Summary Supply Chain Café #3
Sep 2021

Summary of the Supply Chain Café by PICS Belgium: “Cybersecurity in supply chain is no longer optional, your customers expect it”
Moderator & writer: Jan De Kimpe

Cybersecurity in supply chain is no longer optional

Supply Chain Café by PICS Belgium 10/10/2021
Moderator & writer: Jan De Kimpe, VP Pics Belgium

Presented by Thomas Heyman, security expert at Toreon and a security architect with 15 years of experience in both academia and industry. Thomas has a PhD in secure software engineering and has experience in secure architecture, governance and compliance, and in bringing IT and OT (Operational Technology) together.

Today supply chains are totally dependent on computers, servers, IoT, automated processes, AI and so on. These are used to link systems between customers and suppliers, but also with partners such as carriers. There is mention of strong growth in “attacks” on supply chain networks: 2021 counts more than 4 times the number of cases of 2020. If a chain has one weak spot through which hackers can enter, it becomes quite easy to infect the supply chain partners that spot is connected to. A well-known hacking case in Belgium is Picanol, but TNT also suffered a similar cyber-attack, putting pressure on the business. How do we protect critical components so that an attack not only stops short of infecting our own systems, but also does not travel through our links to supply chain partners? What is the impact if you aren’t doing this properly? And how does proper protection lead to competitive advantage? Cyber security can be an asset both to gain more customers and to prevent losing existing ones.

Lots of collaboration agreements between partnering companies in a supply chain cover topics like confidentiality, intellectual property and how to deal with each other. Only seldom are cyber security and each partner’s responsibility for it covered, although the impact of poor cyber security at one of the parties can be catastrophic. Insurance exists to cover these risks, but the premiums are high if the cyber protection is low. Legal responsibility for cyber-attacks passing from one network to another is currently unclear. But it is clear that the damage can be high: not only is the business blocked, but the reputational damage towards partnering companies is very high once a company has been “under attack”.

ISO27001 sets a norm for cyber security, with rules for assets, information security and service delivery. It is recommended to use this as a framework to work on cyber security in the supply chain. When partnering, one thinks of roles and responsibilities. When tackling cyber security, topics such as system patches, incident management, access to assets, scope of service, and avoiding surprises and cost should be on the table. It is important to be a trusted partner not only through products and services, but also through protection of systems and information.

NIST is a US framework, used here for operational continuity. It states that you should identify threats, take measures to protect against them, detect incidents and respond to them, but also think about how to recover from damage.

It is important to start from the business need and rely on a framework such as ISO27001 or NIST to begin work on this. And challenge your supply chain partners. For ICS environments, the IEC62443 standard can be put forward as a basis for cyber protection between parties in a chain. But most important: be aware of the risks and act and invest accordingly.

The PICS Supply Chain Cafés are one-hour interactive lunch sessions, where an industry expert is invited to present a supply chain topic in 20 minutes, followed by a lively debate among all participants.

PICS Belgium