Bad robot

From the June 2024 print edition

As supply chains automate processes and rely increasingly on technology, cybersecurity is more important than ever.

The pandemic prompted a shift – employees worked from home, and companies expanded their supply chain portfolio with more local and small-to-medium suppliers. Although such changes have made companies more lean and agile, hybrid or fully remote work has become the norm post-pandemic, which hasn’t made cybersecurity any easier for companies, but rather increased the attack surface.

“A significant gap during the pandemic was a lack of visibility into the extended supply chains beyond major tier one suppliers,” says Abe Eshkenazi, CEO of the Association for Supply Chain Management. “Companies have addressed the visibility gap through digitization to tier two and beyond, traditionally small- and medium-sized companies. The digitization of these industries has increased efficiencies but also exposed them to new vulnerabilities. Unfortunately, these smaller organizations often don’t have the resources or capabilities to protect themselves or the network.

“Cybercriminals are constantly looking for a way in, and unprotected digital entry points are an easy target. Organizations in these sectors are advised to implement robust cybersecurity strategies that encompass not only their own systems but also extend to their partners and suppliers.”

According to Accenture’s Cyber-Resilient CEO report, cybercrime costs in recovery and remediation grew from $3 trillion in 2015 to $8 trillion in 2023, and are forecast to hit $10.5 trillion in 2025. “It’s the world’s biggest economy after the US and China,” says Sheri Williams, Industry X lead at Accenture.

Cybercriminals are not bound by geography, so today’s global and digital supply chains are vulnerable at any access point. A compromised network can lead to multiple issues, like product delays and shortages, reputational damage, compliance issues, safety risks and financial loss.

These threat actors aren’t stopping at holding critical information for ransom; they can also seriously impact production. Take Stuxnet, the first known virus capable of crippling hardware. It was discovered in 2010 and generated media attention because it was allegedly created by the US National Security Agency, the CIA, and Israeli intelligence. The original attack was aimed at Iran’s nuclear facilities, where the malware sent damaging instructions to equipment controlled by programmable logic controllers (PLCs) while sending false feedback to the main controller. Anyone monitoring the equipment would have no indication of a problem until the equipment failed.

“Cyberattacks against manufacturing have increased,” says Matt Cameron, global product manager, cybersecurity services at Rockwell Automation. “The recent State of Smart Manufacturing report that we created found that cybersecurity was the third highest external risk among manufacturers. This is further supported by the Dragos 2023 Year in Review report, which found manufacturing is a prime target for cyberattacks, with over 71 per cent of all ransomware attacks on industrial organizations crippling their operations and causing financial loss.”

As cyberattacks have increased, there is better awareness of what those risks look like and companies can now be smarter, identify vulnerabilities, and manage and mitigate risks.

“I would not necessarily say that the risks have increased as companies move towards more automated operations because many of these manufacturing facilities have had some level of automation for decades,” says Cameron. “Instead, as attacks like ransomware have become so wildly profitable for threat actors, the drive to hit these companies where it hurts has massively increased in order to increase their chances of getting a payout. When a company is losing hundreds of thousands of dollars per hour that they’re down, paying the ransom can quickly seem like an attractive option.”

For many businesses, IT has been working on cybersecurity for a long time. And Williams says, “The operational technology (OT) side of a business can learn a lot from the IT side. If we create much more integration and knowledge sharing and learning between the two organizations, the OT can benefit from what the IT department already has in place.”

“It’s important that the C-suite is thinking about this and understands the risks as well,” continues Williams. “About 54 per cent of CEOs actually still believe that it’s more expensive to put in a program to protect against cybersecurity than what it will actually cost them if they’re attacked. Our data shows that is not true at all. So, it’s really important the C-Suite understands the risks and is part of the culture change to drive that through the organization.”

Indeed, the fact that CEOs think that way drives these threat actors to attack. They’re getting paid. But there are tools and services to improve a company’s cybersecurity posture, reducing the risk of an attack.

“The most basic, but arguably the most important, is to ensure that your network is properly set up and the architecture meets industry standards,” says Cameron. “Even if you have all the security in the world, if your network isn’t set up properly it won’t be as effective. And things like asset visibility – if you can’t see it, you’re not going to be able to protect it.”

Williams says, “Having a single sign on for all of your users, whether they’re logging into your OT or IT systems, poses a security risk. Make sure new technologies are set up and configured properly and do assessments on your legacy systems as they will have vulnerabilities as well.”

According to Cameron there are also things like network segmentation, where even if an attacker got into your OT or IT environment, having proper network segmentation greatly limits what they can access, and it makes it easier to implement security controls.

Even greater protection includes implementing an Intrusion Detection System (IDS), an Endpoint Detection and Response (EDR) solution, and getting managed security services to ensure these tools are tuned and managed.

“These solutions sit on the customer’s network and look for deviations from what’s normal behaviour. So if there’s a device that randomly starts talking to another device on the network or a different section of the network, it would be flagged. And if a new exploit comes out and is being used across industry, it will be scanning and looking for indicators of that attack in your system as well,” says Cameron. “It’s often stated that the people at a company can be your largest security risk, so outside of the technology available to us today, it’s extremely important to educate staff on cyber best practices or hygiene and foster a culture of security awareness.”

Get proactive

The IDS and EDR solutions are reactive. On the proactive side, Cameron says that establishing an Incident Response Plan (IRP) will prepare you for an attack and enable you to get up and running quickly.

“An IRP retainer is a formalized agreement between the manufacturer and the IRP provider. It allows you to get all of the legalities out of the way, and have the liabilities in place,” says Cameron. “In the event of an incident, the IRP provider can jump in and do the forensic work to identify what happened. They can reverse engineer the attack to identify who the threat actor may have been, how they got in, and provide a report that can be used to brief media, if required. More importantly, you can use that information to prevent future attacks.”

Today’s cybersecurity tools use some artificial intelligence (AI) to detect suspicious behaviour in the IT and OT environments. As it becomes more sophisticated it will help security operations and give greater insight to end users.

“AI will be a key technology in the cybersecurity tool kit. AI can promote better decision-making, drive efficiency, and quickly detect issues before they lead to major problems,” says Eshkenazi. “However, as businesses increasingly adopt and utilize AI, unfortunately, cybercriminals are as well.”

“That’s one of the reasons Accenture is investing so heavily in advanced technologies such as gen AI, to help clients embrace ongoing resilience.

“Hackers are becoming more sophisticated through the use of digital innovations, which introduce new forms of complexity. It’s important to embed security at the core of the business to stay ahead of the curve,” says Williams.

Cameron agrees: “Once you code something to think on its own, it’s thinking strategically. And an AI malicious attack is trained to change their attack methods if they’re being detected. The best way to fight AI-powered attacks will involve AI-powered defenses.”

As supply chains and manufacturing become more interconnected, operations are more agile and can pivot amid disruptions. As AI and deepfakes become more widespread, Eshkenazi says a holistic cybersecurity approach is essential for safeguarding digital supply chains.