Why your supply chain is your biggest cyber security risk

January 18, 2017 (updated May 23rd, 2017) | supply chain

And how to fix it

From Russia hacking Hillary Clinton’s emails to criminals stealing personal data from billions of Yahoo accounts, 2016 was the year when the issue of cyber security finally blasted into the public consciousness. But while we’re busy tweaking our Gmail passwords, we could be neglecting a much bigger problem: the threat to our industrial supply chains.
Cyber security was making headlines in the procurement world long before Trumpgate – it became one of the Top 10 Global Risks on the Allianz Insurance Risk Barometer in 2014. Many industrial systems were designed before today’s hackers were born, and over 50% of cyber attacks are carried out on country-critical infrastructures such as Electricity, Water and Oil & Gas, as well as computer-operated industrial machinery. SCADA (Supervisory Control And Data Acquisition) programs and PLCs (Programmable Logic Controllers) – the backbone control systems of industrial companies – are increasingly internet-based and notoriously easy to breach. There is even a search engine (www.shodan.com) that provides hackers with the IP addresses of all unprotected computers and networks.
The potential damage is huge. Once an attacker is in, they can remotely take control of a company’s industrial infrastructure, often without the operator being aware. Valves can be turned on and off, flood gates opened or shut, train line crossings left open, furnace temperatures increased, production lines shut down, product mixes altered, airport runway lights dimmed. No wonder insurance companies are increasingly unwilling to insure against cyber attacks.
Unfortunately for procurement teams, the source of any outside attack is most likely to be the supply chain. Any component entering an organisation that is connected to, or gets near, its Operational Technology (OT) network – including minor patch updates, or contractor services given access – is a potential cyber attack entry point. And with hundreds of internal buyers buying from hundreds of suppliers, identifying and securing those weak spots can seem like an insurmountable task.
It isn’t – but you do need a plan. With this in mind, we’ve identified four practical, cumulative steps that will help take your cyber security from pathetic to presidential.

Step 1 – Get visibility on your third-party suppliers

The first step is to gain visibility on the risk presented to your organisation by existing suppliers, and to differentiate between those that pose a high risk (Tier 1), those that pose a medium level of risk (Tier 2), and those that pose minimum risk (Tier 3). This requires an analysis of the equipment and services provided by each supplier, the source of supply, and their proximity to critical networks.

This is the principle behind our Cyber Risk Supply Cube, which allows you to see the cyber risk profile of each of your suppliers, what they are supplying to your organisation, where from, and to whom, all in one place. But whether you choose to use specialist software or go DIY, mapping your current danger points is the fundamental first step for improving your security shield.

Step 2 – Define policies & procedures

Once you’ve established the risk profile of your suppliers, you’ll want to create a clear set of policies and procedures that are aligned to your Source-to-Pay process. These include measures throughout the supply chain, from initial tender terms and conditions and evaluation criteria, to contract T&Cs, audit/compliance, managing delivery, installation and maintenance. Make sure to differentiate them between higher risk suppliers and lower risk suppliers, to minimise business impact during implementation.

Step 3 – Implement progressively

Time to put those policies and procedures into action. Implementation works best when rolled out in a progressively hardening cycle – in other words, start with suppliers who are easiest and highest impact, then move on to the tougher and lower priority candidates. This will help minimise any operational business disruption and maximise the effectiveness of your protective measures.

Step 4 – Vet new suppliers

Security vetting is essential for all Tier 1 and some Tier 2 suppliers to ensure that they are not the weakest link into your organisation. This can start with creating a detailed survey that your suppliers are required to complete, followed by on-site cyber auditing, compliance vetting on the supplier sites, and eventually systems and components vetting for the most highly critical components entering into your OT infrastructure.
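The four steps above describe a procedure but deliberately leave the scoring rule to the reader. The Python script below is an added illustration of how a procurement team could go DIY on Steps 1, 3 and 4; it is not code from this article or from the Cyber Risk Supply Cube product. The supplier records are constructed, and the proximity vocabulary, the weights, the tier thresholds and the "some Tier 2" vetting criterion are all assumptions chosen to make the steps concrete.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Supplier:
    """One row of the Step 1 inventory: what is supplied, where from,
    and how close it gets to the OT network. Field names are assumed."""
    name: str
    supplies: str
    country: str
    ot_proximity: str        # assumed vocabulary: "connected", "adjacent", "isolated"
    remote_access: bool      # vendor or contractor can log in to site systems remotely
    delivers_software: bool  # ships patches, firmware or configuration updates
    onboarding_effort: int   # 1 (easy) .. 5 (hard), used only for the Step 3 rollout order


# Assumed weights: proximity to the OT network dominates, remote access and
# software delivery each add an independent entry point.
PROXIMITY_WEIGHT = {"connected": 4, "adjacent": 2, "isolated": 0}
REMOTE_ACCESS_WEIGHT = 2
SOFTWARE_WEIGHT = 2


def risk_score(s: Supplier) -> int:
    """Additive exposure score for one supplier (assumed model, not the article's)."""
    if s.ot_proximity not in PROXIMITY_WEIGHT:
        raise ValueError(f"unknown proximity {s.ot_proximity!r} for supplier {s.name}")
    score = PROXIMITY_WEIGHT[s.ot_proximity]
    if s.remote_access:
        score += REMOTE_ACCESS_WEIGHT
    if s.delivers_software:
        score += SOFTWARE_WEIGHT
    return score


def tier(s: Supplier) -> int:
    """Step 1: map the score onto the article's three tiers (thresholds assumed)."""
    score = risk_score(s)
    if score >= 5:
        return 1
    if score >= 2:
        return 2
    return 3


def rollout_order(suppliers: list[Supplier]) -> list[str]:
    """Step 3: highest impact (Tier 1) first, easiest first within a tier,
    name as a stable tie-breaker."""
    ordered = sorted(suppliers, key=lambda s: (tier(s), s.onboarding_effort, s.name))
    return [s.name for s in ordered]


def needs_vetting(s: Supplier) -> bool:
    """Step 4: all Tier 1 suppliers, plus (assumed criterion) Tier 2 suppliers
    that hold remote access or deliver software into the estate."""
    t = tier(s)
    return t == 1 or (t == 2 and (s.remote_access or s.delivers_software))


# Constructed inventory for illustration; none of these are real suppliers.
SUPPLIERS = [
    Supplier("PLC Vendor A", "PLCs and firmware", "DE", "connected", True, True, 4),
    Supplier("Historian Software C", "plant historian", "US", "connected", False, True, 3),
    Supplier("Network Integrator B", "switch installation", "UK", "adjacent", True, False, 2),
    Supplier("Office Printers D", "printer drivers", "NL", "isolated", False, True, 2),
    Supplier("Valve Maintenance E", "on-site valve servicing", "UK", "adjacent", False, False, 1),
    Supplier("Site Catering F", "canteen services", "UK", "isolated", False, False, 1),
]


def by_name(name: str) -> Supplier:
    return next(s for s in SUPPLIERS if s.name == name)


def tier_report(suppliers: list[Supplier]) -> dict[str, int]:
    """Step 1 output: supplier name -> tier, the 'one place' view of the inventory."""
    return {s.name: tier(s) for s in suppliers}


if __name__ == "__main__":
    for name, t in tier_report(SUPPLIERS).items():
        print(f"Tier {t}: {name} (score {risk_score(by_name(name))})")
    print("Rollout order:", rollout_order(SUPPLIERS))
    print("Needs vetting:", [s.name for s in SUPPLIERS if needs_vetting(s)])
```

Run as a script it prints the tier of each constructed supplier, the Step 3 rollout order and the Step 4 vetting list. The weights are the part a real programme would argue over; the value of writing them down is that the argument happens once, in the policy, rather than buyer by buyer.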

These four steps may seem like a lot of work, but the sooner they’re embedded as best practice, the less risk you run of being a cautionary news story in 2017. Unless, that is, you’re OK with Putin becoming your new COO.

Thoughts? Questions? Need more help? We’d love to hear from you at hello@retearn.co.uk, or call us on +44 1344 874707.