Introduction
The nature of the supply chain industry demands that organizations exchange among themselves the private and sensitive data needed to move the underlying goods and services. A secure environment for exchanging such data is a major concern for the cybersecurity practitioners who manage supply chain networks and transactions. Cybersecurity risk in the supply chain industry is growing as attackers become more knowledgeable and gain access to the latest technologies, using advanced hardware and software tools. Malware infections alone have increased by almost 50-65% in the past year. The impact of such threats has led to increased spending and effort on tools and processes such as intrusion detection and blocking software, secure communication protocols and mitigation software, all of which constitute the countermeasure or control processes in supply chain cybersecurity (Rees, Deane, Rakes, & Baker, 2011; Baker, & Wallace, 2007).
The present security management approach mostly takes the form of checklists that decision makers use for risk evaluation, mitigation and countermeasures in the event of threats and vulnerabilities. Because of the inherent flow of data through them, supply chain processes are prone to serious threats to data security. Lapses may occur on the side of the suppliers of hardware and software services or in the implementation of processes on the organization's side. Due diligence in securing these processes is essential to prevent security threats and vulnerabilities. Best practices must be employed to avoid threats and vulnerabilities that could compromise the supply chain system and its sensitive data, and those practices must be evaluated before implementation so that the organization gains the most from them (Rees, Deane, Rakes, & Baker, 2011).
Supply Chain Risks
Supply chain risks are magnified by the complexities that cybersecurity introduces. Cyber threats and their sources range from intentional targeting, software and hardware errors, vendor errors and infection by malicious code to internal abuse of the system. The sources of risk that affect the cybersecurity of a supply chain system are discussed below.
Third Party Software Supplier
Cyber-espionage groups target the suppliers of legitimate supply chain software used by large organizations. Malicious code is embedded as Trojan malware inside the legitimate software, which is then deployed on the client system. The client organization is unaware that any such malware has entered its system. The industry most commonly affected by such practices is the energy sector. A compromised system is hard to detect even at the supplier level, and the client does not suspect the problem; nevertheless, the onus of security rests with the supplier.
Third Party Data Storage Vendors
Outsourcing data services to third party vendors is another major source of malicious attacks on the supply chain system. Organizations place sensitive client data, including business-critical and financial data, on such networks. If a third party data storage vendor is compromised or attacked, the client data is compromised as well (Bowman, 2013).
Watering Hole Attacks
A watering hole attack is a common form of cyberattack that works by identifying websites frequently visited by users of a supply chain organization. The website is compromised and then used as a source to deploy malware on unsuspecting users who belong to the targeted organization or sector, such as government, healthcare and defense (Cyber-security risks in the supply chain, 2015).
Insider Abuse of System Access
Insider abuse is another common source of security threats, in which the system is compromised by people who know the organization's existing system or, worse, are part of it. In general, such activities are carried out by disgruntled employees or vendors (Cyber-security risks in the supply chain, 2015).
Errors and Omissions
Errors and omissions by software vendors, operators, or service providers are the most common source of cyber threats. They result from a lack of diligence in performing security steps and taking the relevant measures (Cyber-security risks in the supply chain, 2015).
Network Software and Operating System Vulnerabilities
Issues in an operating system and network software leave supply chain systems vulnerable to cyberattacks. Attackers most often take advantage of existing vulnerabilities in network resources and the underlying OS (Cyber-security risks in the supply chain, 2015).
Organizations must know the level of care required for the various operations related to the supply chain system, data security, vendor management, and the vendor selection lifecycle. Organizations that are well aware of cybersecurity problems are in a good position to mitigate the risk. Inadequate information across the supply chain and non-existent business strategies for resilience hamper the security of the organization. Diligent efforts and processes must be employed to mitigate cybersecurity threats and vulnerabilities; this diligence includes upgrading technology, educating the people responsible for the system and improving the underlying security processes. A number of steps can be taken to ensure risk management in supply chain governance. A multi-stakeholder risk assessment process must be constituted within the organization. Independent threat assessment, advanced technological monitoring, and the ability to share threat intelligence across organizations are some of the diligent processes that ensure system security (Bowman, 2013).
Cybersecurity Questions to ask Suppliers
Suppliers of software systems and processes for the supply chain are the most vulnerable entities through which an organization's supply chain system can be targeted by attackers. Supplier or vendor selection, together with constant monitoring and management, is the most important aspect of cybersecurity threat mitigation. The following questions should be asked of suppliers as part of a diligent threat mitigation process.
1. What kind of cyber risk evaluation process is followed at your company?
2. Will you take accountability for any cybersecurity threat or incident arising from vulnerabilities in the software provided by your company?
3. Are you willing to develop collaborative processes for identifying and acting upon any data breaches?
4. Are you willing to conduct information assurance activity on a regular basis?
5. Have you taken relevant accreditations for your software processes and do you follow standard auditing processes for risk-assessment and mitigation of the software product?
Best Practices
The best practices for any organization consist of prioritizing areas of potential risk and taking action to mitigate those risks. They include actions to prevent malware insertion during the programming, manufacturing or testing process. Products must be protected from tampering, risk must be mitigated by procuring software products only from authorized vendors, and operating systems must be updated regularly with security patches. Security must be built into the design of the system and its test processes (Blanchard, 2010). There must be stringent vendor control mechanisms and tight control over the processes by which software is loaded into organizational systems. Quality must be linked directly to the security of the system. Supply chain continuity strategies must be in place in the event of a network threat or cyberattack. Companies must have strict knowledge of their manufacturing processes, design controls and supplier-provided software, and a robust test system sufficient for tracking and identifying malicious code from any source. Operating processes must be tightly controlled by the company, both at the assembly level and in transit, to avoid any kind of breach. Custom components such as programmable ASICs must be secured against malicious code insertion. The best practice is to follow industry standards such as supply chain risk management practices, National Institute of Standards and Technology (NIST) SP161, NIST 800-53, the SANS Consensus Audit Guideline and EU and NATO guidelines. The expected benefits of following best practices are a secured system, early detection of risk, reduced threats and vulnerabilities and an effective mitigation plan (Martin, & Shepard, 2016).
Summary and Conclusion
Cybersecurity threats are one of the biggest challenges that supply chain organizations face today. Effective countermeasures need to be applied to reduce cyber threats, complemented by effective security planning and adherence to industry best practices. An organization must perform due diligence to mitigate security threats, and must distribute the onus and responsibility for cyber threats to its suppliers of software systems. Steadfastness, fast action, and a forward-looking approach to threat management are the most effective way of countering network threats. The most common risks come from suppliers, third party data vendors and the introduction of malicious code into the system. However, an organization must also safeguard itself against internal threats such as disgruntled employees.
References
Baker, W. H., & Wallace, L. (2007). Is information security under control?: Investigating quality in information security management. Security & Privacy, IEEE, 5(1), 36-44.
Blanchard, D. (2010). Supply chain management best practices. John Wiley & Sons.
Bowman, R. (2013). Why Cybersecurity Is a Supply-Chain Problem. Supplychainbrain.com. Retrieved 8 May 2016, from http://www.supplychainbrain.com/content/blogs/think-tank/blog/article/why-cybersecurity-is-a-supply-chain-problem/
Cyber-security risks in the supply chain. (2015). cert.gov.uk. Retrieved 8 May 2016, /02/Cyber-security-risks-in-the-supply-chain.pdf
Martin, C. & Shepard, K. Best Practices in Cyber Supply Chain Risk Management. fireeye.com. Retrieved 8 May 2016, from https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-best-practices-in-cyber-supply-chain-risk-management.pdf
Rees, L. P., Deane, J. K., Rakes, T. R., & Baker, W. H. (2011). Decision support for cybersecurity risk planning. Decision Support Systems, 51(3), 493-505.