Supply Chain Matters provides another deep-dive perspective on the ten outlined 2018 Predictions for Industry and Global Supply Chains unveiled in mid-December. Blog readers can now download our complimentary full research report in our Research Center.
In this installment, we dive into 2018 Prediction Four: Cyber Risk and Information Security Safeguarding Needs Consume Supply Chain Risk and Advanced Technology Investment Considerations.
With every passing month, the increasing frequency and sophistication of cyberattacks, some by state-sponsored players, threaten to do harm to major brands, service providers, and their customers. Many specialists in the field of cyber security are predicting that 2018 will present even more challenges for data and information breaches, and some have raised alarms that the next potential threat will involve taking control of devices within physical manufacturing, utility, or transport networks.
We, in turn, are predicting that cyber-related risk and information security safeguarding will consume business, IT, and industry supply chain teams, not so much by choice, but from compelling needs dictated by stockholders, boards, and C-Suite executives. Brand and reputational risk is now a significant top-of-mind concern for businesses, and budgets will likely reflect support for mitigation efforts as a top priority. Such concerns will strain budgets and available resources and will especially consume the time and attention of procurement and supply management teams.
One of the largest retail data breaches in history occurred in 2013 when personal credit card information concerning upwards of 40 million Target shoppers was stolen by hackers. The hackers gained initial entry using a refrigeration repair services supplier’s login credentials, which granted open access to Target’s business systems, where the hackers were eventually able to find customer credit card data. Target incurred a reported $60 million in expenses directly related to the retailer’s response to the credit card information breach; it damaged the reputation of the brand and cost the CIO and the CEO their jobs, both being forced to resign.
In late 2017, in what was described as a watershed cyber-attack, suspected state-sponsored hackers targeted Triconex industrial safety technology provided by Schneider Electric. The incident, which Schneider confirmed and which prompted a security alert to customers, involved a safety system used in energy generation facilities, including nuclear and oil- and gas-powered plants. Sources with knowledge of the attack prudently declined to identify the source or location of the attack, and published speculation indicates a possible Middle East-based target. According to a published Reuters report, the incident marked the first report of a safety system breach at an industrial plant.
In late 2017, news surfaced that a skilled Vietnamese hacker, reportedly utilizing the credentials of a third-party contractor, penetrated the operational systems of the agency supporting Australia’s Perth International Airport and stole what is described as a “significant amount” of sensitive security information, including building plans. This incident occurred in 2016, and the report surfaced after the hacker was arrested and tried by a Vietnamese military court. While systems directly involved in supporting flight operations were reportedly not involved, the airport has since invested $2 million (AUD) in additional security measures. The reported Australian incident surfaced after London’s Heathrow Airport officials launched a reported urgent investigation after an unprotected USB memory stick containing information regarding that airport’s security measures to protect the Queen was found on a London street.
Such incidents are in the shadow of the massive information breach that occurred at Equifax, exposing sensitive personal information of untold millions, and the U.S. Federal Government’s Office of Personnel Management data breach, which compromised information in federal employees’ security clearance files. Both incidents provided more sobering reminders of increased cyber security threats.
As we pen this deep-dive into this prediction, news has surfaced that Intel, the globe’s largest producer of computer processing chips, disclosed that all modern processors can be attacked by techniques described as Meltdown and Spectre, potentially exposing crucial data such as passwords and encryption keys. Enterprise technology providers are now scrambling to push out patches and fixes for servers, PCs, laptops, smartphones, and other devices. Such patch actions and updates will obviously be a high priority for internal IT teams and operational executives to monitor and report on in the months to come.
Industry Supply Chain Specific
More closely related to global supply chain management, in late June 2017, a sophisticated ransomware attack that gained entry through a legacy payroll application spread from Europe across multiple countries. The result was a multi-day interruption in the operational services of some European-based logistics and transport firms as well as the globe’s leading ocean container line. In the latter case, A.P. Moeller Maersk discovered that the attack spread across many of its linked operational systems, including its business subsidiary, APM Terminals, disrupting a reported 17 individual port operations, including those of Rotterdam, New York-New Jersey, Los Angeles-Oakland, and Mumbai. The virus spread so quickly that the company’s IT teams were forced to immediately shut down all systems.
In late November 2017, the Information Security Forum (ISF), a global, independent information security body that focuses on cyber security, predicted an increase in the number and impact of data breaches. Steve Durbin, Managing Director of ISF, indicated to business media that attacks in 2018 will be far more expensive for organizations of all sizes.
“In 2018, we will see increased sophistication in the threat landscape with the threats being personalized to their target’s weak spots or metamorphosing to take account of defenses that have already been put in place. These days, the stakes are even higher than ever before.”
The ISF outlined five global security threats, two of which were described as follows:
“The supply chain will remain the weakest link in risk management.” The ISF indicates that as information continues to be electronically shared up and down and across the global supply chain, organizations will need to focus on the weakest links in information security.
The Internet of Things (IoT) will further add unmanaged risks. With the expected increased interest in IoT enablement of enterprise business and supply chain decision-making processes, the reality is that such devices are often not secure by design. The ISF observes that when data breaches occur, organizations are likely to be held liable by customers and government regulators. In worst-case scenarios, compromised IoT devices embedded in industrial or product control systems could lead to physical harm and death.
The ISF further observes a misalignment between corporate boards and the C-Suite over the reality that a fully secure organization is an unattainable goal despite substantial investment; the implication is that if and when a major incident occurs, it is likely to affect the reputation of the brand, board members, and senior management.
All of the above compels us to add this cyber risk and information security safeguarding prediction because of its implications for the entire business.
Actions to Consider
In our detailed research report, now available for complimentary download (see above web link), we outline actions that industry supply chain teams should consider. They include close coordination with IT, a thorough review of older legacy applications for security vulnerabilities, and well-defined, multi-functional and multi-line-of-business continuity responsibilities and action plans.
Supply chain teams currently utilizing or considering Cloud-based applications and B2B Business Networks need to ensure that the platform provider adheres to the highest data security standards and, for mission-critical business applications, uses data encryption techniques. Keep in mind that some Cloud-based application providers source their Cloud platform from an external enterprise platform provider, so the provider’s own suppliers are part of the risk picture.
Cyber security is not the sole responsibility of corporate security and IT teams; it instead requires broader involvement and accountability across all functions and line-of-business groups. In 2018, looming cyber-security threats will be an obvious primary concern and objective for senior management leaders, and that concern will cascade to the most high-profile risk exposure, namely domestic and global supply chain applications and systems.
© Copyright 2018. The Ferrari Consulting and Research Group and the Supply Chain Matters® blog. All rights reserved.
We share a follow-up to our 2018 Prediction regarding the elevated priority of cyber attacks and information security.
Today’s Wall Street Journal (Boards Seek Bigger Role in Thwarting Hackers) shares data from the National Association of Corporate Directors indicating that one in five corporate directors are dissatisfied with the quality of cyber risk information that boards receive from senior management. Further cited is an analysis indicating that just four Fortune 100 companies operate a single named committee dedicated to information technology risks.
The report indicates that the boards of Volvo AB and Schneider Electric are considering reallocating specific cybersecurity oversight duties among board committees in 2018.
Meanwhile, CFO Magazine (Cybersecurity Tops Boards’ 2018 To-Do List) reports that law firm Akin Gump Strauss Hauer & Feld has cited cybersecurity as the hottest topic for boards of directors in 2018. The prime motivation is that the U.S. Securities and Exchange Commission has recommended that public companies designate a committee responsible for overseeing cybersecurity risk and that boards have at least one cybersecurity expert or consultant as part of said committee.