BY LUCA URCIUOLI
Adjunct Professor of Supply Chain Management at the MIT-Zaragoza Program
Supply chain cyber threats are a growing concern for companies. In 2021 alone, IT security experts identified a 15.1% increase in the average number of cyberattacks and data breaches compared to the previous year. With companies around the world embracing Industry 4.0 and process digitisation trends, these numbers are expected to rise. Therefore, global industries and governments must carefully drive these ongoing trends by ensuring the correct deployment of solutions and strategies to improve security and strengthen the robustness of the supply chain overall.
Motivations of cyberattacks
The motivations behind cyberattacks can be several. We will distinguish between three types: motivation driven by economic, ideological and geopolitical factors. Security problems like theft and counterfeiting in supply chains are not new for companies. However, building up defence with physical security measures may shift attacks to more vulnerable layers, specifically IT systems. Using cyberattacks (e.g., manipulating data, copying data, sabotaging security devices, and so forth), organised criminal groups could facilitate theft of money, intellectual property or any other type of valued company assets.
In other cases, attacks are perpetrated following specific ideologies (i.e., hacktivism), sending a message “to disrupt, embarrass, or make an example of their target — or all” (Urciuoli et al. 2013). For instance, cases have been registered of attacks made to condemn the actions of industries that do not respect sustainable goals. Terrorism and religious ideals may lie behind attacks to punish groups of people and sink a country into fear or panic.
Finally, geopolitical tensions often escalate into cyberwarfare, namely national hacking groups that cause harm by disrupting vital societal functions. Recently, Italian energy and electric operators were targeted by cyberattacks to disrupt the gas and electricity supply. Experts believe that Russian hackers are behind these attacks. In addition, hackers could steal and gather sensitive information from countries or use media and communication channels to drive propaganda to weaken existing regimes.
Anatomy of increasingly sophisticated supply chain attacks
Cyber threats are any activities aiming to perform illicit actions against individuals or organisations by means of computers, networks or hardware devices. Companies can be deprived of sensitive data — e.g., employee, customer or supplier data — but also of intellectual property like new product designs.
Cyber breaches could halt operations, affecting productivity, sales, order fulfilment and customer satisfaction. In very extreme cases, hackers could manipulate the programmable logic controller (PLC) systems of manufacturing plants, affecting quality, brand reputation and even resulting in societal safety concerns.
Looking at past events, hackers have attacked isolated supply chain nodes, causing substantial damage. For instance, on 4 December 2020, a group of hackers targeted PickPoint, an e-commerce solution specialising in package lockers, in Moscow. The parcel locker company had a network of 8,000 lockers located in Moscow and St. Petersburg in open and freely accessible spaces. Using a cyberattack, the hackers managed to open 2,732 package lockers in Moscow and steal the packages inside, demonstrating the vulnerability of the last mile in supply chains.
Another technique to attack supply chains consists of malware that can infect computers in a chain sequence. For instance, in 2017, the NotPetya virus compromised the systems of logistics conglomerate Maersk, subsequently spreading across industries and seaports, infecting more than 200,000 computers in 150 countries and causing billions of dollars of damage. When Maersk realised how quickly the virus was spreading through its network of partners and customers, it decided to shut down its system completely. The shutdown was followed by three days of silence regarding all tracking and logistics operations. Port terminals had to halt operations, leaving thousands of maritime vessels waiting at the docks or anchored at sea surrounding the port terminals. The NotPetya resembled the WannaCry ransomware, as it blocked computers showing the message “a disk contains errors and needs to be repaired.” To unblock their computers, victims were requested to pay a ransom.
Maersk managed to rebuild its entire IT infrastructure in 10 days and slowly restore its operations. However, it has been estimated that the company suffered losses of $300 million and immeasurable damage to its reputation, especially considering the media coverage after the attack.
Supply chain attacks
During the last few years, cyberattacks have become more complex and perpetrators more aware of the supply chain behind the single organisations attacked. Accordingly, many large enterprises have enhanced their protection against cyberattacks. However, hackers have understood that smaller companies that are part of the same supply chain are easier to infect and can be used as a springboard to re-infect their suppliers or buyers, among them larger groups of vendors. Cyber experts have coined the term supply chain attack to categorise these events.
For instance, in 2020, hackers managed to infiltrate SolarWinds, a supply chain software provider. They introduced backdoor malware as an update or patch for SolarWind’s Orion software and managed to further compromise the data, networks and systems of all companies using this software. This hack has affected more than 18,000 organisations and is believed to have compromised nine federal agencies and approximately 100 private sector companies. The most worrying aspect is that the insiders remained undetected for several months, probably stealing and compromising enormous amounts of data. This was not an isolated attack, since similar incidents were registered in May 2021 and July 2021 in the Colonial Pipeline and Kaseya ransomware attacks, respectively.
Important steps to secure supply chains from cyber threats
It is clear that supply chains and current trends like automation and digitalisation bring numerous benefits to companies and societies. Researchers have demonstrated in several instances that these trends can significantly improve productivity, operational cost efficiency, time-to-market, customer response time, and so on.
Information exchange across the supply chain reduces bullwhip effects and helps managers optimise safety stock and synchronise handoffs in the supply chain. Other information that supply chain companies need to share concerns new products designs and other internal documents related to strategic plans for suppliers’ development programs. This all contributes to making the supply chain more competitive and gaining market shares.
The interconnectedness between supply chain stakeholders must continue to be fostered and further bolstered by specialised cyber protection, focusing on securing the supply chain end-to-end. That is, an organisation alone cannot protect its operations and equipment without involving all of its suppliers and their IT security professionals.
Standards and certifications exist to support organisations willing to improve their protection against cyber threats. Examples are international standard ISO/IEC 27001 and NIST 800-55 from the National Institute of Standards and Technology (NIST), an agency of the US Department of Commerce. The ISO/IEC 27001 standard includes several control procedures to ensure that organisations can ensure the security of their ICT layers. These include access control, physical security, system acquisition, maintenance procedures and supplier relationships, among others. Standard NIST 800-55 proposes a robust methodology to identify and measure the impacts of security controls in three categories: implementation, efficiency and effectiveness, and organisational impact measures.
NIST, in particular, has developed a specialised approach to address cybersecurity in supply chains, with a major focus on procurement, supplier contracting and information sharing: NIST Cybersecurity Supply Chain Risk Management (C-SCRM) practices. Consequently, activities such as supplier selection, bids, evaluation of requests for quotes (RFQs)/requests for proposals (RFPs), and contractual terms should be performed in compliance with cybersecurity requirements.
The interconnectedness between supply chain stakeholders must continue to be fostered and further bolstered by specialised cyber protection, focusing on securing the supply chain end-to-end
Likewise, supplier auditing and performance monitoring are expected to include cybersecurity risk management and trigger the re-evaluation of the contracted conditions with suppliers or the establishment of a mitigation response in the case of a breach. The guideline includes several important practices for training managers, e.g., information sharing rules, usage of workflows to publish and consume information, information sharing agreements, protection of sensitive data and ongoing support for any type of information to be shared with suppliers.
Consumer data protection
Another important responsibility of supply chain companies concerns consumer data protection. Companies operating in the e-commerce and retail sectors should have systems in place to protect their consumers’ information. Hackers can perpetrate attacks to steal identities and credit card details (millions of credit cards were stolen by hackers from Sony’s PlayStation network, for example). Privacy ensures trust in a society, respect and freedom of thought. Most importantly, it limits political power: “The more someone knows about us, the more power they can have over us.” Hence, personal data protection is even more critical from a geopolitical and national security perspective when, for example, national hacker groups steal information for propaganda schemes.
Countries in Europe are working intensively by preparing legislative frameworks to ensure the protection of personal data. Internet websites and other applications typically collect personal data (e.g., e-commerce, e-learning, and transport apps and websites). Important aspects regarding personal data protection are contained in the European Union’s General Data Protection Regulation (GDPR) — (EU) 2016/679 — which sets guidelines for “the processing by an individual, a company or an organisation of personal data relating to individuals in the EU.”
According to the GDPR, personal data refer to information or pieces of information that could be collected together in order to lead to the identification of a particular person. Nevertheless, existing policies and regulations are not drafted to specifically govern the operations of Intelligent Public Transport Systems (IPTS). Therefore, advances in new regulatory frameworks are expected in the coming years.
In conclusion, cybersecurity plays a special role considering the ongoing transformation of supply chains as recommended by Industry 4.0 practices. Boardrooms need to address these challenges by developing new strategies that incorporate zero-trust approaches as well as systems enabling cybersecurity risk detection and response. Protection must be enhanced and extended to the whole supply chain, end-to-end, and its internal functions. Likewise, existing standards are available to implement cybersecurity measures and — most of all — harmonisation throughout the supply chain, eliminating weak holes that hackers could exploit in their attacks.
Dr. Luca Urciuoli is an Adjunct Professor of Supply Chain Management at the MIT-Zaragoza International Logistics Program. He is also an Associate Professor at the KTH Royal Institute of Technology (Stockholm, Sweden) and a Research Affiliate at the MIT Center for Transportation & Logistics (MIT CTL).
- Boyens, Jon M. 2022. Cybersecurity Supply Chain Risk Management for Systems and Organizations.
- Desai, Avani. n.d. Council Post: The Urgent Concern That Boardrooms Must Brace for in 2022: Supply Chain Cyberattacks. Forbes. Accessed September 14, 2022.
- EU Data Protection Rules. 2019. European Commission. 2019.
- Kaspersky. 2019. What Is Cyber Security? Kaspersky.com. 2019.
- Levy-Bencheton, Cédric, and Eleni Darra. 2015. Review of Cyber Security and Resilience of Intelligent Public Transport. Good Practices and Recommendations. Edited by European Union Agency for Network and Information Security (ENISA). ENISA Reports, December.
- Oladimeji, Saheed, and Sean Michael Kerner. 2022. SolarWinds Hack Explained: Everything You Need to Know. WhatIs.com. June 29, 2022.
- PlayStation Network: Hackers Claim to Have 2.2m Credit Cards. 2011. The Guardian. April 29, 2011.
- Protection of Personal Data and Privacy. n.d. Www.coe.int.
- Solove, Daniel J. 10 Reasons Why Privacy Matters. TeachPrivacy. January 20, 2014.
- Supply Chain Attack Examples.” n.d. Www.ncsc.gov.uk.
- Urciuoli, Luca, Toni Männistö, Juha Hintsa, and Tamanna Khan. 2013. “Supply Chain Cyber Security – Potential Threats.” Information & Security: An International Journal 29: 51–68.
- Walton, Hilary. n.d. The Maersk Cyber Attack - How Malware Can Hit Companies of All Sizes. Www.kordia.co.nz. Accessed September 14, 2022.