
CYBER SECURITY IN SUPPLY CHAIN

Why supply chain is important


IT systems and technology in the supply chain affect the whole business, so an attack on the supply chain has the potential to disrupt the following:

• Purchasing activity and order management
• Customer and supplier relationship management
• Demand and inventory monitoring and forecasting
• Management of financial flows
Supply chain : cyber security risk and challenges

The Key Cyber Supply Chain Risks, as determined by NIST, are:

• Logistics data has been increasingly digitized over the past few years. As more data moves into more online systems, often shared and integrated across entities, transportation becomes a bigger target.
• Poor information security practices by lower-tier suppliers.
• Compromised software or hardware purchased from suppliers.
• Software security vulnerabilities in supply chain management or supplier systems.
• Counterfeit hardware or hardware with embedded malware.

Due to the complexity of globally functioning supply chains, pinpointing and avoiding cyber-related supply chain risks is nearly impossible. Human error is an equally serious risk to infrastructure security.

Who’s the real risk, Man or Machine?

“Cybersecurity is never just a technology problem, it’s a people, processes and knowledge problem.”
Solutions
• Compliance and governance of suppliers, vendors, third-party actors, partners, traders, manufacturers and contractors: continuously assess the risks of the actors involved in sharing cyber-based information, hold all parties to a clear standard level and prepare incident response plans accordingly.
• Robust IT security solutions internally are a means of establishing clear and limited access guidelines for supply chain vendors. Standard IT solutions such as antivirus, anti-spyware and firewall technologies, DNS filtering, network access control, limited network access for relevant vendors, exception alerting, public key encryption algorithms and API security should be used.
• Training and sharing security best practices with staff and vendors.
• Ensuring IoT sensors and cloud service providers provide the latest security features.
• Certification to international standards is one of the often-overlooked elements of ensuring cyber security in business operations. Achieving and holding certifications to ISO standards such as ISO 27001 represents a level of competency and provides a point of reference for the proper handling of information security.
Basic elements of security program

Sources:
• https://www.supplychaindive.com/news/supply-chains-tech-savvy-cybersecurity/552769/
• https://www.supplychainbrain.com/blogs/1-think-tank/post/30282-cybersecurity-risks-in-supply-chain-management
• https://csrc.nist.gov/CSRC/media/Projects/Supply-Chain-Risk-Management/documents/briefings/Workshop-Brief-on-Cyber-Supply-Chain-Best-Practices.pdf
• https://www.researchgate.net/publication/327142143_Towards_a_Reliable_and_Accountable_Cyber_Supply_Chain_in_Energy_Delivery_System_Using_Blockchain
USE CASE : e-procurement site security

Introduction : Internet-enabled procurement means transactions in the public domain; the e-Procurement process is about data sharing and communication and is competitive, so the security of such a system is of paramount importance.

Why security is important

• Given the legal nature of orders and payments, security of data is critical in e-Procurement systems.
• Identifying and authenticating the user who places an order.
• In order to encourage buyers and suppliers to engage in e-Procurement, it is critical that both parties have complete confidence and trust in the underlying security infrastructure.

Security requirements :

• No unauthorized person has access to data
• All sensitive data is encrypted
• Minimal possible recovery time in case of a disaster or system crash
• The login passwords of all the users and the suppliers are also encrypted at the database level
• Secure Administrator Access
• Process Validation
• All the data is encrypted and cannot be hacked/misused by anyone (128 bit SSL Certificate from Verisign)
• Detection system

Sample activities inside portal
e-procurement : network security

Network security requirements are taken care of by firewalls. Firewall data is integrated into the SIEM and SOC for real-time monitoring and analytics, giving better threat detection and monitoring.

[Diagram: e-procurement site connected to the Security Operation Centre]
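An added example (not from the original slides) of the kind of SIEM rule that turns the firewall feed described above into an exception alert for vendor access, covering the "limited network access for relevant vendors" and "exception alerting" items from the Solutions slide: each vendor gets a policy of granted ports and an agreed access window, and every vendor connection outside that policy becomes an alert, whether the firewall allowed it or not. The log layout, the vendor name and policy, and the addresses are constructed assumptions; malformed lines are counted rather than dropped, because a gap in the feed is itself worth a look.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// FirewallEvent is one parsed line of the firewall feed the SIEM ingests.
// The "key=value" layout used here is a constructed, hypothetical format.
type FirewallEvent struct {
	Time    time.Time
	SrcIP   string
	DstIP   string
	DstPort string
	Action  string
}

// VendorPolicy captures the limited access granted to one supply-chain vendor:
// the internal ports it may reach and the UTC hours of its agreed access window.
type VendorPolicy struct {
	Name         string
	AllowedPorts map[string]bool
	StartHour    int // inclusive, UTC
	EndHour      int // exclusive, UTC
}

// sampleLogs is constructed sample data, not output from any real firewall.
const sampleLogs = `2024-03-04T09:15:02Z src=203.0.113.10 dst=10.0.5.20 dport=443 action=ALLOW
2024-03-04T09:16:40Z src=203.0.113.10 dst=10.0.5.21 dport=22 action=ALLOW
2024-03-04T02:03:11Z src=203.0.113.10 dst=10.0.5.20 dport=443 action=ALLOW
2024-03-04T10:00:00Z src=198.51.100.7 dst=10.0.5.30 dport=443 action=ALLOW
2024-03-04T10:05:00Z src=203.0.113.10 dst=10.0.5.40 dport=3389 action=DENY
malformed line that must be counted`

// DefaultVendors maps each vendor's known source address to its policy.
// The vendor and the address are hypothetical (documentation range).
func DefaultVendors() map[string]VendorPolicy {
	return map[string]VendorPolicy{
		"203.0.113.10": {Name: "example-logistics-vendor",
			AllowedPorts: map[string]bool{"443": true}, StartHour: 8, EndHour: 18},
	}
}

// ParseEvent turns one log line into a FirewallEvent; ok is false for any
// line that does not match the expected layout.
func ParseEvent(line string) (ev FirewallEvent, ok bool) {
	fields := strings.Fields(line)
	if len(fields) != 5 {
		return ev, false
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return ev, false
	}
	kv := map[string]string{}
	for _, f := range fields[1:] {
		k, v, found := strings.Cut(f, "=")
		if !found {
			return ev, false
		}
		kv[k] = v
	}
	ev = FirewallEvent{Time: ts, SrcIP: kv["src"], DstIP: kv["dst"], DstPort: kv["dport"], Action: kv["action"]}
	return ev, ev.SrcIP != "" && ev.DstPort != "" && ev.Action != ""
}

// Exceptions is the SIEM rule: one alert per vendor connection that reaches a
// port the vendor was never granted, or an allowed port outside the agreed
// window. The firewall's own verdict is kept in the alert text: an ALLOW on an
// ungranted port points at a rule gap, a DENY points at probing from the vendor side.
func Exceptions(logs string, vendors map[string]VendorPolicy) (alerts []string, malformed int) {
	for _, line := range strings.Split(logs, "\n") {
		if line = strings.TrimSpace(line); line == "" {
			continue
		}
		ev, ok := ParseEvent(line)
		if !ok {
			malformed++
			continue
		}
		pol, isVendor := vendors[ev.SrcIP]
		if !isVendor {
			continue // not a vendor address; other rules cover it
		}
		hour := ev.Time.UTC().Hour()
		stamp := ev.Time.Format(time.RFC3339)
		switch {
		case !pol.AllowedPorts[ev.DstPort]:
			alerts = append(alerts, fmt.Sprintf("%s %s -> %s:%s not in granted ports (firewall %s)",
				stamp, pol.Name, ev.DstIP, ev.DstPort, ev.Action))
		case hour < pol.StartHour || hour >= pol.EndHour:
			alerts = append(alerts, fmt.Sprintf("%s %s -> %s:%s outside %02d-%02d UTC window (firewall %s)",
				stamp, pol.Name, ev.DstIP, ev.DstPort, pol.StartHour, pol.EndHour, ev.Action))
		}
	}
	return alerts, malformed
}

func main() {
	alerts, malformed := Exceptions(sampleLogs, DefaultVendors())
	for _, a := range alerts {
		fmt.Println("ALERT:", a)
	}
	fmt.Printf("%d alert(s), %d malformed line(s)\n", len(alerts), malformed)
}
```

On the constructed sample the rule raises three alerts (SSH on port 22 that the firewall allowed, a 02:03 UTC connection outside the window, and a denied RDP attempt) and counts one malformed line; the non-vendor address is ignored because other rules cover it.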
E-procurement : authentication
Various security tools for authentication
e-procurement : application security
Authentication Requirement
• Any purchasing system must support authentication of users so that individual transactions can be traced back to the relevant person.

Solution
Guidance and recommended practices
• User name and password is not enough
• Digital Signature (issued by a licensed CA)
• Digital Signature Certificate
• Personal Identification Number (PIN) or
biometric
• Control of technical vulnerabilities
(Firewalls)
• Network authentication
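An added example, not code from the original slides, of the authentication flow the bullets above describe, using only the Go standard library: a stand-in for the licensed CA issues a Digital Signature Certificate to a buyer, the buyer signs a purchase order with the matching private key (the key a PIN or biometric would unlock), and the portal accepts the order only if the certificate chains to the trusted CA and the signature matches the exact bytes submitted, recording the certificate subject so the transaction is traceable to a person. The CA name, the buyer id "buyer-0042" and the order text are constructed assumptions; in a real deployment only the CA's certificate, never its key, would live inside the portal.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Issuer stands in for the licensed CA. Only Pool (the trust store) belongs in
// the portal; Key is shown here so the example can issue certificates offline.
type Issuer struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
	Pool *x509.CertPool
}

// createAndParse signs tmpl with the signer key and returns the parsed certificate.
func createAndParse(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewIssuer creates a self-signed CA (hypothetical name) and a trust pool holding it.
func NewIssuer() (*Issuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Licensed CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := createAndParse(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &Issuer{Cert: cert, Key: key, Pool: pool}, nil
}

// IssueUserCert is the Digital Signature Certificate step: after identity
// proofing, the CA binds the user's name to a freshly generated signing key.
func (ca *Issuer) IssueUserCert(user string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: user},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	cert, err := createAndParse(tmpl, ca.Cert, &key.PublicKey, ca.Key)
	return cert, key, err
}

// SignOrder runs on the buyer's side: hash the order bytes and sign the digest.
func SignOrder(order []byte, key *ecdsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(order)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifyOrder runs in the portal on submission. The presented certificate must
// chain to the trusted CA and the signature must match the bytes received; the
// returned subject name is what the audit log records against the transaction.
func VerifyOrder(order, sig []byte, cert *x509.Certificate, roots *x509.CertPool) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not issued by a trusted CA: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", errors.New("unsupported key type in certificate")
	}
	digest := sha256.Sum256(order)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", errors.New("signature does not match order contents")
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, _ := NewIssuer()
	cert, key, _ := ca.IssueUserCert("buyer-0042", 2)
	order := []byte("PO-1001: 500 units, supplier S-77, total 12500.00") // constructed order
	sig, _ := SignOrder(order, key)
	who, err := VerifyOrder(order, sig, cert, ca.Pool)
	fmt.Println("accepted, signed by:", who, err)
	_, err = VerifyOrder([]byte("PO-1001: 500 units, supplier S-77, total 125000.00"), sig, cert, ca.Pool)
	fmt.Println("tampered order rejected:", err)
}
```

Two failure cases matter to the portal and both are rejected here: an order whose bytes were changed after signing (the digest no longer matches), and a certificate carrying the same buyer name but issued by a CA that is not in the trust pool (the chain check fails before the signature is even examined).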
e-procurement : data security
end
Problem

There are many ways a supply chain breach could occur. For example,
• A software manufacturer could be breached via malware that modifies source code that is then distributed to enterprises that use the software.
• Another common compromise vector might be the theft of a vendor’s credentials that grant remote access to an enterprise the vendor works with, leading to infiltration of the enterprise network from an already trusted source (the vendor network).
