At a Glance:
- More connectivity and digitization make organizations and supply chains more vulnerable to cyber threats.
- As a result of a ransomware attack or data breach, organizations need to regain access to their systems and data, but also face adverse effects from loss of production and general disruption.
- UL has an assessment tool that evaluates suppliers’ security posture. The assessment culminates in a documented supplier Trust Level rating for each supplier in the chain.
Among the many strategies for addressing supply chain risk, the imperative to have a uniform method for scoping and monitoring risk is key.
In developing that framework, researchers identify three areas that continue to be tricky to navigate. According to McKinsey’s strategic management consultants, those topics are supply base transparency, scope and scale of risks, and proprietary data restrictions. When identifying the range of suppliers, the significant time investment, severity of the risk and limited access to information tend to impede the process of creating a robust risk assessment that effectively minimizes disruption, they said.
In the following Q&A, Gonda Lamberink, a supply chain expert at UL (Underwriters Laboratories), references McKinsey’s report and other constructive research to discuss challenges and potential solutions.
Part of Lamberink’s role at UL is to engage with the North American Transmission Forum (NATF), National Association of State Energy Officials (NASEO) and the National Association of Regulatory Utility Commissioners (NARUC) to help unlock a set of rules that can be applied across industries. Lamberink explains how the development of a new audit-based assessment solution known as Supplier Cyber Trust Level—designed to help utilities comply under NERC CIP-013—has created a workable, transferable framework.
Machine Design: What are the main risks at play around the interconnecting facets of a company’s security infrastructure system?
Gonda Lamberink: Supply chains are generally susceptible to cyberattacks. A 2019 study by Carbon Black found that half of all cyberattacks are aimed at supply chain partners. Attackers want to gain access to an organization’s entire system, including partners and suppliers, and/or exploit partners and suppliers in order to gain entry to an organization’s internal systems. Resilience360’s 2020 Annual Risk Report lists cyberthreats as one of the biggest issues facing global supply chains in 2020, with COVID-19 having weakened supply chains generally, and as supply chains are becoming much more digitized.
Although effectively all organizations are aware of the fact that they might be at risk through a third party, a Crowdstrike 2019 study finds that a majority still do not vet suppliers’ security, although the number of organizations doing so is growing. And that also doesn’t mean that organizations today don’t make an effort to inventory their supply chain’s security posture, but supply chains may not be fully covered, information may be partial and/or information may only be minimally consulted for decision-making on suppliers and supplier choice.
MD: Can you discuss a case study that demonstrates the costs of a damaged reputation due to a cyber breach?
GL: Without discussing specific companies, major organizations within industrial manufacturing, automotive, pharmaceutical/chemicals and technology, banking, retail and healthcare, along with their supply chains, have all been impacted by ransomware, data breaches and activities of adversarial hacker groups. More connectivity and digitization make organizations and supply chains more vulnerable to cyber threats.
As a result of a ransomware attack or data breach, organizations need to regain access to their systems and data, but also face adverse effects from loss of production and general disruption. Reputational brand losses add to the total cost of these attacks and breaches. As part of a recent report by Weber Shandwick/KRC Research, “The State of Corporate Reputation in 2020,” global executives on average attribute 63% of their company’s market value to their overall reputation.
At the same time, 2019 research by Radware shows that 43% of organizations suffer negative customer experiences and reputation loss as a result of a successful cyberattack. All in all, the impact of cyberattacks on shareholder value can be substantial and sustained, with some organizations showing a fall of 25% in their market value over the year following an attack, as measured by Pentland Analytics and Aon in 2018.
MD: Why are enterprises not compliant and what will it take to get there?
GL: Supply chains present a weak link for cybersecurity, as many organizations struggle to control security controls or measures taken by supply chain partners. Suppliers often are the target as they can be less aware of or not adequately protected against potential threats, due to a lack of resources, among other reasons. Organizations may have their enterprise security goals covered, but need to ask their IT/OT (Operational Technology) suppliers, and their suppliers’ suppliers, across the entire value chain, to have a similar level of adequate security in place.
A report by McKinsey, “A Practical Approach To Supply-Chain Risk Management,” suggests that a common problem is that organizations don’t know what they don’t know, and most organizations don’t know where to start in order to know what they’re dealing with. Supply chains may have hundreds or thousands of suppliers, and to achieve transparency into the security posture of all suppliers is hard. Suppliers may not want to share security proprietary information with their end customers either, and internal security teams may become quickly overwhelmed to assess suppliers and their products or services.
MD: What exactly is UL’s Supplier Cyber Trust Level assessment tool? How does it enable manufacturers and integrators to manage and evaluate their suppliers’ security posture?
GL: UL’s Supplier Cyber Trust Level is a security assessment solution that enables organizations to obtain a holistic view of their suppliers’ security posture through a fair and consistent assessment method. Thus far no single framework or standard adequately addresses the complexities of securing an organization-wide supply chain.
A UL Supplier Cyber Trust Level assessment analyzes suppliers’ security practices, resulting in a documented supplier Trust Level rating for each supplier. This rating demonstrates the robustness of suppliers’ practices holistically, across their software and hardware development lifecycles, hosted systems and information management systems.
Through use of the Supplier Cyber Trust Level solution, organizations minimize their own cybersecurity risk by focusing on the effectiveness and cybersecurity posture of their suppliers’ security practices. Suppliers also benefit, through independent, third-party review of their self-assessment, UL-assisted assessment or a full UL assessment, to improve their security and be more competitive in procurement processes.
MD: How can organizations minimize risk when they focus on the effectiveness of their suppliers’ security practices?
GL: The security of supplied components, products and/or services is something that is typically not under the control of the purchasing entity. An organization may have full control over its own operations and the secure development and maintenance of products and services developed in-house. However, in today’s complex, diversified and connected supply chains, end products and services may contain components and inputs from many different suppliers that can pose a security risk, which an organization often still only minimally controls.
Ideally, organizations should ensure that any sourced component meets the right security requirements, both at a component-level and also provided by a security-mature supplier with secure product development processes. Additionally, having visibility into suppliers’ security practices allows organizations to partner with best-in-class suppliers, which motivates suppliers to improve their security posture in order in order to ensure future business.
Gonda Lamberink is a senior business development manager with UL.