Building Resilient Supply Networks

In today’s interconnected landscape, supply chains play a critical role in the success of large manufacturing, retail, electronics, automotive and life sciences organizations in the EU region. However, with the growing reliance on digital technologies and the uptake in sophisticated cyber threats, the concept of resilience has become vital. For CISOs, IT Managers, and Information Security Managers, ensuring the resilience of supply chains has become a top priority to safeguard the continuity of their business, ensure cohesive disaster recovery and protect against potential cyber disruptions.

Resilience reflects the ability of an organization to withstand, respond to, and recover from threats and incidents, while continuing to deliver their service and products as usual. It is more than the design, formalization and distribution of key documentation such as BCPs, DRPs and CMPs; it is an organizational state of being that is achieved and actively maintained through continuous efforts and a collection of proactive activities. In the context of supply chains at global manufacturing organizations for example, resilience involves building dynamic security measures, proactive risk management, and effective response strategies to maintain operations even when faced with business-hindering events.

Supply chains nowadays often encompass a complex network of suppliers, vendors, partners, stakeholders and other third parties, involved in the logistics, production and distribution of goods. This interconnectedness creates multiple touchpoints vulnerable to cyber threats, reinforcing how important it is for organizations to extend their security focus beyond their immediate internal networks.

Insights from The State of Supply Chain Defense: Annual Global Insights Report 2023 display that Manufacturing companies continue to demonstrate that third-party cybersecurity is a priority for their operations, with 55% of respondents stating that supply chain cyber risk was on their radar. This number however needs to increase drastically, as 93% of respondents within Manufacturing were negatively impacted by a supply chain cyber breach in 2023.

Similarly, the Healthcare and Pharmaceutical sector faces similar challenges, however have a different landscape to consider given the amount of sensitive health data that needs safeguarding, in addition to more stringent regulatory requirements. In this sector, the positive news is that respondents reported a 50% budget increase for cyber third party risk management.

The Evolving Threat Landscape in Supply Chains

From ransomware attacks halting production lines, to data breaches and supply chain manipulation, adversaries are constantly finding new and improved ways to exploit vulnerabilities in digital infrastructure.

In recent years, several cyber incidents have disrupted global supply chains. Many of these incidents involved a malware attack on various prominent manufacturing companies, causing production shutdowns for weeks, and affecting the delivery of critical components to customers. Such incidents stress the importance of robust resilience strategies. During the last six months, we have witnessed a spike in supply chain cyber attacks affecting a vast number of vendors. Identifying and addressing vulnerabilities within the supply chain is essential to enhancing Cyber Resilience. Common vulnerabilities include legacy software and firmware, weak authentication mechanisms, unsecured communication channels, and a lack of visibility into third-party security practices.

A WSJ article brings to light that wars in Ukraine and in the Middle East have been threatening flows of grain, oil and consumer goods. Climate change and mass migration have disrupted trade lanes from the Panama Canal to the U.S-Mexico border, and varying geopolitical tensions are making international supply chains ever more complex. Further, a ‘just-in-case’ strategy of hoarding inventory to avoid losing sales has been adopted instead of a ‘just-in-time’ strategy for many fashion, electronic, parts and furniture manufacturers.

Cyberint outlines some of most notable supply chain attacks over the last few years as the following:

  1. SiSense – April 2024
  2. Okta – October 2023
  3. JetBrains – September 2023
  4. MOVEit – June 2023
  5. 3CX – March 2023; and
  6. Applied Materials – February 2023.

A robust Resilience Strategy enables organizations to identify potential threats, implement preventive measures, and establish effective response practices. This aids in minimizing downtime, reducing financial losses, and protecting brand reputation. In the face of a disruption, organizations must have protocols in place to detect breaches early, respond quickly, and recover efficiently. Business processes should be designed with redundancy, and data backups should be protected and tested frequently to enable a cohesive recovery.

Building a Resilience Framework for Supply Chains

The first step in developing a strong Supply Chain Resilience Framework is to identify and classify critical processes, assets and information within the supply chain, alongside their impact tolerance. This includes outlining key suppliers, critical production processes, sensitive intellectual property, and customer data. By understanding the value, criticality, requirements and interdependencies of these assets and processes, organizations are able to prioritize their protection efforts – this is commonly done through a Business Impact Assessment (BIA) or Risk Assessment.

Further, performing a comprehensive Risk Assessment across the entire supply chain is essential to identify potential threats and vulnerabilities. Collaborate with your third parties (suppliers and partners) to evaluate their own cybersecurity protocols and ensure alignment with your organization’s standards and benchmarks. Once risks are identified, establish a risk management strategy that prioritizes Resilience efforts based on the impact and likelihood of various cyber incidents.

Clear and measurable objectives and indicators are essential to assess the effectiveness of an organization’s resilience efforts. Set specific, measurable and achievable resilience objectives, such as reducing incident response time, increasing incident detection time, aligning recovery metrics between the business and IT, improving employee awareness, increasing supply chain visibility, supplier diversification, demand forecast accuracy, or improving compliance with supply chain partners. Track these objectives using Key Performance Indicators (KPIs) to measure your progress, address any gaps, and adapt your resilience strategy appropriately.

Implementing Resilient Leading Practices in Supply Chains

A secure landscape begins with a secure network and infrastructure design. Implement strong access controls, segment networks to limit lateral movement for attackers, and regularly update and patch all network components. Additionally, deploy firewalls, intrusion detection / prevention systems (ID/PS), and encryption protocols to safeguard data in transit and at rest.

A comprehensive risk assessment process is documented within ISO 31000:2018, which is recommended to be applied to organizations’ ecosystems for supply chain risk management in relation to cybersecurity. Further, ENISA outlines the following as good practices for an ICT/OT supply chain cybersecurity risk assessment:

  • ‘Understand and document the organization’s suppliers and service providers
  • Consider supply chain risk beyond your own organization
  • Risk criteria should reflect objectives and accepted the risk level of the organization
  • Have business continuity requirements taken into consideration for supply chain risks
  • Apply good practices in risk mitigation which are based on international standards
  • Understand supply chain risks; and
  • Understand risks linked to the performance of suppliers and service providers.’

Additionally, a high-level summary of ISO 28002: ‘Development of resilience in the supply chain’ outlines a process approach for resilience management within supply chains, including:

  1. Establishing a Supply Chain Resilience Program and applying resources
  2. Defining the supply chain and resilience objectives
  3. Identifying supply chain risks
  4. Quantifying and prioritizing risks
  5. Executing risk treatment programs; and
  6. Monitoring the supply chain environment for risks.

Vulnerable software and third-party components are common entry points for cyber threats. Enforce secure coding practices in the software development lifecycle and conduct thorough security assessments before integrating third-party solutions. Implement stringent vendor management practices, requiring suppliers to adhere to established cybersecurity standards and undergo regular security assessments.

Humans remain a significant factor in cyber incidents, often unintentionally facilitating attacks through social engineering or poor security practices. Conduct regular security training and awareness programs for all employees, including supply chain partners. Educate them about the latest cyber threats, phishing techniques, and the importance of secure behavior in safeguarding the supply chain ecosystem.

SupplyChainDigital outline the ‘Top 5 Supply Chain Cyber Threats’ as the following:

  • IoT Devices – According to Symantec, IoT devices experience an average 5,200 attacks a month 
  • Ransomware – Remains a huge concern to organizations with large supply chains. The average ransomware payout in 2021 was $111,605 USD per attack
  • Cloud Security – Misconfiguration, unauthorized access, insecure interfaces, etc.,
  • Social Media – Continuing to be a medium of choice for launching cyberattacks; and
  • PDFs – An enticing means of phishing as they are cross-platform and allow attackers to engage with users.

Collaborating and Communication in the Supply Chain Ecosystem

Resilience cannot be achieved in isolation. Organizations must foster a culture of collaboration and cooperation among all stakeholders in the supply chain ecosystem. Engage with suppliers, vendors, logistics partners, and other entities to share best practices, threat intel, and incident response planning. Regular communication and joint exercises will enhance the collective ability to respond to threats effectively.

By exchanging real-time information on emerging threats and attack trends, organizations can proactively fortify their defenses. Additionally, collaboration on incident response planning and conduct joint drills ensures a coordinated and harmonized response to potential incidents.

Integrate resilience requirements into contractual agreements (such as your SLAs) with supply chain partners. Clearly outline responsibilities, incident reporting procedures, and data protection obligations. Regularly review and audit compliance with these agreements to ensure the entire supply chain adheres to the highest security standards.

Resilience is rarely solely a technical endeavor; it is also a cultural mindset. Encourage a strong resilient culture among supply chain partners by providing regular training, sharing best practices, and fostering open communication channels for reporting potential threats. Collaboratively prioritize resilience and establish it as a shared responsibility across the entire supply chain ecosystem.

Incident Response and Recovery Strategies

Crafting detailed incident response plans specific to supply chain disruptions is crucial. Work collaboratively with supply chain partners to establish clear lines of communication, escalation procedures, and predefined responsibilities in the event of an incident. Consider various scenarios and conduct tabletop exercises to validate the effectiveness of the plans.

Regular testing and simulation exercises are indispensable for evaluating the effectiveness of resilience strategies. Conduct penetration tests, red-teaming exercises, and simulated disasters to identify potential weaknesses and areas for improvement. Use these insights to refine incident response plans and enhance the overall resilience posture.

After an incident, perform a thorough post-mortem to identify root causes, evaluate response effectiveness, and document lessons learned. Share these findings with supply chain partners to foster a culture of continuous improvement. By learning from past experiences, organizations can become more resilient and better prepared for future threats.

Compliance and Regulatory Considerations

In addition to proactively implementing resilience measures, organizations must comply with relevant regulations and standards. Familiarize yourself with relevant regional and international laws, such as the General Data Protection Regulation (GDPR), NIS2 and CER Directives, DORA, industry-specific frameworks like ISO 27001, 28002, 22301, and remain abreast of upcoming regulatory considerations such as the Cyber Resilience Act (CRA).

Adopt industry best practices and guidelines related to resilience. Organizations can draw insights from frameworks and publications like ENISA, NIST CSF, CIS Controls for Supply Chain, and the World Economic Forum’s Cyber Resilience Playbook. Aligning with established standards enhances credibility and ensures a holistic approach to resilience.

Embracing Resilience for a Secure Future

Resilience remains the cornerstone of securing the supply chains of connected organizations. By building a robust Resilience Framework, implementing best practices, fostering collaboration, and embracing a resilient supply chain ecosystem, organizations can effectively counter threats and protect business continuity.

By prioritizing resilience and promoting a culture of security across the supply chain, together, we can strengthen the resilience of your organization and create a secure and prosperous future.

Get in touch to learn more!