Making Critical Infrastructure Supply Chains Secure by Design

July 19, 2022
Ian Bramson, SCB Contributor

The phrase “a chain is only as strong as its weakest link” has become a truism for a reason.

Whether we’re talking about steel rings or companies, each link in a chain is a potential weak spot that can be exploited to the detriment of the whole. The validity of this truth has come into stark focus as high-profile disruptions such as 2021’s Suez Canal blockage rocked industries across the globe, and cyberattacks on operational technology (OT) environments have brought critical infrastructure to a standstill.

While companies may be hard-pressed to anticipate a disruption like the one in the Suez Canal, cyberattacks are a different story. The number of attacks on global supply chains is skyrocketing. In 2021 alone, businesses fell victim to 50% more cyberattacks than in the previous year, and many of these attacks exploited the Log4j vulnerability. This issue left hundreds of thousands of customers and companies vulnerable to breaches by bad actors looking to exploit that weak link.

The Log4j vulnerability and others like it demonstrate the risks of working with suppliers with poor cyber hygiene practices. With this potential for exposure in mind, it’s time for all supply chain entities, from original equipment manufacturers (OEMs) to developers and those at the point of installation, to invest time and effort into reducing the risk passed from one company to the next.

Double Trouble

There are two types of cyberattacks to watch out for: those on the supply chain and those through it. Attacks on the chain are meant to disrupt a single link in the chain directly, causing a ripple effect by delaying both suppliers and outgoing deliveries. These target a single company providing a critical link in the chain. Attacks through the supply chain occur when a component is compromised by a cyberattack and then passed down the chain to other companies that fail to identify the threat when installing the component. As a result of these two threats, organizations should protect themselves from threats coming down through the supply chain and ensure they aren’t the weak link in the chain themselves.

When building components or integrating other companies’ products into their own, companies should consider the safety and security of each aspect of the design. They can begin by evaluating any third-party components or software they may be integrating into their own build. That means investigating, testing and verifying that any equipment a company receives works as intended, and does so without anomalies. Before integrating any third-party components, companies should:

  • Perform acceptance testing. When first receiving equipment, companies often just incorporate the component and move along to the next step. While they use this opportunity to make sure the equipment turns on and functions, they should also use it as an opportunity to vet for cybersecurity issues, by investigating the core components and putting the device through its paces. When a company fails to do this, it is essentially accepting the risk of the entire supply chain before it without any insight into possible complications.
  • Authenticate the specs. Teams should work alongside OEMs to understand the equipment’s key metrics and functions. Doing so can help illustrate the component’s functions, the specifics of the product, and its unique operating procedures. Establishing a baseline for the equipment’s behavior provides metrics for evaluating performance and possible anomalies in the future.
  • Monitor for anomalies. Once the baseline is set, companies have the opportunity to look for deviations from the standard. This information can help teams in OT environments determine the source of an anomaly should one occur.

Testing complete components received or used in equipment is helpful. Still, it doesn’t account for all inadequate testing practices and procedures that might have occurred earlier in the chain. It’s up to each entity to investigate and verify the security practices of all of the companies that came before it.

Upstream Accountability

Production flows down the supply chain, yet risk management needs to move the other way. When a company accepts a component, it inherits the risk of the suppliers before it, and insight into each link in the supply chain can help to mitigate that risk. When making purchases and partnering with suppliers, it’s in the best interest of each contractor to work with those organizations whose security practices they can vet and verify. The most effective way to do that is by building a supply chain that is secure and accountable from the start. Critical infrastructure providers and contractors should design the bidding and proposal process to reward proper cyber hygiene from its earliest stage. After all, the sales team might not know the origins of every piece of equipment they use, but they’ll find it in a hurry if it’s required to win a contract.

Asking all bidding suppliers to outline the origins of their components and subcomponents as a condition of the request for proposal (RFP) process will set the stage for better defense down the line. Having insight into the origins of equipment gives organizations the chance to turn down bids that might have a higher risk of being compromised. This process may start with individual companies outlining rating systems that weigh scores in favor of better cyber hygiene within their RFPs, but ideally the industry should come together to do this on a wider scale. Still, both versions could go a long way toward creating a market that rewards good practices and that will encourage suppliers to go beyond basic compliance to proactively adopt security practices that better protect their assets and put themselves ahead of their competitors for competitive bids.

The current reality is that 100% of risk won’t be visible in the RFP process, and it’s up to the organization to manage that risk in a way that works pragmatically with operations.

Of course, it’s equally crucial that organizations take measures to better ensure they’re good upstream suppliers for others. To be secure by design, companies should take a clean-build approach that mitigates the risk of introducing errors and vulnerabilities during assembly. Information and details about the project should be kept secure, components should be installed correctly to help ensure that any security measures in place continue to work, and teams should continuously monitor equipment for any issues that might arise so they can respond in real time.

On the Front Lines

OT environments are the front lines of the cyberwar being waged in the background of the critical infrastructure sector. While the public may associate attacks on water treatment plants or power grids with supervillains or sci-fi movies, those in the industry understand that such attacks are far from fictional. The battle for our public infrastructure has already begun. The threat to the companies that offer critical services to the public is real, as threat actors set their sights on huge ransom payouts from companies looking to protect lives and the environment.

While notable events like the Colonial Pipeline attack of 2021 raised the alarm, many companies are still falling short when adopting practices to protect their company assets and the public from cyberattacks coming through the supply chain. The best way to achieve that goal is to encourage industrial operators to change their approach to cyber hygiene, and shift their relationships with manufacturers and vendors to promote sound cybersecurity practices for decades to come.

Ian Bramson is global head of industrial cybersecurity at ABS Group.


All content copyright ©2023 Keller International Publishing Corp All rights reserved. No reproduction, transmission or display is permitted without the written permissions of Keller International Publishing Corp
