Wanted: Innovative Responses to a New Security Threat

It is now possible for cybercriminals to take control of a vessel's GPS system
It is now possible for cybercriminals to take control of a vessel’s GPS system

The recent cyber attacks and security breaches at Target and Home Depot drew executives’ attention to the vulnerability of their companies to this type of crime. The incidents exposed some 40 million and 56 million credit cards respectively, and in the case of Home Depot, occurred despite the company’s best efforts to protect the firm.

What has this to do with supply chain management? The answer is a great deal. One of the main types of supply chain innovations (SCI) entails challenging the dominant design. In this case, that means challenging the prevailing method for supply chain security in response to the cyber security threat.

High-profile breaches such as the ones cited above have spotlighted cyber security, but awareness of the actual risks involved is still relatively limited.

This is especially true with regard to the flow of information that parallels the flow of materials, and powers all supply chains. These information streams include product details, logistics data, and customer information, as well as facts and figures on factory and retail operations and financial management.

The signs are there if we look at recent incidents and imagine the potential implications for supply chains. Here are three examples to consider.

  • After being dismissed by his employer, a wastewater plant employee in Australia hacked into the organization’s plant operations remotely and altered fluids flows resulting in a sewage release into the public waterways.
  • Just a few months ago the Zombie-Zero malware attack was discovered in several logistics and robotics firms. It had been active inside the organizations for more than one year, and was being used to observe and track conveyances on their logistics journey. The malware was found in scanners that were used by each of the firms, and was apparently embedded in a Chinese supplier’s facility. Sadly, software updates provided by the manufacturer failed to rectify the vulnerability.
  • A study on ocean-going vessels showed that clever adversaries have already figured out how to take control of a vessel using the GPS system.

These examples illustrate how attackers are capable of gaining access to internal systems to not only steal operational information that drives the supply chain, but also to control the targeted operations.

Current defenses against attacks like these are based on dominant designs for security systems. What are these models?

The dominant design for protection in the supply chain domain involves physical site security for material flows and/or conveyances. But, physical measures are of little use where cyber crimes are involved. Many of the IT systems that underpin information flows are protected by password systems, but invariably these are not very robust

There is also a dominant design for responding to supply chain security breaches. This often entails a lengthy process that starts with chartering a committee to investigate, develop, and implement a solution. The process tends to proceed relatively slowly, however. For example, Home Depot responded speedily after learning of the Target breach, but their efforts to inspect, detect, and protect were not fast enough to outpace the attackers. Companies often lack the in-house tools and resources to properly evaluate their vulnerabilities, much less respond quickly.

There are also some perceptual barriers to more effective responses. Most supply chain organizations view cyber security as an IT concern. The assumption makes sense given supply chain’s traditional focus: efficiency and effectiveness in sourcing, producing, and delivering to demand, while collaborating with upstream and downstream partners.

Ironically, however, it is these activities – enabled by integrated IT systems – that make the supply chain prone to cyber attacks. But companies have not yet learned that the threat to our systems through IT is as great as any other potential disruption.

Today, cyber adversaries not only destroy information, they can commandeer systems and use them to distribute weapons and contraband. They can engage in human trafficking or turn your business into a conduit for malware and further cyber attacks. And they are in the business of aiding and abetting the theft of cargo and competitive intelligence, and doing damage by altering information on customers and shipments.

Cyber criminals include professional gangs, business competitors, ‘hackvitists’ and nationalists intent on disrupting commerce for profit and political gain. Moreover, for every $1 that a hacker spends attempting to break into your system, the firm must spend $100 to defend itself. As a result, most firms have already lost or are losing the battle to prevent illicit access to their systems; the bad guys are already inside.

The dominant design for supply chain security decision-making and response must change if organizations are to have a chance of keeping pace with the cyber security threat.

This post was written by Jim Rice, Deputy Director, MIT CTL (jrice@mit.edu), and based on his Innovation Strategies column in the November 2014 issue of Supply Chain Management Review  



Leave a reply