If you connect it, protect it.
That's the theme of this week, the first in National Cybersecurity Awareness Month, and it's become even more critical as supply chains ramp up digitalization and many employees access work applications from remote servers.
The National Security Agency and the Cybersecurity and Infrastructure Security Agency issued a joint advisory in July, warning that cyberattacks against critical operational technologies and infrastructures have been on the rise during the COVID-19 pandemic.
In the supply chain, those operational technologies could refer to robotics moving parcels in a facility or temperature controls within a warehouse, which are often cloud-based and interconnected via IoT, according to Marty Edwards, former director of ICS-CERT and vice president of operational technology security at Tenable.
"This isn’t a warning about the possibility of attacks. This is a warning that attacks have occurred and are ongoing as we speak," Edwards said. Just within the last weeks, cyberattacks hit shipping line CMA CGM, as well as the International Maritime Organization.
The layering of old and new technologies, often from a variety of vendors with varying degrees of security, and the distribution of company devices to employees working from home, has opened security gaps that supply chain experts say are being exploited in the pandemic.
Attacks from the supply chain to the customer
Cyberrisks have "only gotten exponentially worse," said Curtis Simpson, chief information security officer at Armis and former global CISO at Sysco. "One of the things that worries me is that … a lot of documentation that's supposed to be well controlled is being downloaded onto personal machines."
This information can be edited and reuploaded to various software as a service platforms or collaborative communications tools. And while digital collaboration can be a strategic advantage in a remote work environment, companies can’t always ensure their employees devices, internet access or credentials are secure, Simpson said.
"Smaller organizations can be used as a conduit to target our downstream customers as part of a larger attack."
Chief Information Security Officer at Armis
This kind of vulnerability is particularly concerning among supply chains in industries where a few large players dominate the market. Simpson gave the example of foodservice, where Sysco, US Foods, Gordon Food Service and Performance Food Group are the major players, and the remaining companies in food distribution are small.
Smaller players often don’t have the budget to develop robust security capabilities, Simpson said. "Having witnessed many different acquisitions at Sysco, these smaller organizations can be used as a conduit to target our downstream customers as part of a larger attack," he said.
Simpson said if he were a bad actor, knowing that supply chains are under strain, he would target employees’ personal devices through their email or software platforms and go after large companies’ smaller supply chain partners. Email remains the foremost point of entry for hackers looking to gain access to companies’ systems, according to Verizon’s 2019 Data Breach Investigations Report, accounting for 94% of detected malware attacks.
Is old hardware safer?
Beyond email and personal devices, an attack could involve hacking into IoT climate control sensors and raising the temperature in refrigerated warehouses, thereby destroying food, pharmaceuticals or eventually a coronavirus vaccine.
Hackers could compromise asset tracking devices or software and disrupt freight movements, or shut down customer platforms, any of which could cause millions of dollars worth of damage before a company can respond.
IoT, robotics, ELDs and other commonly used supply chain hardware that often feed into digital databases "never were really built with security in mind," Edwards said.
Because of these vulnerabilities, there is a notion in the supply chain and manufacturing industries that using older devices or fewer IoT technologies makes the sector less vulnerable to cyberattacks, Edwards said.
"This perception of security through obscurity … [that] you're secure because you're using something that's esoteric or obsolete, I think it's false,” he said, adding that companies that clearly understand their networks will be most able to detect abnormalities.
Detection capability is key, according to Simpson, because hackers can alter information feeding to company dashboards to make it look as though everything is normal. If supply chain managers are unable to prevent a hack, being able to detect it quickly is the next best thing.
"I believe that these criminals are going to start to strategically target industries that are of high value," Edwards said, pointing to medical and food industries that are of particular value during the pandemic.
Focusing on cybersecurity in the pandemic
As supply chains grapple with ongoing disruption to their operations, firms may not be able to afford new technology or security upgrades. But there are low-cost ways to improve security without purchasing expensive digital band-aids.
"Something that the security people should be doing is going through each and every contract where they have leased technology or other equipment that isn't under their direct ownership [so] they understand the security requirements," Edwards said.
This is something that cost small organizations very little, Simpson said, and can pay off in identifying and patching vulnerabilities in existing systems without going out and layering on more expensive technologies.
Now is the time to do those security audits on the digital side as well, Edwards said. He said most companies are "woefully under invested" in operational technology. "They may not even know what devices are attached to their networks," he said.
"Criminals are going to start to strategically target industries that are of high value."
Vice President of Operational Technology Security at Tenable
Collaborating closely with other supply chain partners can help improve security, as well. As data sharing initiatives via blockchain platforms or other digital means become more common, ensuring supply chain managers can trust the security of their counterparts in other organizations can not only improve the efficacy of data sharing but help prevent a cyberattack in one link of the chain from spreading up or downstream.
It is also important to recognize the element of human error. Many companies have invested in training to help employees develop stronger passwords, better digital security practices online and the ability to identify and report potential phishing attempts as a way to shore up what are often the front lines against digital attacks, personal cell phones and computers.