Overcoming risk by improving visibility in the supply chain

By Alastair Dickson

It is impossible to discuss risk management within manufacturing without reference to the issue of supply chains and networks. Whilst the risks themselves may be cybersecurity threats, operational disruption, availability issues and even volatility in raw material prices, manufacturers have realised that these risks present a threat both within their own organization, and via the ‘community’ of suppliers, partners and even customers with which they interact. 

This ‘community of risk’ is innate to manufacturing. It is an inevitable result of the process of acquiring raw materials, processing them, and turning them into something of higher value. 

In the 21st century, amidst global networks of third-party suppliers and point in time ordering, and the corresponding high demands of customers wanting fast delivery, the risk (and cost) of disruption is high. 

Digital risk 

The infusion of technology into processes that span these networks has made supply chain cybersecurity threats the biggest risk faced by manufacturers.  

There is the immediate increase in risk, as a supply chain presents more targets for would-be attackers than a single manufacturer does.

But there is also the increased risk of diverse types of threat. It is a sad truth that the bad guys have gotten smarter: they have evolved from simple cyber-vandalism to ransomware, data theft, financial fraud, extortion and in some cases, advanced persistent threats that are built over months to compromise the entire research and development of a company. 

You cannot defend against what you cannot see 

To combat this increased risk, be it cyber risk or otherwise, the first step is visibility of all the relevant assets and entities. This is typically in the form of data, which is then used to assess performance against frameworks of best practice and establish a control or metric.

The objective of this visibility is continuous monitoring, rather than a periodic assessment – in order to deliver a completely up-to-the-minute picture of the risk profile of a manufacturer. Ideally this monitoring should be automated, with reports available without the risk of human intervention. 

In order to span complex supply networks, the platform for visibility needs to be data agnostic, capable of monitoring any data source, ‘out of the box,’ as well as framework agnostic, capable of delivering compliance with frameworks such as NIST, PCI, MITRE, COBIT, ISO 27001, SOX, CIS, and HIPAA – either individually or in combination. 

Lastly, this should be available as a managed platform or service.  Few organizations have the necessary skills and resources to manage their risk across cyber security and beyond. 

Addressing the problem with CCM

When this exercise is first undertaken, the initial picture that is often revealed is a dense threat map.  This may highlight users who have not been offboarded, high numbers of vulnerabilities throughout the organization and partners, excessive systems administrator rights, and unpatched applications and outdated firmware. This is often a moment of sober realisation for manufacturers as they see the poor state of their security posture, the lack of visibility into assets and the subsequent exposure to risk. 

It is this awakening that has driven the uptake of continuous controls monitoring (CCM) – an ongoing, automated checking of controls throughout a business to minimize risk, ensure compliance and optimize a security posture.  

For manufacturers facing an ever-increasing range of threats, throughout the supply chain, CCM offers a consolidated, current view of risk that can enable meaningful action. 

This is actually nothing new to manufacturers in verticals such as food or pharmaceuticals. Continual monitoring of key processes has been part of these sectors for years.  CCM simply expands this throughout the enterprise and then out into the supply chain.  

How big a threat and how much to trust 

There is often a question of just how far into these supply chains a business needs to see: how big the risk is and thus, how much of a response is needed? 

As a quick ‘rule of thumb,’ consider how much your organization currently spends on combatting malware and multiply it by 1.4. In January 2023, research was published showing that the number of data breaches resulting from supply chain attacks exceeded malware-based attacks by 40 percent.

From a strategic perspective, every manufacturer needs to be taking substantial, proactive steps to assess its visibility into its own supply chain, as this area of risk will only increase. Part of this needs to be using the visibility of a platform such as CCM to implement zero trust.   

A zero-trust framework assumes that every access request is unauthorized until its credentials are proven. Even if a risk within the supply chain manages to get through security, the damage it could cause is limited, because even non-threats are confined to specific areas of a business.

It is this level of vigilance throughout the supply chain that will keep manufacturers secure as risks continue to increase.  

 

Alastair Dickson 

www.quodorbis.com 

Privately owned and founded in 2018, Quod Orbis is an innovative company providing market-leading expertise in cyber security and continuous controls monitoring (CCM). CCM is a Gartner-recognized, security technology solution that delivers real-time visibility of data to identify, automate, monitor and improve the effectiveness of controls and cyber risk management.