The Supply Chain Audit and Risk Management (SCARM) Initiative

Mhaliek Ferguson

Old Dominion University

WLC 494 – Entrepreneurship

Instructor: Akeyla Porcher

December 9, 2023

Introduction

As defined by the National Institute of Standards and Technology (NIST), a cyber-attack is any kind of malicious activity that attempts to collect, disrupt, degrade, or destroy information system resources or the information itself. Cyber-attacks take many forms, ranging from Denial-of-Service (DoS) attacks, phishing, and spoofing to the type of attack this paper aims to address: supply chain attacks. Supply chain attacks are usually aimed at third-party vendors who offer a product or service that is imperative to the supply chain. There are two types of cyber supply chain attack. In a software supply chain attack, hackers inject malicious code into software so that it spreads to other users of the application. In a hardware supply chain attack, the physical components a system depends on are compromised for the same purpose. Our focus is on the software side, since software supply chains are more susceptible for many reasons. A successful breach could mean the compromise of many people’s private data. The number of people impacted by supply chain attacks increased by 41.5% from 2021 to 2022, with 422.1 million people affected. Sources have shown that just over 1 in every 10 businesses review the potential risks posed by their immediate suppliers. Companies that do not review these risks report that they lack the time and money, are unable to get the required information from suppliers, are unsure what to check for, do not consider it a priority, do not have the skillset to inform their suppliers, or are unsure which suppliers to check. Despite taking place in cyberspace, disruptions to a supply chain have had large ripple effects on production and trade. If a business were to discover that vulnerabilities in its systems had enabled attackers to inject malicious code for a supply chain attack, it would leave a direct negative impact on its reputation.
This not only leads to fines for not having proper cybersecurity measures in place; the business would also have a harder time with partner companies, because of the high risk that comes with doing business with a company that had once been the target of such an attack. Supply chain attacks have led to massive shortages of goods due to interruptions in ordering systems, to price inflation, and to businesses being forced to close because of the damage done, negatively impacting the livelihoods of many people. The purpose of this paper is to examine cyber-attacks on the supply chain. It discusses what occurs during these attacks and some of the real-life events that have resulted from them, since leaving this issue unchecked could lead to dangerous consequences, and it presents an innovative model based on the mitigation techniques found in different technology guidelines and frameworks. The innovative model introduces the creation of the Supply Chain Audit and Risk Management (SCARM) company and its framework. The purpose, as detailed in the paper, is the creation of an audit company that will be hired to work with companies and their third-party vendors to ensure that they are properly informed of the risks in their supply chain, to enact measures in order to reduce or eliminate those risks, to hold training workshops that decrease potential future risks, and to monitor the outcome of our intervention to gauge how successful the innovation model is.


The Issue: Cyber Supply Chain Attacks

A supply chain is the combination of all the individuals, organizations, resources, activities, and technology involved in the creation and sale of a product or service. Supply chains can encompass everything related to the initial creator of the product, the people who transport that product, and the distributor of the product itself. A cyber supply chain, then, covers the Internet-facing aspects of a typical supply chain, such as an online ordering system for companies, notification systems for deliveries, and third-party vendors that contribute hardware or software to the parent company. The main task of a cyber supply chain is to establish linkages and relationships with all the companies in the supply chain. By its inherent nature, the cyber supply chain is an ideal environment for cyber risks to spread. Many components that make up a company’s hardware or software system are not created by the company itself but by third-party vendors. Many organizations and banks outsource their sensitive customer data, financial information, business strategy, and organizational structures to third-party companies and vendors for storage, processing, analysis, delivery, and aggregation for business decisions. Different types of crime take place in different supply chains. For this reason, attackers find it optimal to target third-party vendors rather than the parent company, since an intrusion there is less likely to be detected.

Not all cyber supply chain attacks are the same: they depend on the cargo transport mode and the type of cargo, the location of the attack, and the degree of expertise of the criminal organization. Typical supply chain security threats can be classified as (1) economic crime, (2) ideological, political, or ad-hoc crime, and (3) facilitating crime. Malicious hackers carry out a cyber-attack by corrupting the hardware and/or software being sent to the parent company. If the corrupted technology can successfully contact the internal systems of the company, the hackers could gain unrestricted access to information about the operations of the business. Another source of supply chain attacks is failing to consider security risks when developing online services. The most common methods used in supply chain attacks include password sniffing/cracking software (software used to obtain a user’s password in order to gain unauthorized privileges), spoofing attacks (disguising a communication or identity so that it appears to come from a trusted, authorized source), and Denial-of-Service (DoS) attacks (intentionally blocking or degrading a computer’s network). An unauthorized intrusion into the supply chain can have disastrous consequences. For instance, an attacker could cause a blackout of an ordering system, which would completely halt deliveries of the product to the customers waiting for it.

Target’s Data Breach of 2013

In November and December of 2013, malicious hackers successfully executed a cyber-attack against Target, one of the largest companies in the United States. They gained access to the company’s computer network, stole financial and personal information from as many as 110 million of Target’s customers, and moved the information to a server in Eastern Europe. The initial point of this attack came from Target giving network access to a third-party vendor, an HVAC (Heating, Ventilation, and Air Conditioning) company that did not follow the accepted information security practices of the time. Using phishing tactics, the hackers sent an email infected with malware and stole the credentials the vendor used for remote access to Target’s network for electronic billing. These credentials gave the attackers an entry point into Target’s network. This eventually led to malware being installed on point-of-sale terminals (e.g., card readers), which allowed the hackers to collect credit and debit card information in plaintext (unencrypted information that can be easily read) as payments were being processed. Although Target’s FireEye intrusion detection system detected the malware, the company’s security team did not respond to the detection and had not enabled the software to delete the malware. After some time, Target confirmed that there had been an information breach and that the credit and debit accounts of up to 40 million people, and the non-financial information (e.g., names, addresses, emails) of up to 70 million people, had been compromised.

NotPetya: The Disguised Supply Chain Attack

Petya is the name of a ransomware family that circulated in 2016. Victims had their systems infected by a PDF file that presented itself as a job applicant’s resume. The ransomware encrypted the master file table, which serves as a roadmap for the hard drive, making the computer unusable. The victim was asked to make a Bitcoin payment to have the hard drive decrypted. Although NotPetya initially presented itself as run-of-the-mill ransomware, it quickly became clear that its true purpose was not financial gain but destabilization. It aimed to encrypt the computer networks of Ukrainian banks, firms, and government. What makes this a supply chain attack is the initial point of entry: a backdoor planted in an accounting software package called M.E. Doc, which was used by Ukrainian firms for tax reporting. As a result, companies operating in and with Ukraine were infected or affected.

Risks

There are three main types of supply chain risk: supply risks, operational risks, and demand risks. Supply risks are the probability of an event associated with the inbound supply that might cause failures from a supplier or the supply market. The outcome of these failures is the inability of the focal firm to meet customer demand. Many times, contractors supply the components for the companies before final assembly. Therefore, consumers are not able to know how their product’s particular components are built. The untrustworthiness or inappropriate manufacturing standards of the contractor raise concerns about the safety of the supplied component. Operational risks are the possibility that an event will affect a business’s internal ability to produce quality products and services, its speed of production, and its profit margin. These risks are created when there is a breach of access to information control systems, allowing the attacker to cause physical or systemic damage that impairs business operations. Demand risk is described as a failure of the market or brand because of demand disruptions. Examples of demand risk are problems with federal websites on the deadline day to submit personal tax returns or votes, the collapse of ticketing systems for major events such as concerts and sporting events, and the launch of online sales events. Demand risks occur because of a lack of trust across supply chain companies. They are affected by false information relating to company websites, business licenses, trade documents, and product test certificates.

Risk response decides how to treat the risks and who is responsible for each risk, to ensure proper mitigation procedures. Transferring the risk means paying a certain amount to an insurance company in case the company is subject to a supply chain attack. Doing so transfers the responsibility for the risk to the vendor who was infiltrated. Avoiding the risk means implementing security measures, allocating budget, configuring and certifying systems, penetration testing, updates, and backups. Sharing the risk means allocating supply chain resources to another company, thereby segmenting the supply chain to make it harder for hackers to establish a foothold in the company’s network. Reducing the risk means training and educating people in the company, auditing partner third-party vendors, and establishing verified means of communication. Accepting the risk means acknowledging that, despite preventative measures, it is almost certain that there will be a breach in their systems. The cyber supply chain system is therefore to be checked regularly for any form of instability or detected malware.

Preventative Measures

There are a variety of preventative measures that could be taken to combat the possibility of a cyber supply chain attack. Organizations could implement protective security measures such as passwords that must be changed after a certain period, access control, and encryption under a defined security standard. They should raise awareness of security issues and electronic commerce risks among their staff, train their staff to use computer security systems efficiently and effectively, and reduce the risks associated with their systems. Organizations could also focus on reducing the risks associated with their supply chain through technical interventions (improving technical aspects of systems), formal interventions (improving organizational aspects of systems), and informal interventions (improving human aspects of systems).

Companies should consider the security aspects of their cyber supply chain before developing their systems. They should implement additional security countermeasures to allow for full protection of their systems and the information contained within them. Along with this, the company should follow supply chain risk management objectives and a framework covering security, reliability, safety, quality, and trustworthiness. The purpose of security is to maintain an authorized state of an element and prevent violations of that authorized state. In other words, the company is to make sure that its information systems are properly secured to block outside interference. The method of doing so is authorization: controlling access to a component so that only authorized parties can interact with it. Reliability is verifying that a product or service is delivered and can function as intended, whether for the parent company or the consumer. The company must also make sure that said product or service is safe for use. If it is considered ‘not safe’, they should be able to contain it in an isolated environment so that it does not affect any components of the supply chain. The quality objective is that the product is made to its intended specifications, with defects or errors eliminated. Businesses can achieve this through independent validation and verification testing. Trustworthiness is the confidence that the third-party vendor or any partner company is secure in terms of cyber security and can prevent infiltration.

The SCARM Initiative

From the gathered research, we propose the creation of the Supply Chain Audit and Risk Management (SCARM) Initiative. As the name suggests, the purpose of the initiative is to create a company that conducts audits, assesses risk, and implements information systems and strategies to prevent supply chain attacks from occurring. In the first stage of the initiative, an audit of the third-party vendor is conducted by going through the SCARM framework of objectives that the company must fulfill to be regarded as a ‘little-to-no’ risk vendor. The framework is a combination of other frameworks tailored to a supply chain’s components, such as assessing the company’s external and internal security systems by means of social engineering and penetration testing. The list of products shipped and delivered by the vendor would also be tested to see whether the product itself is up to quality, safe to use, and secure enough to make it difficult for intruders to gain access. After that, the way the product is delivered is checked to measure the possible risk of some form of interference affecting the supply chain during the distribution phase.

After the audit of the third-party vendor, the next stage of the initiative is enacted. An assessment of the vendor’s side of the supply chain is created through the framework. It is then sent to the business, together with all the guidelines of the framework, to show what was inspected during the audit. If very little needs to be changed and the vendor is safe, the initiative ends with monitoring over some time to ensure nothing was overlooked. If improvements need to be made, another team from the SCARM initiative is sent out to perform the other half of the initiative.

In this stage of the initiative, the team goes through the framework, describes the changes that need to be made, and creates solutions to the problems. For instance, in the real-life supply chain attacks described earlier, the main cause of both breaches was human error rather than system error. To combat this, the goal is to provide guidelines for the vendor to follow when it comes to human security. To make sure these guidelines are implemented as intended, there would be periodic training workshops and security testing. If issues surface in the security testing, they are recorded and added to the training workshop to reinforce the knowledge. If there are issues with the product or service itself, we take a closer look at the root cause of the problem and implement a system to check whether the problem stems from outside or inside influence. If it is inside, we rework how the product or service is produced to limit the number of imperfections that may cause risk. If it is due to outside influence, it is imperative to isolate all the products or services being produced and examine them to remove any malware that may be affecting them. Along with this, a new (or reworked) detection system is created, implemented, and monitored to detect any malicious code that may have slipped into the software. After doing so, we alert any partner companies in the supply chain to any potential risks to their operations. What sets this initiative apart from other models is that it is not limited to cyberspace but is made up of many different parts, such as engineering when it comes to hardware inspection or the creation of new or improved hardware to be used by the vendor. It also includes entrepreneurial aspects: risk management, the design-thinking process of creating new systems, and the assessment of how risks may affect the costs of a business.

The Effectiveness

Whether the SCARM initiative is truly effective can be judged through feedback on the initiative as well as long-term monitoring of the vendor and the partner companies. If reviews of the initiative come back positive and there are no direct issues after completion, that would be one indication of success. After completing the audit, assessment, and any necessary implementations, we would check on our end how well the company’s security and supply chain systems are doing after some time has passed. If the company and vendor pass the check-up, that would mean the SCARM initiative was a success.

If a supply chain attack resulted in an information breach, that would mean that an objective was either under-inspected or overlooked during the assessment. If the reviews came out poorly and the work done was not up to proper standards, that would mean there are issues within the SCARM initiative itself that need to be reworked. Negative reviews could lead to distrust of the initiative and would result in companies not wanting to go through with the audit because of the access restrictions it involves. For any of these reasons, it would be determined that the initiative itself was ineffective, adding more risk to the system than it reduced.

Regardless of the outcome, the initiative would be continuously changed. The reason is that cyberspace is in constant evolution, and so supply chains will evolve exponentially as time progresses. To keep up, the initiative would need to change so that it is always up to date with current information technologies, ensuring that there are no issues in a cyber supply chain.

The Feasibility

As one may have gathered, the SCARM initiative is not something that can take effect in a day, a week, or even a month. Even before the initiative is implemented, there are many essential requirements that must be met before it can be put into action. As with any business, the first thing needed is funding. One of the many costs to consider is the payment of the people working within the initiative. The company requires people from many different fields, ranging from cyber security specialists, vulnerability testers, entrepreneurs, and engineers to many other positions. These costs would fall under costs of operation, as they are vital to keeping the business going. Other vital costs would be potential legal fees after assessments. If a third-party vendor company were to believe that it received an unfair assessment or that the work done was not worth the cost, it could result in a lengthy legal battle.

The plan to raise money for the initial costs of operation is to receive contracts through the government to create and conduct business. This would cover most of the cost of operation, with the rest being paid for through fundraising and out of pocket. To continue paying the expenses, we would have consultants negotiate contracts with other businesses that need to be audited or would like a partner third-party vendor to go through an audit.

The second thing required to make this initiative feasible is time. Every part of the initiative has time requirements that need to be taken into account. For example, the first part of the initiative is the audit of the third-party vendor, but before it can begin, a lot needs to happen. This includes the signing of papers between each business dealing with the confidentiality of what is being assessed. Another thing that would require a lot of time is the actual checking of the vendor. Depending on the size of the vendor’s operations, it could take quite a long time to completely check everything that needs to be seen.

The other stage of the initiative, dealing with implementation and strategizing, could take even longer than the initial audit itself. For instance, if something was assessed that could be potentially harmful to the cyber supply chain, a run-through of that section would need to be conducted again. To implement a new system, time would need to be taken to understand the current system in place before creating a new one. Another time issue arises if we were to discover malicious code that could impact the partner company and have devastating consequences if left alone. If this were to happen, the vendor would need to temporarily shut down a portion, or possibly all, of its operations to secure the network systems, contain the infected product, and protect other systems from being infected. A total recall of the product and its components would take a massive amount of time and would require the participation of the partner company or companies to which the vendor was distributing the product. Given enough funding as well as enough time, I believe that the SCARM initiative can move from being an innovative project into a reality.

Conclusion

Since supply chains are made up of many different companies with their own business objectives, tasks, and systems, there are many things I have learned during this project that are more important than I had initially thought. I learned that, since many supply chain attacks are aimed at smaller companies in order to gain access to larger ones, my audience should not be large corporations such as Target or Walmart, but the smaller businesses that do not have as many resources as a large corporation would. I had to find a way to scale down the project so that smaller companies would be able to afford the services the innovation model provides, while still maximizing the effort put into implementing a successful solution. The lesson I learned is that, when coming up with an innovative solution during the beginning phases of the design-thinking process, it is very easy to get caught up in how large the project should or should not be. To that end, I now have a better understanding that instead of starting larger than needed, I should start small and gradually grow the project model in direct correlation with the business. Something I would like to have done differently is the process of coming up with the innovative model. Instead of thinking about the solution first, I would have liked to explore more of the problem to see where many of the issues arise, and possibly create a more concise model to solve that specific problem. In the same way that hackers attack a vital point in the supply chain, the innovative model would work in the opposite direction to effectively repair the impaired supply chain. In doing so, it would be the direct antithesis of a cyber-attack on the supply chain.

References

  1. Filho, N. G., Rego, N., & Claro, J. (2021). Supply chain flows and stocks as entry points for cyber-risks. Procedia Computer Science, 181, 261-268.
  2. Crosignani, M., Macchiavelli, M., & Silva, A. F. (2023). Pirates without borders: The propagation of cyberattacks through firms’ supply chains. Journal of Financial Economics, 147(2), 432-448.
  3. Urciuoli, L., Männistö, T., Hintsa, J., & Khan, T. (2013). Supply Chain Cyber Security – Potential Threats. Information & Security: An International Journal, 29(1), 51-68.
  4. Warren, M., & Hutchinson, W. (2000). Cyber attacks against supply chain management systems: a short note. International Journal of Physical Distribution & Logistics Management, 30(7/8), 710-716.
  5. Windelberg, M. (2016). Objectives for managing cyber supply chain risk. International Journal of Critical Infrastructure Protection, 12, 4-11.
  6. Yeboah-Ofori, & Opoku-Akyea, D. (2019). Mitigating Cyber Supply Chain Risks in Cyber Physical Systems Organizational Landscape. 2019 International Conference on Cyber Security and Internet of Things (ICSIoT), Accra, Ghana, 74-81.
  7. Enache, G. (2022). Formulas for counteracting cyber threats in regards to computer products supply chains. Proceedings of the International Conference on Business Excellence, 16(1), 1420-1428.
  8. NIST (n.d.). Cyber Attack. NIST Computer Security Resource Center. https://csrc.nist.gov/glossary/term/cyber_attack
  9. Baker, K. (2023, November 9). What is a Cyber Attack. CrowdStrike. https://www.crowdstrike.com/cybersecurity-101/cyberattacks/most-common-types-of-cyberattacks/
  10. FTI Consulting (n.d.). Supply Chain Disruption – the Risk to Global Economic Recovery. https://www.fticonsulting.com/en/insights/articles/supply-chain-disruption-risk-global-economic-recovery#:~:text=Supply%20chain%20disruptions%20lead%20to,on%20a%20nation’s%20economic%20wellbeing
  11. ECB Economic Bulletin (2021, August). Supply chain disruptions and the effects on the global economy. European Central Bank. https://www.ecb.europa.eu/pub/economic-bulletin/focus/2022/html/ecb.ebbox202108_01~e8ceebe51f.en.html#:~:text=Supply%20chain%20disruptions%20have%20a,creates%20for%20the%20economic%20recovery
  12. Pandey, S., Singh, R. K., Gunasekaran, A., & Kaushik, A. (2020). Cyber security risks in globalized supply chains: conceptual framework. Journal of Global Operations and Strategic Sourcing, 13(1), 103-128.
  13. Lutkevich, B. (n.d.). Supply Chain. TechTarget. https://www.techtarget.com/whatis/definition/supply-chain
  14. United States Senate (n.d.). A “Kill Chain” Analysis of the 2013 Target Data Breach. Committee on Commerce, Science, and Transportation. https://www.commerce.senate.gov/services/files/24d3c229-4f2f-405d-b8db-a3a67f183883