In recent years, supply chain security has become an issue of preeminent importance. We've talked about it previously, though with a focus on the security of software supply chains. High-profile supply chain attacks have hit some of the biggest names in the industry, and the problem has proven hard to tackle. Given the nature of supply chains and manufacturing in general, any disruption at one manufacturer causes delays that ripple further and further along the chain. As the semiconductor shortage of the last year has shown, these delays can have significant ramifications for seemingly disconnected industries that still depend on the affected products.
Earlier this year, Japanese automaker Toyota had to suspend operations on 28 production lines across 14 plants because of a cyberattack-induced disruption at one of its parts suppliers. The supplier, Kojima Industries, is reported to have suffered a ransomware attack that halted its manufacturing operations. The disruption cut Toyota's global output by roughly a third for the duration of the outage, thanks in part to its use of just-in-time manufacturing, which leaves little buffer stock to absorb a supplier outage. Considering the scale of an auto manufacturing giant like Toyota, interruptions of this kind can cost millions of dollars in lost productivity and sales.
The challenges of securing the supply chain
If you try to look up the definition of supply chain security, you'll probably find a dozen different answers. It's a broad concept because the very idea of the "global supply chain" is itself broad and vague. In concise terms, securing the supply chain can mean anything from protecting critical manufacturing equipment, validating the authenticity of supplied parts, and ensuring the availability of supporting infrastructure, to more broadly mitigating the risk that comes from relying on third-party vendors. Securing your supply chain also comes with practical challenges. Most manufacturers have little control over their suppliers' operations, which limits their options for directly protecting the production lines they depend on. Big manufacturers can write security requirements into their supply contracts, but at the end of the day you are trusting the subcontractor to uphold its obligation to keep its production lines available. Because you are relying on the trustworthiness of your suppliers, it becomes difficult to verify that all of your dozens or hundreds of them are actually doing their due diligence.
Even if a manufacturer could unilaterally implement security controls on its suppliers' networks, doing so would not be easy. Unlike traditional corporate networks, manufacturing facilities can be composed of any number of legacy industrial control devices and embedded systems that are a challenge to secure. Given the immense tooling investment required to outfit a production line, many of these embedded systems are decades old and rely on long-deprecated communication protocols and insecure data handling practices. Nor is the security of the manufacturing devices the only concern: the production lines are supported by modern IT infrastructure that must also be protected, and, as the Kojima incident shows, an attack on that IT infrastructure can halt production just as effectively as one on the line itself.
How we secure manufacturing supply chains
So, we've established that there are many challenges to securing the global supply chain and that failing to do so can be catastrophic for unprepared organizations. What can be done to protect it? First, NIST has developed the Cybersecurity Supply Chain Risk Management (C-SCRM) program to help organizations manage supply chain risk, and it is a good resource. The C-SCRM program includes the SP 800-161 publication, whose revision 1 (in draft at the time of writing) contains some of the best information available on building, integrating, and supporting a supply chain security program throughout an organization. Additionally, in a 2020 report titled Securing the Supply Chain, Accenture laid out 5 practical steps for implementing security controls throughout the supply chain:
- Create a dedicated Supply Chain Risk Management program office
- Get visibility into the whole supply chain
- Get an accurate understanding of the threats the supply chain faces and identify weak points
- Determine solutions to identified problems
- Maintain and monitor the program
The first step is the simplest to state, yet perhaps one of the hardest to accomplish, depending on organizational structure. Rigid corporate environments may struggle to accommodate a new program office, while more flexible ones may be better able to integrate supply chain policy into their existing operations. The second point, visibility, is perhaps the most important, though. Understanding what is on your network, which assets are the crown jewels, and how they are vulnerable is the starting point for any security hardening effort. To craft policy, procedures, and technical controls throughout the supply chain you need to know exactly which systems, suppliers, and infrastructure you cannot afford to lose. This ties in with the third step, which requires a thorough understanding of your threat posture and risk profile. Automated tools like CnSight can help here by making reporting on key performance metrics an automated task and helping to prioritize security investments. The fourth step takes the information gathered in the third and implements solutions in systems across the organization, followed by the maintenance, re-assessment, and monitoring of the fifth step.
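The visibility and weak-point steps above are easier to reason about with a concrete model. The following is an added example, not code from the original post, Accenture, or NIST: it maps a constructed bill of materials (production line, part, qualified suppliers) and a constructed set of tier-2 dependencies to the production lines that a single supplier outage would halt. All line, part, and supplier names are hypothetical. It goes slightly beyond the text by propagating outages through tier-2 suppliers, which exposes the case where two apparently independent tier-1 suppliers share one upstream source.

```python
"""Rank suppliers by the production they can halt (constructed example data)."""

# Constructed data: production line -> part -> set of qualified tier-1 suppliers.
# A part with exactly one supplier is a single point of failure for that line.
BOM = {
    "plant-A/line-1": {
        "wire-harness": {"HarnessCo"},
        "seat-frame": {"SeatCo", "AltSeat"},
    },
    "plant-A/line-2": {
        "wire-harness": {"HarnessCo"},
        "brake-ecu": {"EcuCo"},
    },
    "plant-B/line-1": {
        "seat-frame": {"SeatCo", "AltSeat"},
        "brake-ecu": {"EcuCo", "EcuCo2"},
    },
}

# Constructed tier-2 map: tier-1 supplier -> upstream suppliers it cannot build
# without. Note that both ECU suppliers depend on the same chip vendor.
TIER2 = {
    "HarnessCo": {"CopperCo"},
    "EcuCo": {"ChipCo"},
    "EcuCo2": {"ChipCo"},
}


def single_source_parts(bom=BOM):
    """Return {(line, part): supplier} for every part with one qualified supplier."""
    return {
        (line, part): next(iter(suppliers))
        for line, parts in bom.items()
        for part, suppliers in parts.items()
        if len(suppliers) == 1
    }


def propagate_outage(down, tier2=TIER2):
    """Expand an outage set to every supplier that loses a required upstream source.

    Iterates to a fixpoint so multi-hop dependencies are followed.
    """
    down = set(down)
    changed = True
    while changed:
        changed = False
        for supplier, deps in tier2.items():
            if supplier not in down and deps & down:
                down.add(supplier)
                changed = True
    return down


def halted_lines(down, bom=BOM, tier2=TIER2):
    """Lines that stop when the suppliers in `down` (plus anything that depends on
    them) are unavailable: a line halts if any part has no remaining supplier."""
    effective_down = propagate_outage(down, tier2)
    halted = set()
    for line, parts in bom.items():
        if any(not (suppliers - effective_down) for suppliers in parts.values()):
            halted.add(line)
    return halted


def output_loss_fraction(down, bom=BOM, tier2=TIER2):
    """Fraction of production lines halted by the outage, e.g. 2/3 for a harness outage."""
    return len(halted_lines(down, bom, tier2)) / len(bom)


def blast_radius(bom=BOM, tier2=TIER2):
    """Rank every known supplier (tier 1 and tier 2) by lines halted if it alone goes down.

    Sorted by descending impact, then by name, so the result is deterministic.
    """
    suppliers = set()
    for parts in bom.values():
        for s in parts.values():
            suppliers |= s
    for supplier, deps in tier2.items():
        suppliers.add(supplier)
        suppliers |= deps
    ranking = {s: len(halted_lines({s}, bom, tier2)) for s in suppliers}
    return sorted(ranking.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for supplier, n_lines in blast_radius():
        print(f"{supplier:10} halts {n_lines} line(s)")
```

Running it shows that the harness supplier and, through the tier-2 map, the copper and chip vendors each halt two of the three lines, while the seat-frame suppliers halt none because every line that uses seat frames is dual-sourced. The chip vendor is the kind of weak point step three is meant to surface: it never appears on a tier-1 supplier list, yet it silently defeats the second-sourcing of the brake ECU.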
So, while it is challenging to implement a security program across the entire supply chain, steps can be taken to mitigate risk and reduce the business impact of security incidents that hit the supply chain. Using publicly available guidance and a small but dedicated security team, it is possible to create a resilient supply chain risk management program that has a substantial impact on the security of the suppliers you depend on.