Of late, it seems to this Editor that the topic of the threats and implications of cyberattacks has been far more prevalent in 2017, for very good reasons.

There are many facets of supply chain risk and major disruption, and combating cyberattacks is clearly becoming top-of-mind.

A new reminder of such threats comes from a recent, albeit disturbing, ABC News-Associated Press report indicating that malware attacks have been specifically targeting industry supply chains that are predominantly managed by just-in-time (JIT) inventory and production processes.

The report profiles a North Carolina automotive transmission supplier that was impacted by a malware attack a year ago, shutting down the production line until the company paid a ransom to the hackers. It seems that today’s hackers fully understand the JIT principles where supply chains manage inventory and production to hourly or daily replenishment needs, and little more. Thus, any significant disruption causes disruption further up and down the supply chain, one that can translate to a rather expensive exposure. In the specific case of the North Carolina automotive supplier, it was upwards of $270,000 in lost revenue and wages for every hour the factory was not shipping parts to nine Toyota Motor car and truck assembly plants.

As Supply Chain Matters has noted in prior commentaries related to either specific cyberattacks or Internet-of-Things enabled manufacturing processes, many of today’s factory systems and networks are aging and do not necessarily have all the latest information security safeguards installed. Some data and application interfaces have not been updated in months or years, and some rely on technology no longer supported by the original provider. That places a difficult burden on internal IT support teams to ensure that continuous production uptime is maintained, not to mention marshaling an effective response when a malware attack occurs. That is especially an ongoing concern for specialty or mid-sized manufacturers who do not necessarily have access to a large in-house IT support team.

The AP report cites a Cisco Systems survey of nearly 3000 cybersecurity executives conducted last year indicating that one out of four (25 percent) manufacturing organizations reported cyberattacks that cost them money in the prior 12 months. No doubt, that number is a lot higher since many companies tend to treat such information as confidential and not for disclosure. Other data cited indicate that cyberattacks that target industrial control systems have doubled in the past year, in the U.S. alone.

In a Supply Chain Matters July posting, Actions to Consider in Cyberattack Defense and Mitigation, we reinforced the obvious takeaway that the frequency and scale of cyberattacks are indeed on the increase, with many more to come. This is a multi-billion-dollar problem, and now we know that hackers are sophisticated enough to understand industry supply chain process vulnerabilities, weak points that provide lots of leverage in securing ransom demands.

In our July commentary, we outlined four mitigation actions that supply chain teams should be actively working on. Given this latest reminder of targeted vulnerabilities, we are compelled to reiterate:

  • Scope and continually understand your company’s supply chain risks.
  • Factor the age of legacy systems, particularly those related to older factory control systems.
  • Determine in advance the specific roles and responsibilities in Business Continuity Management.
  • Ensure active training, questioning and inquisitiveness with internal and external teams regarding information as to unusual or suspicious activities, security awareness and action plans if and when a cyberattack occurs.

 

Hackers are indeed becoming more sophisticated in many dimensions including an understanding of supply chain vulnerabilities.

Bob Ferrari

© Copyright 2017. The Ferrari Consulting and Research Group and the Supply Chain Matters® blog. All rights reserved.