By Sedar M.T. LaBarre, Vice President, Booz Allen Hamilton
Prevent Your Supply Chain From Becoming a Cyber Attack Chain
Hidden Risks and Higher Expectations
Supply chain functions have traditionally been seen as internal operations— something that happened behind the scenes for customers, as long products were delivered on time and in good condition. But that’s starting to change in today’s connected society. Governments are realizing that attackers can use supply chains to quietly infiltrate their networks, while large corporations are looking at supply chain security as part of their vendor risk management. Both have dramatically increased expectations and scrutiny over vendors, suppliers, and partners, driven by high-profile cyber breaches and shareholder demands.
Meanwhile, threats are becoming more sophisticated and varied. Although global companies and governments are discovering critical supply cyber vulnerabilities, adversaries have known about them for a long time. Nation states, hackivists, organized criminals, and lone wolves are scanning supply chains for weak points. If one of your suppliers lacks security controls, you could inherit their vulnerabilities. And, once you accept their components, you also accept the risks of being attacked or passing along an attack to your customers. If a cyber attack occurs, you will own the impacts—including brand damage, operational stoppage, legal exposure, canceled sales, and government sanctions.
You might have a top-notch cyber security program, but if you don’t have a strong supply chain cyber risk capability, you are leaving yourself open to an attack and passing along critical vulnerabilities to customers. Securing the supply chain is essential to decreasing vulnerabilities and creating a competitive advantage that helps your business thrive.
Although standards and guidelines are evolving to create consistency among cyber security programs, there is no formula for security. Standards and frameworks can help identify the landscape and set a minimum level of performance; however, standards often force you to be either compliant or non-compliant. If not used in the appropriate context, standards are a static solution for a pre-determined problem set. Instead, supply chain risk management should be intimately tied to strategy and operations: It must be personalized to your organization.
Rather than focusing on standards, look at your program through a maturity lens. Focusing on maturity allows you to identify where your program stands today, where it must be in the future, and how to get there.
Conduct a maturity assessment to build a roadmap.
Supply chain cyber risk maturity assessments are simply gap analyses between how well your program operates today compared to how it should operate in a target state. To effectively evaluate this, you need to identify the key controls that apply to supply chain risk management. Next, identify key objectives for each control that you plan to evaluate. From there, conduct a baseline assessment of your current state—an honest assessment, backed by examples. The outcome of your maturity assessment should be a roadmap to enhance your program that accounts for quick wins and long-term priorities. It should also help address the key requirements that your customers demand.
Identify key risks throughout your supply chain lifecycle.
Breaking down your supply chain lifecycle into discrete phases can help identify key risks, since each phase presents its own vulnerabilities and risks. For example, during the distribution phase, threat actors can intercept physical deliveries of products, place malware in cyber sensitive components, and allow the shipments to continue to end customers. As you identify risks for each phase, assess the likelihood and impact of each risk. This prioritized list becomes your risk agenda and helps determine what to address first to enhance your supply chain cyber risk management program.
Decompose some of your key product lines.
To help you assess the visibility, control, and risks in your supply chain, try selecting a few key product lines and decomposing them into their cyber-sensitive components. Then see how much information you can collect on their manufacturing sources, acceptance testing, suppliers, and intended customers. You will likely find that your internal systems and policies are prohibiting you from this level of visibility; however, it is this level of visibility that customers will be demanding in the future, if not already. With that visibility, you can assess the processes, controls, and risks associated with those cyber sensitive components.
A maturity approach is not “one size fits all.” Using a maturity model allows you to answer the questions that are not yet asked by compliance while aligning your supply chain to your business strategy. It allows you to focus on increasing your overall security ahead of government requirements.
Creating the right balance of security and resilience in your supply chain will allow you to build a foundationally stronger supply chain cyber risk program—to not only differentiate you from competitors but to also better understand the areas that are key to your success. Companies that successfully manage and protect their supply chains will have the advantage in the market.
Sedar LaBarre is a vice president with Booz Allen Hamilton where he leads the firm’s commercial High-Tech Manufacturing, Retail, and Otherpractice. He has more than 18 years of practical consulting experience—providing clients with unique advisory services equally balanced in strategy and functional expertise. Sedar leads a multi-disciplinary team focused on helping companies realize technology-enabled growth from advanced analytics, military-grade cyber, and cutting-edge IT transformation. He is a recognized international expert in cyber security standards and was the chief architect of Booz Allen’s CyberM3 reference model. He has worked extensively within all sectors of the U.S. government (cabinet-level agencies, all branches of the military, the intelligence community, as well as several small to micro government agencies); public sector clients in the United Kingdom, Europe, and the Middle East; and within the private sector areas of financial services, retail, telecommunications, consumer products, industrial manufacturing, and automotive.