Management, compliance & auditing

Supply chain threats in 2019 and beyond

Tyra Appleby
July 23, 2019 by
Tyra Appleby

Businesses do not act alone when providing services or products to their customers. They often have manufacturers, suppliers and distributors included in their network. The steps used from origin to delivery of the product or service, and the activities, entities and resources included in the process are all a part of the supply chain. 

The supply chain is an important part of potentially reducing business costs and reducing response and delivery times to customers. This means supply chain management is a vital part of a business’s success.

This also means weaknesses in the supply chain are attractive to criminals. According to Symantec, 2018 saw supply chain attacks almost doubled, with an increase of over 78%. With such a dramatic increase in attacks, supply chain management may be one of the most important security items on a company’s agenda.

Supply chain attacks can take on many forms. Criminals have used a variety of methods to exploit this weakness. This means physical assets (hardware), virtual assets (software and cloud related architecture), credentials and vendor accounts are all at risk to compromise. According to experts and researchers, there are seven supply chain security concerns to monitor and address:

  1. Theft
  2. Counterfeit goods and smuggling
  3. Cloud access mismanagement
  4. Piracy
  5. Tampering of physical devices
  6. Third-party vendors
  7. IoT compromise

 Let’s take a look at each.

Theft

In 2018, inventory theft, or what it is commonly referred to as “inventory shrink,” cost U.S.-based retail businesses almost 50 billion in losses over 2018. This is normally the result of thieves, often employees, stealing untracked inventory and reselling outside of the intended marketplace. 

Inventory loss is expected for retail stores, but high losses can cause a company to close. Criminal theft rings can be complicated and often include employees that work for the company. Drivers hired to deliver products from the manufacturing site to the distribution center could be convinced, or coerced, into delivering products elsewhere. Employees responsible for tracking inventory after arrival could provide false or misleading numbers.

In order to help minimize theft, both the physical and systemic processes used to move products must be analyzed. Examining the physical process means evaluating all of the physical aspects that can be compromised. This includes the delivery methods, storage facilities and handling of the products. The systemic process is the overarching methods used to get products from one place to another. 

Where the physical process can be compromised, the systemic process can be corrupted. This is where abnormalities and incorrect data can be found.

A solid inventory tracking system is one step in curbing theft. This includes using inventory tracking software and implementing the use of barcodes. There are many software options available to assist in implementing better inventory tracking; it’s important to do research to see which best suits your business structure.

Counterfeit goods and smuggling

Smuggling involves the illegal transportation of products. Smuggling can be disruptive to the supply chain because smuggled items take up space in delivery containers that could be used for legitimate items. 

Smuggling is also how counterfeit products are transported, and counterfeit items are still a problem in supply chain management. Only a small portion, 3-5%, of the cargo brought into the United States is physically examined for authenticity. This is how so many counterfeit items are able to sneak their way in. 

Smuggling and counterfeiting can be difficult to fight. Companies need to take proactive steps in vetting their suppliers and knowing every aspect of their supply chain. 

Cloud access mismanagement

Many companies are moving their architecture into the cloud. Cloud computing has many advantages for supply chain management, but only if assets are properly secured. Important assets are often stored behind locked doors, vaults and in some cases, security guards. 

That same level of security should be implemented to virtual assets. Proper access security controls are vital. This includes implementing access roles and limited privileges to all system users.

Piracy 

Piracy is the oldest threats on this list, but it is still one of the biggest. It is also the gravest. Piracy not only threatens goods, but the lives of those responsible for protecting and delivering those products as well. 

Piracy is dangerous, and it is not a threat that is easily fought. No amount of compliance oversight can deter piracy, and with complex shipping patterns, it can be difficult to determine when pirates will strike. 

Increased security and patrols can help deter piracy, but this does not come without increased costs. In order to reduce costs, some shipping companies are reducing the number of members in their security details, which can increase the vulnerability. This trend could cause piracy to continue to rise.

Tampering of physical devices 

If physical devices are not well-protected, they could be infiltrated by criminals. Nefarious items could be installed or implanted, chips could be tampered, or items could be destroyed. Using anti-tamper measures can be costly and chip tampering is not easily detectable. Securing physical assets is an important part of reducing the risk of tampering.

Third-party vendors as an attack avenue

This is one of the most common supply chain vulnerabilities. In the Cyber Risk Report issued by the Ponemon Institute, it was found that third-party vendor misuse was the second biggest security threat for 2019. 

The Target breach of 2014 is still one of the most well-known third-party vendor attacks. This was caused by one of Target’s HVAC vendors, which had minimal security implemented. Once an attacker gained access, they were able to elevate their privileges. 

This type of scenario has happened with other companies as well. The Ponemon Institute also conducted a survey in 2018, which found that 56 percent of the organizations interviewed had a third-party vendor breach.

Allowing third-party vendors access to your network can be an important part of doing business. However, you have no control over how that company manages their security risks. Even after a vendor relationship is terminated, there is still risk. 

There have been reported cases of leaked information even after a company severed ties with a vendor. Many companies put thought into what processes to follow after the termination of an employee, but not often is the same consideration put into the end of vendor relationships. 

Stringent and proper oversight is the best way to reduce third-party vendor risks. This involves evaluating the security hygiene and policies in place with the vendor before allowing access.

IoT compromise

The use of Internet of Things (IoT) devices has increased dramatically over the years. These are non-traditional IT devices that have the ability to access the internet. 

IoT devices are also often used in inventory management. IoT devices are used to monitor the environment around them. They can monitor temperature, humidity levels, movement, handling and speed. This is useful in determining the condition of productions while in transit or storage, tracking items while in shipment, and determining when shipments arrive. 

IoT use is still relatively new technology, meaning its vulnerabilities are still being discovered as well. IoT sensors are used to connect to networks and send information. These sensors can be hacked, sending that information into the wrong hands. This information is also normally sent back into the cloud, which is another reason why cloud security is important. As with all IT devices, it is important to install all relevant security updates.

Some of the other vulnerabilities associated with IoT devices include:

  1. Improper use: This is still relatively new technology, so there are often implementation errors. The full security features are not always used
  2. Lack of encryption: These devices can store personal information about their user(s). Information is often sent back to cloud storage devices. If this information is sent plaintext, it makes it easy for potential hackers to intercept
  3. Unreliable interfaces: These devices often connect to various interfaces, web, cloud and mobile interfaces, to name a few. Using an interface creates an additional avenue for hackers to gain access. If these interfaces are minimally secure, this creates an additional vulnerability
  4. Minimal security features: Some of these devices have minimal, or at times no additional security features, including encryption or intrusion detection and similar

Some suggestions to offset these issues include:

  1. Performing Red Team exercises on IoT devices in use
  2. Receiving current U.S. Computer Emergency Readiness Team (US-CERT) alerts and/or alerts directly from the vendor
  3. Create data flow diagrams to help perform risk assessments and ascertain vulnerability points

Conclusion 

Supply chain management is a very important part of security. It is important that businesses understand their supply chain from start to finish and work to minimize the risks to their business. It’s also important to research all vendors, confirm their security practices, use properly vetted software and IoT devices and implement anti-tamper measures on physical assets. You cannot completely wipe out any risk — that’s the cost of doing business — but you can reduce it.

Sources

Tyra Appleby
Tyra Appleby

Tyra Appleby is a CISSP certified lover of all things cybersecurity. After serving 4 years in the Navy as a Cryptologic Technician, she continued supporting various DoD and government agencies as a Systems Security Engineer. She has a passion for writing and research, particularly in the areas of Reverse Engineering and Digital Forensics. When she’s not working, you can find her at the beach with her Rottweiler Ava.