicated plans to increase cybersecurity spending.
While that may be reassuring, there are still a number of challenges to overcome in order to keep digitized and interconnected supply chains secure. Companies are utilizing a number of strategies and technologies as they work to keep cybercriminals at bay.
The Supply Chain Cybersecurity Disconnect
The first challenge facing supply chain leaders might be convincing their counterparts in IT that cybersecurity doesn’t have a one-size-fits-all solution. There are multiple security solutions and a variety of connection points—yet very little standardization across cybersecurity practices.
That supports an assertion by Steven A. Melnyk, Ph.D., professor of supply chain and operations management at Michigan State University. He notes that cybersecurity across supply chains is fundamentally very different from cybersecurity within a company.
“When it comes to cybersecurity, most large firms have got religion. They understand the importance of it, and they understand how to protect themselves,” he explained.
The disconnect, he continued, is a failure to realize that larger players within supply chains often partner with small- to medium-sized companies.
“One mistake that larger operations often make when they look at supply chain cybersecurity is they assume that small firms are just like big firms—only smaller. That’s wrong,” he said. “They also fail to realize, in many cases, that threat agents aren’t interested in the supplier per se. They’re just using the supplier as an access point so they can infiltrate a larger target.”
Cyber attackers frequently will exploit a smaller third-party service provider or a supply partner’s software or system vulnerabilities to penetrate a larger organization’s systems and data, agreed David Schiffer, CEO at RevBits, a cybersecurity firm. These incidents can manifest in a variety of ways.
“They install malicious code that spreads across the network. This allows them to target and compromise more privileged and substantial targets that can significantly impact operations,” he explained. “Attackers will exploit single sign-on services, which enable users to access multiple systems with a single set of credentials. They will also attempt to compromise digital certificates, applications and web services.”
Increasing deployments of Internet of Things (IoT) devices throughout manufacturing and distribution facilities give threat agents yet another entry point to access more critical systems, continued Schiffer. “They will flood traffic to overwhelm networks, services and servers, causing a denial of service and disrupting an organization’s operations.”
Other cyber breach strategies include watering hole attacks, in which a threat agent infects a website that a target frequently visits in order to infect the target’s computer, and leapfrog attacks, in which the attacker identifies a vendor with weak cybersecurity and easily sidesteps their defenses. The objective is to gain access to personal data, organizational databases, passwords, or user identifications (IDs) that access the larger organization.
Phishing is yet another means to gain access. Instead of exploiting a technical vulnerability, a perpetrator impersonates a legitimate business or reputable person and manipulates an internal staffer to open a malicious email or divulge private and sensitive information—such as personal identification numbers (PINs) or passwords. The United States Cybersecurity and Infrastructure Security Agency (CISA) believes phishing is the method used in 90% of all cyberattacks.
Ransomware on the Rise
Once they’re in, threat agents identify and encrypt critical data with ransomware, rendering it inaccessible. They then offer to restore access for a price, or ransom. In the U.S., the average ransom payment in the fourth quarter of 2023 was $568,000, a decline from the previous quarter’s high of $850,000, according to Statista Research.
“Ransomware has grown in importance because of three factors,” explained Steve Stasiukonis, managing partner of Secure Networks Inc., a cybersecurity assessment and penetration testing service provider. “Number one, threat actors can go on the dark web and buy RaaS, ransomware as a service. Number two, payouts are being demanded in cryptocurrency, which is untraceable. And, number three, certain nations—such as Russia, North Korea and China—are safe havens for crypto accounts, as well as have bulletproof hosting servers.”
A ransomware situation will literally bring a business to its knees, Stasiukonis continued. “These are the most sophisticated criminals in the world. They understand supply chains, and that businesses run on certain systems and applications. They know that if they create as much disruption as possible—say by blocking access to the billing system, the customer database or the payroll system—the business won’t function, and then they’ve won.”
Although the cybersecurity breaches that affect large operations are the ones that make headlines, no company is immune. “The size of the target has become less important to many threat actors, because money is money,” he added. “They know most companies have cyber insurance and it’s an easy payday. Depending on where in the world they live, like former Soviet bloc countries, scoring $100,000 on a ransom is more money than they might otherwise make in a decade.”
Strategies for Improving Supply Chain Cybersecurity
Stopping a cybersecurity attack before it breaches the supply chain network relies on endpoint detection and response, Schiffer said. Yet the sheer number of endpoints—devices that connect to and communicate with a network, like computers, mobile devices, tablets, servers and virtual environments—across supply chains is daunting.
“A supply chain organization’s servers, systems and applications are diverse and run across multiple clouds, on-premises, hybrid and air-gapped environments. That’s why implementing more robust access controls across all environments with sensitive data is imperative for critical security,” he continued.
Schiffer advised several strategies to enhance cybersecurity across supply chains. They include:
- Restrict access to only those who need it. “This helps reduce the risk of unauthorized access. This is where zero-trust networking, identity access and privileged access management for accounts, users and credentials play critical roles in using policies to enforce user and device access restrictions,” he explained.
- Establish zero-trust security from the edge and through multi-cloud hybrid environments. “Zero-trust security must support on-premise and remote workers, third-party contractors and suppliers with restricted access to desired resources and applications within a network that controls direct user authentication,” noted Schiffer.
- Encrypt sensitive data during transmission or storage. “Converting data into a code to prevent unauthorized access using encryption protects data if an attacker gains access because they won’t understand the data without the decryption key,” he said.
There are a variety of cybersecurity technologies available, added Stasiukonis. “They’re all great products, as long as they’re installed correctly and configured properly,” he cautioned. “The problem is that a company will buy the product, implement it and not understand that if it isn’t properly configured, it’s worthless.”
To verify a solution’s effectiveness, Stasiukonis advised penetration testing at a “red team” level. Red teams use sophisticated techniques to simulate real-world attacks and dismantle an organization’s cybersecurity defenses. The goal is to help the company identify and fix weaknesses in its systems, operational strategies and defenses.
“Don’t cheap out on the services! Spend the money to test your network like an adversary and find every exposed vulnerability,” he urged. “And test regularly and routinely. Cybersecurity is definitely not ‘set it and forget it.’”
Employee training on cybersecurity topics such as password strength, software updates and avoiding phishing schemes is also essential, added Stasiukonis. He recommended making the message relevant to users as individuals, rather than as employees.
“The same cybersecurity best practices at work also apply at home, only they don’t have an IT department to call if their banking app is compromised and their account emptied,” he said.