The war in Ukraine has brought the issue of cybersecurity into the mainstream of public opinion, with increasing media coverage of actual and potential Russian cyberattacks on businesses and infrastructure, often far from the fighting.
These threats are very real, but for many companies they are not entirely new. Supply chain cyberattack risks, in particular, have been growing for some time, especially for companies in life sciences and other industries with sophisticated supply chains. And they can come from states like Russia, or from criminals.
A sampling of recent articles sheds light on the threats. The digital technologies that have made supply chains more efficient and responsive also make them vulnerable to bad actors. “The level of automation in the pharmaceutical industry makes it a prime environment for attacks. These environments are complex, and they haven’t been built to defend against nation-state attacks,” one security expert recently told the Biospace news site. The growing connection of operational technology to the network is also a factor, because it means bad actors can not only steal or damage data, they can also disrupt production and operations.
The variety of partners typically involved also makes the supply chain an attractive target. That’s because it increases the number of potential entry points, and it also means that a single attack can quickly move through the network to affect numerous partners.
Recent events have made this even more of a problem, as COVID and Ukraine have disrupted supply chains and forced companies to quickly turn to new, and often unknown, suppliers. As one security expert recently told Supply Chain magazine, this is a problem for medical device manufacturers, “because on-time production and delivery can be a question of life or death. Supply chain is already the weakest link in any organization, even at the best of times. But for complex medical devices, where there is a multi-layered supply chain of hardware and software? For them, changing suppliers, or adding to them, significantly increases the exposure to risk.”
In short, cybersecurity will be a key supply chain concern for years to come. As a recent Forbes article noted, “Cybercriminals will continue to capitalize on the world’s heavy reliance on supply chains, infiltrating entire chains and not just individual companies…. More than ever, cybersecurity vulnerabilities are showcasing how interconnected we all are—as well as the fragility of many of these connections.” As a result, the article explained, supply chain cybersecurity should be a board-level issue.
Staying on top of the threat will require a multipronged defense.
Companies need to continue to harden their information and operational technology landscapes, through everything from zero trust security and education that combats social engineering to security assessments, improved vetting of suppliers, and a comprehensive inventory of supply-chain assets. At the same time, they should prepare for the real likelihood of a cyberattack on their supply chain and build the resilience to get back up and running quickly in the event of a problem.