Written by Scott Wilson
What is cyber supply chain risk management? Cyber supply chain risk management is the set of processes, practices, and resources that organizations use to guard against failures or breaches in the information systems used to manage supply chain functions. With the expanding use of technology in supply chain management and the increasing sophistication of attacks, it’s a rising concern among supply chain managers and senior leaders.
Today’s supply chain doesn’t run without working cyber systems.
Every order is recorded in a database; every package is slapped with a barcode that is read at every touch point by automatic scanners; every ship, plane, train, and truck bearing cargo is monitored by GPS from departure to destination.
Supply chain management has been utterly transformed by the widespread adoption of fast, accurate information technology systems.
Managers exercise real-time command and control over those processes. Packages are re-routed instantly; products are manufactured to fill orders in near-real-time.
That kind of control offers enormous power and efficiency.
But it also introduces terrible vulnerabilities. And supply chain managers are responsible for managing the risks that emerge.
When Cybersecurity Failures Crash the Supply Chain, Entire Regions Feel the Effects
In the spring of 2021, gas stations and airport refueling farms up and down the East Coast of the United States stopped getting deliveries. The Colonial Pipeline, three tubes spanning some 5,500 miles from Houston to New York, had suddenly shut down.
As the main source for gasoline and aviation fuel, supplying more than half of all fuel consumed on the East Coast, both customers and government officials noticed the shutdown almost immediately. Pressed for reasons, the Colonial Pipeline Company was forced to admit they had been hacked.
The company’s billing systems had been penetrated and encrypted by the DarkSide hacker group. They demanded a ransom of around $4.5 million to unlock the systems.
Although Colonial paid up almost immediately, the restoration tool provided by the hackers was so slow that systems remained offline. Quickly, the airports and filling stations served by the company started to run out of fuel.
The federal government declared a state of emergency, and tankers hit the road to expand delivery capacity as much as possible. Nonetheless, gasoline prices rose to their highest rate in six years within weeks, and disruptions continued even after the pipeline was restarted, six days later.
Colonial itself was hit hard with costs associated with the shutdown. Uncertainty about the capabilities or presence of the hackers led the company to begin direct monitoring of pipeline facilities, from the air and on the ground, across 5,500 miles of pipe.
But the crisis inspired, in part, an executive order to increase software security in supply chain systems and improve incident response capabilities.
Information Systems Introduce New Kinds of Supply Chain Risks
Any kind of computer system comes with security trade-offs.
In the supply chain world, risks fall into two categories:
Supply Chain Disruption
Some kinds of hacking and security breaches may create issues within the supply chain itself. They might redirect or cancel vital shipments. They could leak proprietary data on contracts or product specifications. Or, in cruder attacks, the major damage might simply come from supply chain management software itself becoming corrupted and failing, removing a vital tool that logistics teams rely on.
Broader Corporate Compromise
In other cases, a supply chain cybersecurity breach might not impact the supply chain, but instead simply serve as an avenue to other corporate systems. This can create havoc with theft of corporate secrets, customer data, or disruption of accounting or HR systems.
Not only are these risks real and being exploited every day; they are also compounding.
Larger systems with more integration points create a bigger attack surface for hackers to go after. No longer are they restricted to big corporate mainframes with a few secured gateways; a lonely terminal in a foreign seaport could cough up the keys to the kingdom today.
In 2014, for example, hackers stole a set of login credentials for the internal systems of massive American retailer Target from a small regional HVAC vendor. The vendor only had the credentials for billing and contract as part of Target’s procurement process. Nonetheless, the tightly connected internal information systems meant the hackers could access credit card data from 41 million transactions and personal information from over 70 million customers.
Even in 2023, that hack still ranks in the top 20 of all American data breaches.
Looming Cyber Supply Chain Risks are Drawing Attention from Industry and Government
Technology adoption in the supply chain is only accelerating. The future holds more automation, more artificial intelligence, more IoT (Internet of Things) connected devices up and down the supply chain. Increasingly, remote devices from third-party vendors used for everything from container tracking to – ironically – security webcams, create points of vulnerability in supply chain systems.
With greater control comes more risk, as well.
If the nightmare scenario today is a hacker breaking in and encrypting data in your systems for ransom, imagine what happens tomorrow when the same hacker cracks the system to your automated semi guidance software.
It’s an issue keeping supply chain managers, corporate executives, and even government officials up at night.
Gartner, a major consulting firm, estimates that by 2025 more than half of supply chain organizations will use cybersecurity risk factors when making final decisions about conducting outside transactions and contracting vendors.
Yet security itself comes with costs. Both the investment in expertise and tools for cybersecurity teams can be expensive. But so can the drag they introduce into supply chain operations.
As someone once observed, the most secure computer server would be one completely disconnected from the internet and then cast in concrete so no one could physically access it. Yet at the same time, it becomes entirely useless to legitimate users too.
So, cybersecurity is always a compromise between functionality and security.
How Cybersecurity Innovation Helps Manage Cyber Supply Chain Risks
The solution is cybersecurity supply chain risk management.
It’s just the latest addition in the realm of supply chain risk management that already has to account for natural disasters, economic disruptions, and international conflicts. Adding hacking to the list is only natural.
The process has already become popular enough to earn its own acronym: C-SCRM.
NIST, the National Institute of Standards and Technology, runs a Computer Security Resource Center that has a full project devoted to developing and spreading C-SCRM best practices.
At its core, C-SCRM is just a particularly specialized kind of risk management that supply chain managers have been practicing forever. It identifies vulnerabilities, assesses their impact, and develops mitigations for those risks. Those can include:
- Additional information systems security processes
- New technologies like blockchain that provide built-in encryption layers
- Evaluating system scope and technology choices
- Developing alternatives and backup plans
- Educating the workforce and contractors
And because the supply chain extends across organizations and up and down through systems, it’s an exceptionally broad field.
A Strong Education Is at the Core of Cyber Supply Chain Risk Management
C-SCRM is already covered in most supply chain and logistics management degree programs. But when you get down into the weeds, it really requires crossover specialization and collaboration between cybersecurity pros and supply chain managers.
The technical details of cyber vulnerabilities aren’t something the average supply chain manager can be expected to master. Likewise, the full scope of logistics and operations in the supply chain is beyond most cybersecurity specialists.
There are, however, degrees that put the two together, such as a Bachelor of Science in Information Systems & Supply Chain Management with Cybersecurity concentration.
These programs combine a core of supply chain studies with cybersecurity and information systems concepts. The emphasis on the supply chain side is often highly technical, with coursework in management information systems (MIS), enterprise resource planning (ERP), and database systems. That gets thrown in with classes in ethical hacking, cybersecurity essentials, network systems security, and new technologies like blockchain and encryption.
There are also less involved programs that dive right into risks and mitigations in supply chain cybersecurity, like a Certificate in Supply Chain Safety and Security. With cyber as a major concern in overall supply chain resiliency, just about any certificate program in supply chain risk management will include at least one class focusing on cybersecurity risks.
The complexity of supply chain management systems creates expanding entry points for bad actors and other potential risks. And as long as those risks exist, experts in both supply chain processes and cybersecurity will be necessary in the field.