The Notion of Supply Chain Cybersecurity
In 2012, an American chemical company reported that Chinese hackers had entered the company’s network using a phishing e-mail and gained control of servers in Germany and Canada.
For nearly three months, the hackers extracted critical pieces of company information, including customer order history, price quotations, and terms, the company’s cost structures, details about innovations about to be introduced into the market and even access to the firm’s manufacturing planning and control system.
Once the hackers had extracted what they needed, they made their move.
First, they altered the master production schedule (MPS), randomly changing order due dates, order quantities and order quality levels, wreaking havoc on critical customers who were relying on deliveries. As if by divine intervention, a new Chinese chemical firm approached these customers with “low-ball” offers for the affected products.
The result was predictable: The customers switched vendors so that they could maintain their production schedules. Almost simultaneously, the new Chinese firm obtained patents on new products identical to those the American firm was developing. The company was left reeling.
We begin with that example for a number of reasons.
First, it introduces the notion of supply chain cybersecurity: the need to protect the firm’s supply chain and its assets (information, intellectual property and processes) from the negative effects of hacking. As the story shows, cybersecurity is not simply a corporate concept; it is now a supply chain concept.
Second, it is not unique. In a 2018 report, the U.K.’s National Cybersecurity Centre highlighted a number of cyber attacks targeting supply chains. In one example, a cyber espionage group known as Dragonfly focused on companies in the energy sector across Europe and North America. In one of its attacks, Dragonfly “trojanized” industrial control software on the websites of ICS software suppliers. When the software was downloaded by end users, it installed malware that allowed the external seizure of a company’s systems controls. What made this attack so devastating and difficult to detect was that the malware was downloaded from a trusted source, an unwitting supplier.
Third, it should be a call to action for the supply chain management community. As the digital economy increases in importance, we fully expect the need for more research into this topic, including the identification and evaluation of techniques and approaches to either minimize the probability of a hack taking place or to reduce the effects of the breach once it has occurred. Clearly, supply chain cyber security affects supply chain risk and resilience and therefore a firm’s cybersecurity capability is one additional factor leading to enhanced resilience.
Finally, we note that cyber threats are a relatively new development. As a consequence, the topic is typified by confusion and misperceptions. Consider the heightened interest in blockchain as a panacea. While important, we contend that blockchain alone is not enough if a firm is interested in developing and deploying a comprehensive, effective cybersecurity strategy.
In this article, we will provide a structure around supply chain cybersecurity, with the goal of helping the reader better understand what it is, the reasons it’s important, and its key elements. Our message is simple:
- cybersecurity is a supply chain issue, not just a corporate issue - ignore at your peril;
- technology alone is no silver bullet; and
- justifying investments in cybersecurity is difficult, especially for anyone looking for a traditional ROI.
What is Supply Chain Cybersecurity and Why Now?
Cybersecurity is a relatively new development in a supply chain world that is rife with new digital innovation, including Industry 4.0, the Internet of Things (IoT), Cloud computing, machine-to-machine communication (M2M), 3D printing and social media. And it is growing: The World Forum estimates that by 2020 roughly 4 billion people, or 50% of the world’s population, will be connected to the Internet daily.
What’s more, the digital economy is estimated to be growing at 10% per year, with emerging markets growing between 12% and 25% per year. It’s no surprise that supply chain managers are shifting their focus from cost containment and reduction to innovation and responsiveness. To make that possible, the volume of digital communication, including real-time communication with and connection to global suppliers, will continue to grow exponentially. So too will the vulnerabilities of supply chains.
Some researchers have termed these digital developments collectively as the cyber supply chain. It promises to improve efficiency, reduce lead times, reduce order quantities, support greater order customization and reduce supply chain risk. This last benefit is the result of better inventory pooling, postponement, reduction of the bullwhip effect and other similar capabilities enabled by digitization. At the same time, the digitization of the supply chain creates three categories of critical digital assets: (1) information technology (IT); (2) intellectual property (IP); and (3) operational technology (OT). Each also presents an attractive target to cyber hackers. Let’s look at each.
Information technology (IT) describes those digital assets that deal specifically with data used to record transactions and to plan, schedule and execute plans. It includes bills of material, cost structures, routings, and master production schedules. The corruption of the chemical company’s MPS described earlier is an example of a cyber attack on IT.
In contrast, intellectual property (IP) describes the intangible assets that are often at the heart of a firm. Included in this category are items such as innovation, industrial designs, customer and supplier knowledge, and the organization’s core competencies. While IT is critical to day-to-day operations, IP is critical to the long-term survival and growth of the firm.
Operational technology (OT), the final category, includes the computer-controlled processes that drive operations on the shop floor within an organization or an organization’s contract suppliers. The Dragonfly attack is an example of a cyber attack on OT. While IT attacks affect the ability to plan, OT attacks affect the ability to deliver. Past research carried out by several of the authors has found that most firms are aware of the need to protect IT and IP; yet, little attention has been paid to the need to protect OT.
Assessing Cybersecurity Attacks
If you want to appreciate the increasing importance of cybersecurity, especially within the supply chain, consider the following statistics. In recent years, 69% of firms experienced an attempted or realized loss of data due to a cybersecurity breach, according to Accenture, and only 24% of firms believe that their security provisioning is “state-of-the-art.”
The same report found that firms had spent about $84 billion to defend against data thefts costing roughly $2 trillion - damages that could rise to more than $90 trillion a year by 2030. Yet, 36% of respondents reported that the executive team perceives the costs associated with cybersecurity as “unnecessary.” That is so even though about one-third of targeted attempts to breach a firm’s cyber defense succeed.
Those breaches are expensive: The average cost in the United States is $7.91 million, the mean time to identify a breach is 197 days, and the mean time to contain a breach is 69 days (or 276 days in total), according to a 2018 report from IBM Security and Ponemon Institute. The net result is that companies are investing significant sums to stop or minimize the negative consequences from a cybersecurity event but don’t necessarily fully appreciate the financial and reputational magnitude of the threat.
Finally, recent reports focused on combatting cyber risks in the supply chain have noted that major recent security breaches, such as the well-publicized breaches at Target and Home Depot, were the result of vulnerable supply chains. KPMG has identified vulnerable supply chain partners as the most significant gap in a firm’s ability to manage cyber risk. And, according to Accenture, between 35% and 57% of firms are now investigating business partners for the integrity of their cybersecurity provisions and their preparedness if an event were to occur.
These examples highlight several important issues. One is that the digital technologies with the most promise to create significant value are also generating the data that is attractive to hackers interested in corporate espionage, including organized criminals, nation-states, insiders and hacktivists. Another is that those committing such crimes are getting bolder, more creative and more unpredictable. And, finally, the supply chain is perceived as the weakest link in a firm’s cybersecurity structure.
One recent study observed that cyber-related vulnerabilities in one tier of the supply chain undermine the integrity of the security measures taken by downstream and upstream members of the chain. That is especially the case with small-to-medium size enterprises (SMEs), which are often the most vulnerable. SMEs are often targeted because they have “disproportionate access to important information given their size within the supply chain,” according to a CERT-UK study. They typically have the weakest cyber security arrangements, given their resource and managerial limitations; yet, they are often “mission critical” because they produce niche products for their larger partners that can’t be found elsewhere.
More Than Technology
While the roots of cybersecurity threats lie in technology, technology alone is no solution: You can’t just buy a better anti-virus program or migrate to a more secure operating system and declare victory. Rather, supply chain cyber security is an integrated system that relies on a combination of technology, process, culture, and management, especially the buy-in of top management through a compelling business case. We include culture in this mix because cybersecurity ultimately relies on people doing what is required because they want to do it rather than because they must comply. As Marc Lebaron, the chairman and CEO of Lincoln Industries, once so appropriately noted: “Culture is what people do when the boss is not around.”
An integrated system should provide a complete life cycle approach to dealing with cybersecurity threats - that is, it must deal with all four stages of the cybersecurity strategy: prevention, detection, containment, and recovery.
Finally, cybersecurity must be forward-looking as opposed to backward-looking. Too often, managers and researchers base their approach to the future on what has happened in the past. The implicit assumption is that the future will be a continuation of the past. When it comes to cyber security, nothing could be further from the truth. Hackers are smart, creative and relentless, and often supported by governmental agencies. Once you think you have figured out how they have compromised your organization’s cyber system, they will come at you with a new mode of attack. Consequently, one of the goals of an effective cybersecurity system is to anticipate attacks based on anomalies rather than looking for a repetition of past patterns. It is our position that any effective supply chain cyber security system must address the three questions identified below.
The first question, “What to protect?”, reflects the three critical digital assets we previously discussed: IT, IP, and OT. The second, “Against what type of attack?”, recognizes that there are three types of attack. A targeted attack is self-evident: The hackers want to get access to your valuable digital assets and they aren’t interested in any other organization but yours. In contrast, in a broad-based attack, the hackers are spreading a wide net in hopes of catching one or more organizations that respond to the attack - think phishing attack. Collateral damage refers to damage to the firm as a result of a cyber attack taking place elsewhere in the environment. For example, the NotPetya cyber attack in Ukraine affected companies such as Merck, FedEx, and Maersk that were not direct targets of the attack. An integrated cybersecurity strategy must deal with all three forms of attack.
The third question considers four areas of cybersecurity investment: (1) prevention refers to investments made to secure the system and prevent hacks; (2) detection refers to investments aimed at creating signals that breaches have either been made or have been tried; (3) containment refers to investments made to prevent the spread of the hack, once it has been identified; and, (4) recovery refers to investments made to return the system to an acceptable level of steady-state performance. Our point is that all four investments must be part of an integrated strategy.
The Problem with Blockchain
We began this article with a bold - perhaps outrageous - statement: Blockchain is vastly overrated.
Our argument is not that blockchain is irrelevant to supply chain cyber security; rather, we argue that while blockchain may be an important tool, based on the headlines, you might have the impression that it is the cure to whatever ails you, much the way RFID was touted as a supply chain wonder technology a decade ago. It is not. Here’s why.
At its roots, blockchain is structured to ensure security in an environment where trust is low and where there is a concern that someone can alter data, such as an individual altering an electronic check so that a $500 deposit becomes a $5,000 deposit.
Blockchain does this by creating multiple distributed copies, or ledgers, of the transaction. For a fraud like the one described above to be successful, all copies must be changed - something that blockchain’s structure makes almost impossible to achieve.
Viewed from this perspective, we contend that blockchain addresses some, but not all, of the concerns over supply chain security.
For example, blockchain does address threats to IT. It would have been effective for combating changes to the MPS at the chemical company we described at the start of this article because it would have been nearly impossible to change all of the ledger instances.
However, it would not have protected the intellectual property or operational technology that was also targeted in that attack. In other words, blockchain does not by itself deal with all of the dimensions of supply chain cyber security.
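To make the two preceding points concrete (distributed copies of a ledger, and why that helps against MPS tampering but nothing else), here is an added example that is not part of the article and not any product’s code: a toy hash-chained ledger of constructed MPS order records, copied to five nodes. The record names, quantities and dates are made up. Each block stores the hash of the previous block, so editing a record on one copy either breaks that copy’s own chain or, if the attacker recomputes that copy’s hashes, leaves its tip disagreeing with the other copies. Both cases are caught by a simple majority check; the ledger does nothing to keep the records confidential, which is the article’s point about IP and OT.

```python
"""Added illustration of the replicated-ledger integrity property described in
the article. Hypothetical, simplified code; constructed sample data."""
import copy
import hashlib
import json
from collections import Counter
from dataclasses import dataclass

GENESIS = "0" * 64  # hash value the first block links to

# Constructed sample master production schedule (MPS) records, not real data.
MPS_ORDERS = [
    {"order": "MO-1001", "sku": "RESIN-A", "qty": 500, "due": "2019-03-04", "grade": "A"},
    {"order": "MO-1002", "sku": "RESIN-B", "qty": 200, "due": "2019-03-06", "grade": "A"},
    {"order": "MO-1003", "sku": "SOLV-C", "qty": 1200, "due": "2019-03-11", "grade": "B"},
]


def block_hash(payload: dict, prev_hash: str) -> str:
    """Hash of the canonical JSON of a record plus the previous block's hash."""
    data = json.dumps(payload, sort_keys=True) + prev_hash
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


@dataclass
class Block:
    payload: dict
    prev_hash: str
    hash: str


class Ledger:
    def __init__(self):
        self.blocks: list[Block] = []

    def tip(self) -> str:
        return self.blocks[-1].hash if self.blocks else GENESIS

    def append(self, payload: dict) -> None:
        prev = self.tip()
        self.blocks.append(Block(dict(payload), prev, block_hash(payload, prev)))

    def verify(self) -> bool:
        """Recompute every hash; any edited record breaks the chain after it."""
        prev = GENESIS
        for b in self.blocks:
            if b.prev_hash != prev or b.hash != block_hash(b.payload, prev):
                return False
            prev = b.hash
        return True

    def rehash_from(self, index: int) -> None:
        """What an attacker with write access to ONE copy would have to do
        after editing block `index` so that this copy still verifies."""
        prev = self.blocks[index - 1].hash if index > 0 else GENESIS
        for b in self.blocks[index:]:
            b.prev_hash = prev
            b.hash = block_hash(b.payload, prev)
            prev = b.hash


def build_replicas(records: list, n: int) -> list:
    """Build one ledger from the records and distribute n identical copies."""
    master = Ledger()
    for r in records:
        master.append(r)
    return [copy.deepcopy(master) for _ in range(n)]


def consensus(replicas: list):
    """A copy is trusted only if its own chain verifies AND its tip matches
    the majority of verifying copies. Returns (majority_tip, votes, outliers)."""
    valid = [i for i, r in enumerate(replicas) if r.verify()]
    tips = Counter(replicas[i].tip() for i in valid)
    majority_tip, votes = tips.most_common(1)[0]
    outliers = [i for i, r in enumerate(replicas)
                if i not in valid or r.tip() != majority_tip]
    return majority_tip, votes, outliers


def demo() -> dict:
    replicas = build_replicas(MPS_ORDERS, 5)
    result = {"initial_ok": all(r.verify() for r in replicas)
              and consensus(replicas)[2] == []}
    # Tampering 1: a due date is changed on copy 0 without touching the hashes.
    replicas[0].blocks[1].payload["due"] = "2019-04-20"
    result["naive_edit_detected_locally"] = not replicas[0].verify()
    # Tampering 2: a quantity is changed on copy 1 and that copy is re-hashed,
    # so its own check passes; only comparison with the other copies reveals it.
    replicas[1].blocks[2].payload["qty"] = 120
    replicas[1].rehash_from(2)
    result["rehashed_edit_passes_local_check"] = replicas[1].verify()
    _, votes, outliers = consensus(replicas)
    result["majority_votes"] = votes
    result["outliers"] = outliers  # copies to discard and re-sync from the majority
    return result


if __name__ == "__main__":
    print(demo())
```

The majority check is the whole defence: an attacker who can rewrite one copy must rewrite most of them to win, which is the property the article attributes to blockchain. Note what the same script does not do: every node holds the full, readable schedule, so confidentiality of the records (the IP concern) and the behaviour of the shop-floor systems that consume the schedule (the OT concern) are untouched by it.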
Despite the costs paid by firms like Target following a serious breach, getting firms to take cybersecurity seriously is difficult, especially as it pertains to the supply chain. That was certainly the experience of the U.S. Department of Defense. From 2016 to 2017, the DoD attempted to enforce supply chain cyber security through a combination of mandate and threat. The mandate, DFARS 252.204-7012, was built on the NIST SP 800-171 cybersecurity framework. The threat was that if a supplier was not compliant with the framework by December 31, 2017, it could no longer do business with the DoD. In the end, the DoD found compliance with the new mandate difficult to achieve. The obstacles encountered are familiar to those in the non-governmental world.
It is new. One of the biggest challenges facing supply chain cyber security is that it is new. Consequently, while a great deal has been written about the topic, it’s difficult to separate the wheat from the chaff - to identify what is important and true from the inaccurate and exaggerated. We would argue, for instance, that a lot of what has been written about blockchain tends to fall into the greatly exaggerated category. It also takes time to build up the supporting infrastructure, which includes a network of consultants, case studies (often of successful implementations) and the support of professional societies like SME, ISM, and CSCMP, where experiences can be raised and shared and solutions distributed. Many firms tend to be risk-averse when it comes to new issues like cybersecurity, willing to wait until the confusion has cleared and they know what has to be done. This means that many firms are reluctant to invest now, despite the anecdotal evidence supporting the need for enhanced cybersecurity.
Building a business case. Investing in cybersecurity is expensive and time-consuming. This point was driven home to the authors in a recently completed study of the response of the supply chain to the DoD cybersecurity mandates.* One of the questions we posed to some 200 respondents was how much they estimated it would cost to become compliant. About 36% of the respondents answered less than $50,000 while another 33% of respondents indicated more than $500,000. That was a ten-fold difference. Further investigation uncovered that experience was the reason for the gap in expectations.
Those companies that had yet to begin the process of becoming compliant were more likely to see costs at the low end while those that had either attained compliance or were working on it were found at the upper end.
Because it is an investment, cybersecurity can be approached in one of two ways: as a constraint or a requirement that has to be met, making it another cost of doing business to be minimized; or as an opportunity, something where the benefits exceed the costs. Firms that view it as a constraint will do the minimum required - at their peril. However, before it can be viewed as an opportunity, a business case must be developed. Here’s the problem: Because cybersecurity is so new, the cost of not having cybersecurity is more difficult to calculate relative to the cost of improving cybersecurity.
What is needed is a cost of cybersecurity measure - an approach similar to the cost of quality developed in the late 1950s that convinced many firms of the need to invest more in quality improvement.
Lack of case studies. Successful case studies offer potential templates for other firms to follow; unsuccessful case studies help firms understand what works and what does not. Yet, it is almost impossible to get case studies when it comes to cybersecurity. Simply put, given the potential hit to customer confidence, a company’s share price or its borrowing costs, no one wants to share their experiences, regardless of the outcome. During our research for this article, we were struck by the number of individuals we interviewed who would only share their experiences if the identity of their firms was hidden. Without being able to capture these experiences, our ability to build better cybersecurity systems is greatly hindered.
Lack of performance measures. If supply chain cyber security is to become a fact of life, then it must become part of the performance measurement ecosystem, with regular measurements that reflect the current level of performance. As the old adage goes: “What gets measured, gets managed.” At the same time, few measures of cyber security are currently available. Without those measurements, the implied message from supply chain managers will be that cybersecurity is not important, which is a dangerous implication. One further note: It must also become part of supplier contracts and specifications.
SMEs. The final, and most important, challenge is the threat posed by SMEs, which are typically firms with fewer than 500 employees. During the DoD’s compliance efforts, it found that SMEs were the least likely to comply with the new cybersecurity mandate. They (1) didn’t really understand cybersecurity; (2) didn’t have the resources to become compliant; and, (3) didn’t understand the underlying NIST framework.
In other words, they weren’t choosing not to comply, they simply weren’t capable of compliance. Without more attention to this space, SMEs will continue to be the weak link in the supply chain.
During our research for this article, we developed five critical takeaways:
- Cybersecurity is not an IT issue. Improving cybersecurity is not simply a matter of throwing more IT people or software at the problem. Rather, it must be integrated into business processes and it must become everyone’s responsibility. That includes the C-suite and the Boards of Directors to ensure that a firm’s stakeholders will not suffer from a risk that can be managed.
- Cybersecurity is a supply chain issue. Savvy supply chain managers and governmental agencies now recognize that in a digital age, the real vulnerability to their systems is a compromised tier 2 or tier 3 supplier that is part of their connected supply chain. As we previously noted, most of the major security breaches have occurred through the supply side of the supply chain.
- Cyber attacks are on the rise. No one doubts that we can expect the level of cyber attacks to increase in the future. A recent report noted that the global cost of ransomware damages exceeds $5 billion and predicted that the total costs associated with cybercrime will hit $6 trillion per year by 2021; meanwhile, the number of unfilled cybersecurity jobs is expected to triple. No wonder that Ginni Rometty, IBM’s CEO, and Warren Buffett have identified cybercrime as the greatest threat to business and consumers.
- SMEs are ground zero. We’ve said it earlier, but it bears repeating: If a firm is going to be attacked, it will be through the weakest link. Right now that is SMEs. Yet, without more research, we don’t currently understand what it will take to protect this critical link in the supply chain. We do know they are key to developing an integrated strategy.
- It’s time to act. Firms need a systematic, integrated approach to cybersecurity, and they need it now. Within this new context, we can see that blockchain is vastly overrated but supply chain cyber security is vastly underrated.
*Melnyk, S.A., Peters, C., Spruill, J., Sullivan, K.W. Implementing Cybersecurity in DoD Supply Chains. NDIA white paper, Manufacturing Division Survey Results, July 18, 2018.
About the Authors
Steven A. Melnyk is a professor of operations and supply chain management in the Department of Supply Chain Management, Michigan State University. He can be reached at [email protected]. Cheri Speier-Pero is the interim chairperson of the Department of Supply Chain Management, Michigan State University, and the Ernst & Young professor in accounting and information systems. She can be reached at [email protected]. Elizabeth Connors is a faculty member in the Department of Accounting and Information Systems at Michigan State University. She can be reached at [email protected].
Running Blockchain Pilots for Your Supply Chain
In 2018, Blockchain was one of the most trending technologies alongside AI.
Blockchain has managed to excite all the stakeholders in the supply chain industry. It is touted to make end-to-end visibility a reality, change B2B communications for good and automate complicated processes using smart contracts. Stakeholders understand the benefits of blockchain, but the biggest question is, how do you get started with it?
The paper "Running Blockchain Pilots for Your Supply Chain - A CIO's Guide" aims to guide you towards a first blockchain pilot. It answers important questions. How exactly is blockchain different from traditional databases and what can blockchain do for us that traditional databases cannot?
The authors take a close look at its features to discuss how they make blockchain a very effective technology when it comes to breaking down information silos, leading to transparency.
Blockchain can also act as the ultimate source of truth when there are multiple organizations participating in transactions. With its unique features and strengths, blockchain can solve the following problems effectively for the supply chain industry:
- Maintaining one version of the truth across the entire supply chain.
- Empowering organizations to trace and track assets instantly as opposed to days or weeks.
- Making end-to-end visibility possible.
Finally, the paper breaks down the basic components of a blockchain pilot:
- A blockchain network.
- Data extraction tools to extract data from your data resources (ERP databases, EDI files, etc.).
- Data standards (ANSI X12, GS1 EPCIS, etc.) using which you can send the data to the blockchain. This is necessary for interoperability.
- User interface application that can query the blockchain to display information to the end user.
Running a blockchain pilot will give you perspective on how blockchain will fit in with your use cases, scale, existing technologies, and your team. New ideas emerge and metrics on efficiency gains can be derived, giving you objectivity. Pilots let you shed obsolete technology and move to better emerging technologies iteratively.