- The NotPetya cyberattack was not a one-time fluke, but rather an indication of coming "indirect supply attacks," wherein a small supplier embedded within a larger system is corrupted in order to attack its host, as was the case with A.P. Moller - Maersk by Ukrainian tax software M.E.Doc, according to a Booz Allen Hamilton report, Supply Chain Quarterly reported Tuesday.
- A further trend potentially affecting supply chains are extortion attacks on industrial control systems (ICS), such as when hackers gain access to a manufacturer's ICS and demand a ransom to prevent or mitigate further disruption. Automakers Nissan and Renault suffered such an attack in 2017, as did pharmaceutical company Merck.
- Alarming incidents by committed by Eastern European criminals using similar techniques against chemical manufacturing facilities have also been reported.
The threat of cyberattacks that plagued both the shipping and manufacturing industries in 2017 remains, though better preparation — and therefore resilience — have become common.
Despite the rise of cyberattacks in 2017, they remain a behind the scenes disruption, with few organizations willing to escalate the matter to the boardroom. A cyberattack can cause at least a 55% loss in productivity and the economic damage can skyrocket into the tens of millions.
However, recovery is possible, as evidenced by both Maersk and FedEx.
"We saw multiple breaches in 2017 that would have been the largest breach of the year if it had happened in any other year,” Brian Vosburgh, a Chief Strategist on Booz Allen Hamilton’s Cyber4Sight team told Supply Chain Dive. “The companies that minimized the potential damage executed a well-practiced plan and informed the public in short order with straightforward facts and data. This approach required less damage control and instead provided the companies an opportunity to showcase their ability to handle a crisis with action and resilience."
Things may be changing from a strategy standpoint, however, due to the scope of the 2017 attacks. In other words, the boardroom may not remain out of the loop for long.
"Operations gained an increased understanding of the level of depth and breadth a breach can have on an organization,” Vosburgh said. "It now has a better understanding that it can't address the breach alone. Security is everyone’s responsibility, it has to be a cross organizational initiative, sponsored at the most senior levels."