13 March 2020

THE CONTINUOUS ATTACKS ON THE SUPPLY CHAIN SHOW THE NEED TO DEVELOP RELATIONSHIPS WITH LAW ENFORCEMENT AGENCIES & TO SHARE INFORMATION

Last year, Cybersecurity Ventures predicted that cybercrime would cost the world $6 trillion annually by 2021, up from $3 trillion in 2015. Cybercriminals continue to target global corporations at the heart of their operations, particularly their supply chains.

In the latest Allianz Risk Barometer 2020, cyber incidents rank as the top business risk for companies globally, and regionally in Asia Pacific, for the first time ever, after receiving 35% of responses from more than 2,700 risk management experts in over 100 countries and territories – the largest number of respondents ever.

With the increase in attacks, resilience has become a key driver for any organization that manages a complex global supply chain. The World Economic Forum reported that in 2018, information loss and business disruption combined accounted for over 75% of total business losses from cybercrime.

TAPA’s Worldwide Council, a global forum of experts from the Americas, Asia Pacific and Europe, Middle East & Africa, agreed to develop a Supply Chain Cyber Security Standard to address the issues arising, particularly for companies embarking on their digitalization transformation journeys.

Recently, the managing director of logistics giant Toll Group warned other CEOs that they must expect to suffer the horror of a major cyber-attack, and called for greater collaboration between business, government and regulators to tackle the growing global threat. In his first interview since his company was hit by a major ransomware attack known as Mailto on January 31, Toll’s boss, Thomas Knudsen, told The Australian Financial Review that it had not yet found out where in the world the hackers had come from, but was almost through the final stages of bringing its more complex customer systems back online after five and a half weeks.


A Call for Greater Collaboration Amongst the Industry

Tony Lugg, Chairman of TAPA APAC, said, “Mr. Knudsen is right to call for greater collaboration amongst the industry and I applaud him for doing so. Cyber-attacks of this nature are becoming all too common and are impacting manufacturing plans, Tier One suppliers and logistics providers.” Lugg went on to say, “TAPA would be working with more Law Enforcement Agencies across the region and had appointed Steve Mullins as TAPA Board Steering Committee Lead for Regional Law Enforcement Liaison and Trade Compliance to build more collaboration within and across the Americas and EMEA regions.”

In 2017 and 2018, according to Symantec, supply chain attacks rose 78 percent. “Cyber criminals have realised that the supply chain has many weaknesses, and with the increase of digitalization and IoT, it is time for CEOs to make cyber security at least a quarterly board room agenda item,” Lugg said.

“The responsibility cannot be solely placed on the Chief Information Officer; those leaders in the supply chain need to ensure that their suppliers are also addressing cyber-attacks and ensure it is documented in back-to-back contractual agreements,” Lugg said. In 2019, Airbus responded after a number of its suppliers were attacked. Bloomberg reported that Airbus SE said it had taken steps to shield itself from cyber-attacks targeting the European aerospace and defense company through subcontractors’ computer systems.


Working closely with Law Enforcement Agencies

“With increasing reliance on data, IT systems and digitalisation, companies face a growing number of cyber challenges, including larger and more expensive data breaches, and increases in espionage, hacker attacks, ransomware and spoofing incidents. Companies need to stay one step ahead of cybercriminals by anticipating possible technology loopholes and challenges,” Mr. Steve Mullins said.

Cyber security has gained more and more visibility throughout the industry, including among government organizations like the Customs Trade Partnership Against Terrorism (CTPAT), as reflected in the changes to its Minimum Security Criteria. “TAPA will be working closely with Law Enforcement Agencies such as Interpol to share corporate cyber incident data reported by our members and to keep our members well-informed on the latest cyber threats,” Mullins went on to say.

A report by INTERPOL on cybercrime in Southeast Asia has highlighted the key emerging cybercrime trends and threats which continue to be faced by the region today. In the fight against transnational cybersecurity breaches, TAPA’s focus would be to establish lines of communication with the Interpol Cybercrime Response Team to share real-time supply chain cybercrime incident data and identify emerging cyber threats, in a similar fashion to how TAPA shares cargo crime data from its IIS (Incident Information Service) global database with Law Enforcement Agencies for the purposes of the prevention and detection of crime. Mullins said, “TAPA APAC’s intention is to set up a single point of contact with these agencies to improve the exchange of crime data to help TAPA members.”

INTERPOL’s ‘ASEAN Cyberthreat Assessment 2020’ provides an in-depth analysis of the cybercrime trends and threats confronting the Association of Southeast Asian Nations (ASEAN) countries, and provides strategies for tackling them.


Evolving Cyber Threats with Digitalisation

With increasing reliance on data, IT systems and digitalisation, companies face a growing number of cyber challenges, including larger and more expensive data breaches, increases in espionage, hacker attacks, ransomware and spoofing incidents, and a higher probability of errors or mistakes by employees.

TAPA members should take additional preventive measures to tighten supply chain security against cyber threats, including:

  • Conduct supply chain risk assessments to identify new and emerging cyber threats
  • Upgrade security monitoring and measurement systems to higher standards
  • Maintain secure back-ups of digital assets
  • Share cyber threat intelligence among industry partners and report incidents in IIS
  • Leverage TAPA training to provide regular staff training on security and anti-phishing awareness
  • Purchase insurance that factors in cyber risks affecting the supply chain


Larger Business Interruptions from New Causes

Despite dropping to second position, business interruption remains one of the most significant risks, with a trend toward larger and more complex direct and indirect losses from traditional causes, such as natural catastrophes, and new causes, such as digital supply chains or civil unrest. The civil unrest in Hong Kong affected the region indirectly, with multinational companies staying away and local employees unable to access their workplaces due to safety concerns.

This reflects the need for TAPA members to:

  • Maintain logistical and digital assets to prevent unexpected downtime
  • Enhance asset security by attaining higher TAPA standards
  • Build up a redundant supplier base to reduce supplier risk, and monitor supplier credit scores
  • Review the Business Continuity Plan (BCP) regularly for risks arising from new causes
  • Create a disaster recovery plan that goes beyond the BCP
  • Practise and activate the BCP so that staff know how to act in case of contingencies

These top perils – cyber threats, business interruptions and climate change – have a critical impact on operational performance, financial results and reputation with key stakeholders. Planning for and managing these risks in your supply chain structure is the key to business resilience in this age of digitalization. Members may also take one step further and watch for emerging new technologies, such as artificial intelligence, smart objects and virtual reality, that may rapidly transform the supply chain industry and render existing processes obsolete.

The UK’s independent authority on cyber security, the National Cyber Security Centre, provides supply chain security guidance that proposes a series of 12 principles designed to help you establish effective control and oversight of your supply chain. The table shown below, referenced from their website, gives you a series of scenarios against which to measure the security of your supply chain. “The idea is to give you some concrete examples of good and bad supply chain security, to help TAPA members and other organizations begin the process of understanding their own situation,” Mullins said.

Scenario 1
Good: You understand the risks suppliers may pose to you, your wider supply chain and the products and services you offer. You know the sensitivity of the information your suppliers hold and the value of the projects they are supporting.
Bad: You have a poor understanding of the risks that suppliers may pose to you, your wider supply chain and the products and services it offers. You do not know what data they hold, nor the value of the projects they are supporting.

Scenario 2
Good: Know the full extent of your supply chain, including sub-contractors.
Bad: Only know your immediate suppliers, but have limited or no knowledge of any sub-contractors.

Scenario 3
Good: Know the security arrangements of your suppliers and routinely engage with them to confirm they are continuing to manage risks to your contract effectively.
Bad: Have no real idea about the security status of your supply chain, but think they might be okay. Fail to review this status.

Scenario 4
Good: Exercise control over your supply chain; exercise your right to audit and/or require upward reporting by your suppliers to provide security assurance that all is working well. An audit request would not be your first interaction with the supplier.
Bad: Exercise weak control over your supply chain, lose sight of sub-contracting, fail to exercise audit rights, and do not seek upward reporting. Often, the first engagement of your security team with the supplier will be for an audit following an incident.

Scenario 5
Good: Based on your assessment of risks and the protections you deem necessary, set minimum security requirements for suppliers, telling them what is expected in contracts.
Bad: Fail to set minimum security requirements, leaving it up to suppliers to do their own thing, even though they might not have the security awareness to understand what is needed, or know how to do this effectively. Or set minimum security requirements, but fail to match these to your assessment of the risk – potentially making security unachievable for many of your suppliers.

Scenario 6
Good: Differentiate the levels of protection required to match the assessed risks to the specific contract, ensuring these protections are justified, proportionate and achievable.
Bad: Set a disproportionate ‘one size fits all’ approach for all suppliers, regardless of the contract and assessed risks. Fail to ensure these controls are justified and achievable – potentially causing suppliers not to compete for contracts with you.

Scenario 7
Good: Require that the protections you have deemed necessary in each case are passed down throughout your supply chain. Check to ensure it is happening.
Bad: Leave security to immediate suppliers to manage, but fail to mandate and/or check that it is happening.

Scenario 8
Good: Meet your own responsibilities as a supplier (and challenge your customers for guidance where it is lacking). Pass your customer’s requirements down and provide upward reporting.
Bad: Neglect your responsibilities as a supplier, or ignore any absence of customer guidance. Fail to pass requirements down, and/or fail to provide upward reporting.

Scenario 9
Good: Provide some guidance and support to suppliers responding to incidents. Communicate lessons learned so others in your supply chain avoid ‘known problems’.
Bad: Offer no incident support to your suppliers. Fail to act on or spot where ‘known issues’ might impact others in your supply chain, and fail to warn others about these issues – potentially leading to greater disruption, with known issues hitting many suppliers.

Scenario 10
Good: Promote improvements to the cyber awareness of your suppliers. Actively share best practice to raise standards. Encourage suppliers to subscribe to the free CISP threat intelligence service so they can better understand potential threats.
Bad: Expect suppliers to anticipate developing cyber attacks while offering little or no support or advice, regardless of their security awareness and capabilities.

Scenario 11
Good: Build assurance measures into your minimum security requirements (such as Cyber Essentials Plus, audits and penetration tests). These provide an independent view of the effectiveness of your suppliers’ security.
Bad: Fail to include assurance measures in your security requirements, trusting that your suppliers will do the right thing – regardless of whether they have enough knowledge or experience to know what is expected of them.

Scenario 12
Good: Monitor the effectiveness of the security measures that are in place. Based on lessons learned from incidents, feedback from assurance activities, or feedback from suppliers about issues, be prepared to revise or remove controls that are proving ineffective.
Bad: Fail to monitor the effectiveness of security measures. Fail to listen to feedback. Be unwilling to make changes, even when the evidence in favour of doing so is overwhelming.

For more information on cyber security, please contact TAPA Member Services at secretariat@tapa-apac.org