Accurately understanding what goes into a software supply chain becomes increasingly important when it comes time to secure it. If your definition is narrowly scoped around one or two of these pieces (for example, dependencies), it becomes difficult to implement security controls that can adequately protect the entire supply chain from being breached.
Supply chain attacks: when things go wrong
If you think about what happened over the past one-and-a-half years, we had a pretty good supply of food and other goods, right? So the supply chain did work, but for a lot of companies it meant struggling with in-bound logistics, their own sites, and distribution. They really needed to step up and make sure that the supply chain is flowing so we can deliver to our customers, and to your point earlier, the conversation made it to the boardroom. For example, we helped a couple of clients implement the business continuity management, and one CEO, who never talked about the supply chain before, even addressed it in his last two investor presentations.
The attention has shifted from it not only being a function that is valuable when something goes wrong but can really help us to be better. That client I mentioned, they increased their market share, because they did much better than their competition and could even sell more. And in a pandemic situation, that was an amazing result.
Knut Alicke: We did run a survey among supply-chain executives and wanted to understand what they did during the last one-and-a-half years and what they want to do going forward. One topic that Sebastian just mentioned was really high on the agenda. They want to have transparency, and want to be able to decide fast, and decide to do the right thing. What do we need for that? We need to invest in digital planning. Almost 80 percent of the participants said they need to improve, and to invest in digital planning to increase supply-chain visibility to make sure they have the ability to plan and to decide.
Knut Alicke: That is what we see in terms of the future of work in supply chain. We have the demand planner. Now in the future, we will probably havea combination of someone who knows the business very well, and then we also need to have a data scientist who is able to come up with an algorithm. But this data scientist also needs to have somekind of translator skills to understand the business. If you think about an order manager, for example, we now have someone who is architecting the partthat entails robotic process automation. This means there are new roles and a lot of new skills necessary to define the future of the supply-chain planners and the future of the supply-chain organization.
Knut Alicke: We currently see a lot of bottlenecks, and to resolve them will take some time. We see that some commodities are short, semiconductors are short, even containers themselves are short and vessels do not have enough capacity. Basically, everything is in short supply, and it will take a couple of months to get out of this. Then hopefully we will not go back to the super-efficient, just-in-time supply chain but more to a resilient one. There will be probably another natural disaster, which is what global warming tells us, and with this we could have a heat wave or flooding. We have the next disruption around the corner.
One of the biggest cybersecurity concerns over the last few years has been the supply chain, especially the software supply chain. The attack on SolarWinds made it clear just how pernicious supply chain attacks can be. Just one third-party vendor with poor cybersecurity can put hundreds of connected companies at risk. But these risks can be different for upstream and downstream organizations.
Supply chains are networks between an organization and others who provide materials or products eventually destined for a consumer. A supply chain can be complex. Besides physical resources, it can also handle things like digital information, entities, and even people. Depending on the size of a particular organization, they can have entire teams dedicated to overseeing a supply chain. It can be a vital component to the operation of any business.
Why is supply chain security important? If there is no product, there is no business. Disruptions to the supply chain can cripple an organization. Not only do they need to be concerned about their suppliers, but they also need to guard their systems. Supply chain cyber attacks can fracture lines of communication, records of transactions, inventory, and forecasting for the future. Cyber criminals have found supply chains to be a source of valuable information about an organization's current or future plans, as well as being a source for general confidential information not intended for outsiders. If you work with your organization's supply chain, how can you protect yourself? How can you ensure business runs to forecast? We have some tips for staying safe and operational.
In the blink of an eye, business is put on hold. You cannot bring in new products, your clients cannot buy from you, and you have lost your inventory plan for the year. These are just some of the repercussions of an attack on an organization's supply chain.
To understand supply chain cyber security, you must first know how it can infiltrate a system. These types of attacks do not go for the front door. In other words, they do not try to steal your password to gain entry. Cyber criminals are getting smarter. They know you likely have a strong password, two-factor authentication, and all of the other basic security necessities in place. Instead, they prefer backdoor entry, injecting malicious code or components into one of your trusted pieces of technology (hardware or software). Once in place, cyber criminals can not only cripple your supply chain, but they can also obtain critical information about your suppliers and clients, creating a chain reaction of damage.
Supply chain cyber security threats can come from many directions. These systems often interact with suppliers, manufacturers and even clients, meaning the amount of touch points opens up the room for potential breaches. Three of the most common risks faced by supply chain systems include:
SushiSwap allows users to run a platform where they can buy and sell crypto currency and other assets. According to Kraken, "users first lock up assets into smart contracts, and traders then buy and sell cryptocurrencies from those pools, swapping out one token for another." They are a crypto supply chain in that they house several different currencies (including their own "SUSHI") and facilitate the exchange between end users.
Risks to supply chains can come in many forms. Beside cyber security, which we have already talked about in detail, organizations will also need to consider natural disasters, terrorist attacks or government dealings, such as Brexit in the U.K.
If the COVID-19 pandemic has taught us anything, it is that things can happen quickly, and preparation is key. Therefore, it should come as no surprise that Koray Köse, a Senior Analyst at Gartner, says that, "90% of organizations plan to put money and time into making their supply chains more resilient over the next two years."
If you are "on the fence" about investing in supply chain risk management software, the time to implement one is now. Supply chains are the heartbeat of an organization, and treating it with the utmost care is vital. This type of software allows you and your team to remain focused on what matters most, while leaving the monitoring and mitigation of cyber security threats to them.
Supply chains are critical to the function of any organization that employs one. Protecting it through in-house due diligence or via risk management software can prevent downtime and stolen data by identifying any supply chain vulnerability. In today's technologically inclined environment, protecting supply chains goes beyond worrying about natural disasters, terrorist attacks, and government interference. It also means carefully considering cyber security and the threat posed by bad actors on the Internet.
The SolarWinds hack was a major event not because a single company was breached, but because it triggered a much larger supply chain incident that affected thousands of organizations, including the U.S. government.
The hackers used a method known as a supply chain attack to insert malicious code into the Orion system. A supply chain attack works by targeting a third party with access to an organization's systems rather than trying to hack the networks directly.
SolarWinds was a perfect target for this kind of supply chain attack. Because their Orion software is used by many multinational companies and government agencies, all the hackers had to do was install the malicious code into a new batch of software distributed by SolarWinds as an update or patch.
The SolarWinds supply chain attack is a global hack, as threat actors turned the Orion software into a weapon gaining access to several government systems and thousands of private systems around the world. Due to the nature of the software -- and by extension the Sunburst malware -- having access to entire networks, many government and enterprise networks and systems face the risk of significant breaches.
In the aftermath of the attack, the U.S. Cybersecurity and Infrastructure Security Agency issued guidance on software supply chain compromise mitigations. The guidance provides specific tactical recommendations on what organizations should look for to identify and remove potentially exploited components.
As it turned out, the SolarWinds incident was one of multiple attacks in 2020 and 2021 that highlighted risks with supply chain security. Incidents such as the Colonial Pipeline attack in May 2021 and the Kaseya ransomware attack in July 2021 demonstrated how attackers were able to exploit vulnerabilities in components of the software supply chain to affect a wider group of vendors.
However, these operating model choices sometimes led to unintended consequences if they were not calibrated to risk exposure. Intricate production networks were designed for efficiency, cost, and proximity to markets but not necessarily for transparency or resilience. Now they are operating in a world where disruptions are regular occurrences. Averaging across industries, companies can now expect supply chain disruptions lasting a month or longer to occur every 3.7 years, and the most severe events take a major financial toll. 2ff7e9595c
Comments