Petya Ransomware Halted Maersk’s Supply ChainThe growing threat posed to supply chains was vindicated when NotPetya malware hit global businesses in approximately 59 countries in late June 2017, an attack which prevented one of the largest container shippers, Maersk Line, from taking new orders. The attack came just when the company introduced a new digitalization strategy in an industry where most of the bookings are taken via phones. The hardest hit of Maersk’s infrastructure was its APM terminal unit, which halted operations in some of the 76 ports in 59 countries around the globe. Those affected locations included New York (the largest port on the U.S. East Coast), Rotterdam – Netherland, and Jawaharlal Nehru Port (India’s biggest container port). As of this writing, Maersk has brought all of their IT systems back online after the cyber-attack but what does this attack mean to the rest of the shipping lines? Are they better secured than Maersk? Do their employees even know what to do when malware or ransomware hits their systems? It’s an eye-opening concern for organizations, as they may face a similar situation in the near future. Indeed, the NotPetya ransomware attack was just the beginning; a greater mess lies ahead if businesses continue to believe no risks threaten them due to ‘having operations at very low scale.’
Cyber Security Risks & ConsiderationsAs discussed in a workshop held by the National Institute of Standards and Technology, some of the key cyber security risks and considerations in an organization's supply chain need to be answered by every stakeholder involved in a business that utilizes cyber space.
1. Third-party service providers or vendorsWhat sort of cyber-security practices are expected from upstream suppliers? How should adherence to these expectations or standards be assessed? This is one of the basic deficits faced by the logistics industry. Global business giants have no idea how protected and updated the systems and applications used by their vendors are. Yet we promote the concept of Vendor Managed Inventory (VMI) and Collaborative Planning, Forecasting and Replenishment.
2. Poor information security practices by lower-tier suppliersHow many companies make sure that their lower-tier vendors are staying up-to-date on emerging system, network and application-level vulnerabilities?
3. Lack of cyber-security awareness among employeesCyber Security has a serious talent shortage, especially when it comes to supply chain. In my own experience, I have never come across any extensive cyber security module covered under the supply chain. In fact, most of the universities have not even introduced basic cyber security training in undergraduate or graduate logistics programs. Moreover, how many recruiters conduct an active assessment of basic cyber security knowledge when hiring individuals for key supply chain positions?
4. Software security vulnerabilities in company’s or supplier’s systemCyber criminals usually conduct a network scan to identify the weakest link. In most of the cases, it is not the strongest and most widely used system in your network that's exposed to cyber-attack. Rather, it's oftentimes the weakest of all; it may be a reserved system that might not have gotten your attention previously. This is cyber-security; it's not a kind of business strategy where you can opt for an 80/20 rule or ABC analysis to set priorities.
5. Counterfeit hardware/software with embedded malwareThis generally refers to small-scale companies that utilize BYOD to integrate the supply chain. What levels of malware protection and detection are performed on those devices? Make sure both hardware and software connected to the network are scanned by the information security team.
Now That You Know…Whether you are running a SMB or a blue-chip organization, investing in cyber security measures is a must. Remember, cyber security is an ongoing process, as cyber criminals are always finding new exploits in your network/system. They will never stop exploiting vulnerabilities. As such, the cost of not employing best cyber security practices is much higher than its implementation.