Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Wednesday, December 16, 2009

Supply Chain Security Threats: 5 Game-Changing Forces

Supply chain security is being remade by black swan events, economic blahs, and more.  What can a CSO do to keep goods and information flowing?  As any CSO knows, it’s not enough to mind your own business.  You have to look after your business partners as well, across all links that connect to your supply chain—whether that chain is physical or virtual.  And that goes double in times of rapid change and high stress.  “The threat environment is constantly changing,” says Ryan Brewer, CISO for the Centers for Medicare and Medicaid Services.  “Sometimes it’s hard to put your finger on what’s most important.”  Who would have thought three years ago that piracy on the supply chain would be such a big concern?  Sometimes the big worry is terrorism, sometimes it’s natural disasters, lately it’s malware.  Here are the top five developments CSOs say have the biggest potential to wreak havoc on their supply chains.

No. 1 Game-Changing Force: ‘Black Swan’ Events

As Nassim Nicholas Taleb explained in his 2007 book of the same name, the term “black swan” refers to an event that is high-impact, hard to predict and rare.  Black swans need not be negative (as in the case of 9/11) and can present times of great opportunity, but CSOs rightfully spend their time worrying about the former scenario.  When it comes to the supply chain, black swan events can include everything from disastrous weather to global pandemic to terrorist attacks.

The problem is, if you prepare for the worry du jour, you may leave yourself exposed on other fronts.  Warned that a large-scale outbreak of Asian bird flu would put supply chains at risk, global businesses braced for the worst.  Executives discussed how the supply chain might be affected if the flu broke out in China.  Their plans rested on transporting and storing materials in other places around the world.  Then, early this year, H1N1 flu broke out in Mexico and spread quickly to unexpected regions like Australia. 

“Companies had to immediately reassess their plans because they were based on specific scenarios,” says Adam Sager, senior manager of business continuity consulting at Control Risks, a security consulting firm in Washington.  “Companies realized they needed to better prepare for unexpected events and increase their knowledge of how their organizations could be impacted.  If something is emerging on a global basis, they need to act before it affects their supply chain,” says Sager.

When a crisis hits—no matter where on the globe—you need to be able to understand and assess the situation using firsthand country- and location-specific information, says Sager.  And you need bidirectional communication between crisis managers and the locale where the event is occurring.  Sager notes that companies are discovering gaps between their crisis plans and their operations.  “They had security management and crisis management plans in place, but the missing link was integrating them with the business so people around the world could understand management’s position regarding critical things such as uptime, issue resolution and who’s responsible,” he says.  This type of information is often not conveyed to the field in advance, a crucial error.  Management needs to empower local decision-makers in advance to take action quickly to mitigate damage if certain conditions are met.

The plans have to address not just key supply chain nodes and specific scenarios that could occur, but also emerging security vulnerabilities.  “That is a different mind-set and way of planning,” Sager says.  “The security department has to come together with the operational/financial side of the business,” looking at all aspects of the supply chain, including where the different components are located and alternative sourcing arrangements.  Sager puts his clients through tabletop testing, in which executives sit in a conference room and go through a scenario point by point with the key decision-makers, reviewing how they would respond.

Marc Siegel, commissioner for the ASIS International Global Standards Initiative, is leading the charge to develop an ISO standard for supply chain resilience.  ASIS has already published SPC.1, its first organizational resilience standard, which it expects will be ready by the end of the year.  “We think standards are the answer for dealing with [black swans],” Siegel says.  “Companies have to develop a comprehensive [supply chain resilience] strategy because their resources are limited… This allows you to look at the full picture, rather than just separate out the different things.”

Organizations need to approach risk from a holistic standpoint, Siegel adds.  “The problem with the risk du jour is that the likelihood of it happening varies so greatly between organizations that it can divert your attention away from doing a comprehensive risk assessment.”  In short, it can make you take your eye off the ball.

No. 2 Game-Changing Force: The Rise of Malware

Information security matters also weigh on CSOs’ minds, though they are not as visibly related to the supply chain as physical security is.  An organization (and therefore its supply chain) can be brought low by an attack on its information network as surely as it can be hurt by an attack on its cargo.  Many CSOs say they are worried about botnets; two of the most pressing threats related to botnets are spam/phishing attacks on employees and the possibility of a resurgence in the denial-of-service (DoS) attacks that first appeared 10 or more years ago.  Ed Amoroso, CISO of AT&T, blames rampant technological complexity for the rise in malware.  “The primary root cause for almost everything we deal with—commercial customers and everything—is complexity.  The computers and networks that people set up and use have become way too complicated,” says Amoroso.  “DoS used to be about large-volume traffic hitting your network,” says Lee, an officer for the National Incident Response Team and assistant vice president at the Federal Reserve Bank of New York.  Rena Mears, a partner in security and privacy services for Deloitte & Touche, believes the malware supply chain is itself approaching maturity.  Lee, for one, does not believe that network service providers can adequately protect against the threats posed by new-breed malware.  Many CSOs expect the associated threat pool to continue to widen.

Although the economy is forecast to improve slowly in the coming year or two, many experts expect the reshaped landscape will not necessarily signal a return to prosperity for all, or even most, of society.

This is certainly true in the food/beverage/agribusiness industry, due to the obvious importance of maintaining a food supply that’s safe from contamination, whether malicious or innocent.

Posted on 12/16