Experts on cybersecurity and supply chain management (SCM) like to draw attention to the fact that operating systems are only as strong as their “weakest link.” The “weakest link” argument is evoked with good reason when discussing risk management.
It does not matter how strong your network security is – if there is fragility within it, that’s all that matters, that’s all it takes. Whether the vulnerability stems from poor internal security control or external danger, a compromised link can put the entire global supply chain at risk.
The vulnerability of the supply chain in the midst of the biggest cyber security breach to hit the shipping industry – the breach on Danish maritime giant AP Moller-Maersk’s information technology systems in June 2017 – is nerve-racking to say the least.
From one ransomware attack, near catastrophic failure of global supply chain systems resulted. Terminals in the ports of New York, New Jersey, Miami, Los Angeles and Rotterdam were closed. Terminals operated by Maersk Line, such as the Jawaharlal Nehru Port Trust near Mumbai, India's biggest container port, couldn't load or unload because they were unable to track the origins of shipments. The Port of Gothenburg and many other ports reverted to manual processing for several hours. A freeze on deliveries at the South Florida Container Terminal caused retailers' orders (including some critical goods) to be delayed.
Reputational impact on Maersk was high and the financial loss from disrupted production and deliveries of goods to customers in several countries for many companies was immense.
In almost every industry, companies are more dependent than ever upon suppliers, intermediaries, cloud- based communication systems, third-party service providers and vendors in the supply chain network. “The demand for constant online communication creates enormous opportunities for hackers to exploit weak vendor security practices as a point of entry into their ultimate target,” adds Steve Bridges, Senior Vice President of JLT Speciality, an insurance brokerage firm focusing on cyber insurance.
The role and risk of vendors in security lapses in the supply chain were further highlighted by the recent data breach at Verizon, the US’s largest wireless communications carrier. Verizon had been employing Israeli-based telephonic software and data firm NICE Systems to carry out customer service analytics. The incident was discovered in late June 2017. An employee from NICE Systems had left the data of millions of customers exposed on an unsecured Amazon server for the previous six months.
A particularly pernicious aspect of cyber attacks is the way the threats are always “on the move”. By their very nature, attackers try to circumvent roadblocks and counter-measures.
Staying ahead of threats – like the WannaCry or WannaCrypt ransomware attack and the rapidly moving “Petya” - is challenging. When a virus affects a shipping company like Maersk Line that is responsible for the flow of goods (fleet, containers), the ripple effect on the supply chain is swift and enormous.
Fast-moving, hostile groups and individuals possess the persistence, tactical skills and technological prowess to damage and destroy major SCM systems, including, ominously, the logistics chain.
Also, while somewhat mitigated by employee training, it is not always possible to ward off insider events – those resulting from employee vulnerabilities.
Insider events can include the phenomenon of social engineering (when a criminal gains access to buildings, systems or information by exploiting the human psychology of employees). There is also the casual use of devices by employees and the mishandling of information by workers who are not adhering to best practices.
A further concern is the complexity of cyber threats.
Michael Daniel details the sheer level of complexity in his article, “Why Is Cybersecurity So Hard?” Harvard Business Review: “Cyberspace operates according to different rules than the physical world. I don’t mean the social ‘rules’ but rather the physics and math of cyberspace. The nodal nature of a light-speed network means that concepts like distance, borders, and proximity all operate differently, which has profound implications for security.”
Because there is no such thing as typical proximity, nor typical borders, “physical world” constructs and solutions don’t work very well.
Organisations and institutions are touching upon tricky new frontiers legally and policy-wise, such as the proper division of responsibility between governments and the private enterprise to protect. Defence against risks – whether from the outside or the inside of an organisation – needs significant investment to keep up with the threats.
