BLOCKCHAIN IS VASTLY OVERRATED; SUPPLY CHAIN CYBER SECURITY IS VASTLY UNDERRATED.
In 2012, an American chemical company reported that Chinese hackers had entered the company's network using a phishing e-mail and gained control of servers in Germany and Canada. For nearly three months, the hackers extracted critical pieces of company information, including customer order history, price quotations and terms, the company's cost structures, details about innovations about to be introduced into the market and even access to the firm's manufacturing planning and control system.
Once the hackers had extracted what they needed, they made their move. First, they altered the master production schedule (MPS), randomly changing order due dates, order quantities and order quality levels, wreaking havoc on critical customers who were relying on deliveries. As if by divine intervention, a new Chinese chemical firm approached these customers with "low-ball" offers for the affected products. The result was predictable: The customers switched vendors so that they could maintain their production schedules. Almost simultaneously, the new Chinese firm obtained patents on new products identical to those the American firm was developing. The company was left reeling.
We begin with that example for a number of reasons. First, it introduces the notion of supply chain cyber security--the need to protect the firm's supply chain and its assets (information, intellectual property and processes) from the negative effects of hacking. As the story shows, cyber security is not simply a corporate concept; it is now a supply chain concept.
Second, it is not unique. In a 2018 report, the U.K.'s National Cyber security Centre highlighted a number cyber attacks targeting supply chains. In one example, a cyber espionage group known as Dragonfly focused on companies in the energy sector across Europe and North America. In one of its attacks, Dragonfly "trojanized" industrial control software on the websites of ICS software suppliers. When the software was downloaded by end users, it installed malware that allowed the external seizure of a company's systems controls. What made this attack so devastating and difficult to detect was that the malware was downloaded from a trusted source, an unwitting supplier.
Third, it should be a call to action for the supply chain management community. As the digital economy increases in importance, we fully expect the need for more research into this topic, including the identification and evaluation of techniques and approaches to either minimize the probability of a hack taking place or to reduce the effects of a breach once it has occurred. Clearly, supply chain cyber security affects supply chain risk and resilience and therefore a firm's cyber security capability is one additional factor leading to enhanced resilience.
Finally, we note that cyber threats are a relatively new development. As a consequence, the topic is typified by confusion and misperceptions. Consider the heightened interest in blockchain as a panacea. While important, we contend that blockchain alone is not enough if a firm is interested in developing and deploying a comprehensive, effective cyber security strategy.
In the following pages, we will provide a structure around supply chain cyber security, with the goal of helping the reader better understand what it is, the reasons it's important and its key elements. Our message is simple: (1) cyber security is a supply chain issue, not just a corporate issue--ignore at your peril; (2) technology alone is no silver bullet; and, (3) justifying investments in cyber security is difficult, especially for anyone looking for a traditional ROI.
What is supply chain cyber security and why now?
Cyber security is a relatively new development in a supply chain world that is rife with new digital innovation, including Industry 4.0, the Internet of Things (IoT), Cloud computing, machine-to-machine communication (M2M), 3D printing and social media. And it is growing: The World Forum estimates that by 2020 roughly 4 billion people, or 50% of the world's population, will be connected to the Internet daily. What's more, the digital economy is estimated to be growing at 10% per year, with emerging markets growing between 12% and 25% per year. It's no surprise that supply chain managers are shifting their focus from cost containment and reduction to innovation and responsiveness. To make that possible, the volume of digital communication, including real-time communication and connection to global suppliers, will continue to grow exponentially. So too will the vulnerabilities of supply chains.
Some researchers have termed these digital developments collectively as the cyber supply chain. It promises to improve efficiency, reduce lead times, reduce order quantities, support greater order customization and reduce supply chain risk. This last benefit is the result of better inventory pooling, postponement, reduction of the bullwhip effect and other similar capabilities enabled by digitization. At the same time, the digitization of the supply chain creates three categories of critical digital assets: (1) information technology (IT); (2) intellectual property (IP); and (3) operational technology (OT). Each also presents an attractive target to cyber hackers. Let's look at each.
Information technology (IT) describes those digital assets that deal specifically with data used to record transactions, and plan, schedule and execute plans. It includes bills of material, cost structures, routings and master production schedules. The corruption of the chemical company's MPS described earlier is an example of a cyber attack on IT.
Intellectual property (IP), in contrast, describes the intangible assets that are often at the heart of a firm. Included in this category are items such as innovation, industrial designs, customer and supplier knowledge and the organization's core competencies. While IT is critical to day-to-day operations, IP is critical to the long-term survival and growth of the firm.
Operational technology (OT), the final category, includes the computer-controlled processes that drive operations on the shop floor within an organization or an organization's contract suppliers. The Dragonfly attack is an example of a cyber attack on OT. While IT attacks affect the ability to plan, OT attacks affect the ability to deliver. Past research carried out by several of the authors has found that most firms are aware of the need to protect IT and IP; yet, little attention has been paid to the need to protect OT.
Assessing cyber security attacks
If you want to appreciate the increasing importance of cyber security, especially within the supply chain, consider the following statistics. In recent years, 69% of firms experienced an attempted or realized loss of data due to a cyber security breach, according to Accenture, and only 24% of firms believe that their security provisioning is "state-of-the-art." The same report found that firms had spent about $84 billion to defend against data thefts costing roughly $2 trillion-damages that could rise to more than $90 trillion a year by 2030. Yet, 36% of respondents responded that the executive team perceives the costs associated with cyber security as "unnecessary." That is so even though about one-third of targeted attempts to breach a firm's cyber defense succeed. Those breaches are expensive: The average cost in the United States is $7.91 million, the mean time to identify a breach is 197 days, and the mean time to contain a breach is 69 days (or 276 days in total), according to a 2018 report from IBM Security and Ponemon Institute. The net result is that companies are investing significant sums to stop or minimize the negative consequences from a cyber security event but don't necessarily fully appreciate the financial and reputational magnitude of the threat.
Finally, recent reports focused on combatting cyber risks in the supply chain, have noted that major recent security breaches, such as well-publicized breaches at Target and Home Depot, were the result of vulnerable supply chains. KMPG has identified vulnerable supply chain partners as the most significant gap in a firm's ability to manage cyber risk. And, according to Accenture, between 35% and 57% of firms are now investigating business partners for the integrity of their cyber security provisions and preparedness if an event were to occur.
These examples highlight several important issues. One is that the digital technologies with the most promise to create significant value are also generating the data that is attractive to hackers interested in corporate espionage, including organized criminals, nation-states, insiders and hacktivists. Another is that those committing such crimes are getting bolder, more creative and more unpredictable. And, finally, the supply chain is perceived as the weakest link in a firm's cyber security structure.
One recent study observed that cyber-related vulnerabilities in one tier of the supply chain undermine the integrity of the security measures taken by downstream and upstream members of the chain. That is especially the case with small-to-medium size enterprises (SMEs), which are often the most vulnerable. SMEs are often targeted because they have "disproportionate access to important information given their size within the supply chain," according to a CERT-UK study. They typically have the weakest cyber security arrangements, given their resource and managerial limitations; yet, they are often "mission critical" because they produce niche products for their larger partners that can't be found elsewhere.
More than technology
While the roots of cyber security threats lie in technology, technology alone is no solution: You can't just buy a better anti-virus program or migrate to a more secure operating system and declare victory. Rather, supply chain cyber security is an integrated system that relies on a combination of technology, process, culture and management, especially the buy-in of top management through a compelling business case. We include culture in this mix because cyber security ultimately relies on people doing what is required because they want to do it rather than because they must comply. As Marc Lebaron, the chairman and CEO of Lincoln Industries, once so appropriately noted: "Culture is what people do when the boss is not around."
An integrated system should provide a complete life cycle approach to dealing with cyber security threats--that is, it must deal with all four stages of the cyber security strategy: prevention, detection, containment and recovery.
Finally, cyber security must be forward looking as opposed to backward looking. Too often, managers and researchers base their approach to the future on what has happened in the past. The implicit assumption is that the future will be a continuation of the past. When it comes to cyber security, nothing could be further from the truth. Hackers are smart, creative and relentless, and often supported by governmental agencies. Once you think you have figured out how they have compromised your organization's cyber system, they will come at you with a new mode of attack. Consequently, one of the goals of an effective cyber security system is to anticipate attacks based on anomalies rather than looking for a repetition of past patterns. It is our position that any effective supply chain cyber security system must address the three questions identified in Figure 1.
The first question: 'What to protect" reflects the three critical digital assets we previously discussed: IT, IP and OT. The second: "Against what type of attack" recognizes that there are three types of attacks. A targeted attack is self-evident: The hackers want to get access to your valuable digital assets and they aren't interested in any other organization but yours. In contrast, in a broad-based attack, the hackers are spreading a wide net in hopes of catching one or more organizations that respond to the attack--think phishing attack. Collateral damage refers to damage to the firm as a result of a cyber attack taking place elsewhere in the environment. For example, the NotPetya cyber attack in the Ukraine affected companies such as Merck, FedEx and Maersk that were not direct targets of the attack (see sidebar). An integrated cyber security strategy must deal with all three forms of attack.
The third question considers four areas of cyber security investment: (1) prevention refers to investments made to secure the system and prevent hacks; (2) detection refers to investments aimed at creating signals that breaches have either been made or have been tried; (3) containment refers to investments made to prevent the spread of the hack, once it has been identified; and, (4) recovery refers to investments made to return the system to an acceptable level of steady-state performance. Our point is that all four investments must be part of an integrated strategy.
The problem with blockchain
We began this article with a bold--perhaps outrageous--statement: Blockchain is vastly overrated. Our argument is not that blockchain is irrelevant to supply chain cyber security; rather, we argue that while blockchain may be an important tool, based on the headlines, you might have the impression that it is the cure to whatever ails you, much the way RFID was touted as a supply chain wonder technology a decade ago. It is not. Here's why.
At its roots, blockchain is structured to ensure security in an environment where trust is low and where there is concern that someone can alter data, such as an individual altering an electronic check so that a $500 deposit becomes a $5,000 deposit. Blockchain does this by creating multiple distributed copies, or ledgers, of the transaction. For a fraud like the one described above to be successful, all copies must be changed--something that blockchain's structure makes almost impossible to achieve.
Viewed from this perspective, we contend that blockchain addresses some, but not all, of the concerns over supply chain security. For example, blockchain does address threats to IT. It would have been effective for combating changes to the MPS at the chemical company we described at the start of this article because it would have been nearly impossible to change all of the ledger instances. However, it would not have protected the intellectual property or operational technology that was also targeted in that attack. In other words, blockchain does not by itself deal with all of the dimensions of supply chain cyber security.
Cyber security challenges
Despite the costs paid by firms like Target following a serious breach, getting firms to take cyber security seriously is difficult, especially as it pertains to the supply chain. That was certainly the experience of the U.S. Department of Defense. From 2016 to 2017, the DoD attempted to enforce supply chain cyber security through a combination of mandate and threat. The mandate, DFARS 252.204-7012, was built on the NIST SP 800-171 cyber security framework. The threat was that if a supplier was not compliant with the framework by December 31, 2017, it could no longer do business with the DoD. In the end, the DoD found compliance with the new mandate difficult to achieve. The obstacles encountered are familiar to those in the non-governmental world.
It is new. One of the biggest challenges facing supply chain cyber security is that it is new. Consequently, while a great deal has been written about the topic, it's difficult to separate the wheat from the chaff--to identify what is important and true from the inaccurate and exaggerated. We would argue, for instance, that a lot of what has been written about blockchain tends to fall into the greatly exaggerated category. It also takes time to build up the supporting infrastructure, which includes a network of consultants, case studies (often of successful implementations) and the support of professional societies like SME, ISM and CSCMP, where experiences can be raised and shared and solutions distributed. Many firms tend to be risk-adverse when it comes to new issues like cyber security, willing to wait until the confusion has cleared and they know what has to be done. This means that many firms are reluctant to invest now, despite the anecdotal evidence supporting the need for enhanced cyber security.
Building a business case. Investing in cyber security is expensive and time consuming. This point was driven home to the authors in a recently completed study of the response of the supply chain to the DoD cyber security mandates.* One of the questions we posed to some 200 respondents was how much they estimated it would cost to become compliant. About 36% of the respondents answered less than $50,000 while another 33% of respondents indicated more than $500,000. That was a ten-fold difference. Further investigation uncovered that experience was the reason for the gap in expectations.
Those companies that had yet to begin the process of becoming compliant were more likely to see costs at the low end while those that had either attained compliance or were working on it were found at the upper end.
Because it is an investment, cyber security can be approached in one of two ways: as a constraint or a requirement that has to be met, making it another cost of doing business to be minimized; or as an opportunity, something where the benefits exceed the costs. Firms that view it as a constraint will do the minimum required--at their peril. However, before it can be viewed as an opportunity, a business case must be developed. Here's the problem: Because cyber security is so new, the cost of not having cyber security is more difficult to calculate relative to the cost of improving cyber security. What is needed is a cost of cyber security measure--an approach similar to the cost of quality developed in the late 1950s that convinced many firms of the need to invest more into quality improvement.
Lack of case studies. Successful case studies offer potential templates for other firms to follow; unsuccessful case studies help firms understand what works and what does not. Yet, it is almost impossible to get case studies when it comes to cyber security. Simply put, given the potential hit to customer confidence, a company's share price or its borrowing costs, no one wants to share their experiences, regardless of the outcome. During our research for this article, we were struck by the number of individuals we interviewed who would only share their experiences if the identity of their firms was hidden. Without being able to capture these experiences, our ability to build better cyber security systems is greatly hindered.
Lack of performance measures. If supply chain cyber security is to become a fact of life, then it must become part of the performance measurement ecosystem, with regular measurements that reflect the current level of performance. As the old adage goes: "What gets measured, gets managed." At the same time, few measures of cyber security are currently available. Without those measurements, the implied message from supply chain managers will be that cyber security is not important, which is a dangerous implication. One further note: It must also become part of supplier contracts and specifications.
SMEs. The final, and most important challenge is the threat posed by SMEs, which are typically firms with fewer than 500 employees. During the DoD's compliance efforts, it found that SMEs were the least likely to comply with the new cyber security mandate. They (1) didn't really understand cyber security; (2) didn't have the resources to become compliant; and, (3) didn't understand the underlying NIST framework. In other words, they weren't choosing to not comply, they simply weren't capable of compliance. Without more attention to this space, SMEs will continue to be the weak link in the supply chain.
During our research for this article, we developed five critical takeaways.
Cyber security is not an IT issue. Improving cyber security is not simply a matter of throwing more IT people or software at the problem. Rather, it must be integrated into business processes and it must become everyone's responsibility. That includes the C-suite and the Boards of Directors to ensure that a firm's stakeholders will not suffer from a risk that can be managed.
Cyber security is a supply chain issue. Savvy supply chain managers and governmental agencies now recognize that in a digital age, the real vulnerability to their systems is a compromised tier 2 or tier 3 supplier that is part of their connected supply chain. As we previously noted, most of the major security breaks have occurred through the supply side of the supply chain.
Cyber attacks are on the rise. No one doubts that we can expect the level of cyber attacks to increase in the future. A recent report noted that the global cost of ransomware damages exceeds $5 billion and predicted that the total costs associated with cyber crime will hit $6 trillion per year by 2021; meanwhile, the number of unfilled cyber security jobs is expected to triple. No wonder that Ginni Rometty, IBM's CEO, and Warren Buffett have identified cyber crime as the greatest threat to business and consumers.
SMEs are ground zero. We've said it earlier, but it bears repeating: If a firm is going to be attacked, it will be through the weakest link. Right now that is SMEs. Yet, without more research, we don't currently understand what it will take to protect this critical link in the supply chain. We do know they are key to developing an integrated strategy.
It's time to act. Firms need a systematic, integrated approach to cyber security, and they need it now. Within this new context, we can see that blockchain is vastly overrated but supply chain cyber security is vastly underrated.
The NotPetya cyber attack targets the Ukraine
The rest of the world pays the price
In June 2017, the Russian GRU Military spy agency launched the mock ransomware virus NotPetya. This virus, which looked like ransomware, was anything but ransomware. Its goal: Destroy all of the data on any infected computer. Once the inflected computer was turned on, it was doomed. The target was the Ukraine and the goal was to wipe data from the computers of banks, energy firms, senior government officials and airports. Once released, however, the virus spread to the computer systems of companies located in Denmark, India, France, the United Kingdom and the United States (however, more than half of those affected where in the Ukraine) -- computers that were linked through supply chain relationships to those of the Ukraine. The resulting costs made this attack the most devastating cyber attack in history.
The costs were estimated as:
* Merck, pharmaceutical company: $870,000,000
* FedEx, delivery company: $400,000,000
* Saint-Gobain, French construction company: $380,000,000
* Maersk, Danish shipping company: $300,000,000
* Mondelez, snack company: $188,000,000
Total damages attributed to NotPetya: $10 billion
* Melnyk, S.A., Peters, C., Spruill, J. Sullivan, K.W. Implementing Cyber security in DoD Supply Chains. NDIA white paper, Manufacturing Division Survey Results, July 18, 2018.
Steven A. Melnyk is a professor of operations and supply chain management in the department of Supply Chain Management, Michigan State University. He can be reached at email@example.com. Cheri Speier-Pero is the interim chairperson of the department of Supply Chain Management, Michigan State University, and the Ernst & Young professor in accounting and information systems. She can be reached at firstname.lastname@example.org. Elizabeth Connors is a faculty member in the department of Accounting and Information Systems at Michigan State University. She can be reached at email@example.com.
FIGURE 1 Supply chain cyber security: The key questions WHAT TO PROTECT? Information Intellectual property Processes AGAINST WHAT TYPE OF ATTACK? Targeted Broad-based Collateral damage WHAT TO INVEST IN? Prevention Detection Containment Recovery Source: Authors
|Printer friendly Cite/link Email Feedback|
|Author:||Melnyk, Steven A.; Speier-Pero, Cheri; Connors, Elizabeth|
|Publication:||Supply Chain Management Review|
|Date:||May 1, 2019|
|Previous Article:||A DIGITALLY-CONNECTED, CONSUMER-DRIVEN Supply Chain: Lessons learned at Princess Auto Limited when it implemented "flowcasting.".|
|Next Article:||The supply chain planner of the future.|