Managing supplier cyber risk

As the Internet of Things expands, managing the risk of digital attacks will become critical.

As technology life cycles shrink, advances accelerate exponentially. Technology delivers speedier communications, improved information sharing, streamlined operations, and enhanced global collaboration. For aerospace manufacturers, new technologies enable process improvement and productivity gains, allowing manufacturers and suppliers to conduct business more efficiently.

Unfortunately, technology has a dark side. Sophisticated hardware and software components live everywhere: on the shop floor and in finished products, in the back office and the C-suite. These systems and devices boast increasingly sophisticated features and capabilities but frequently lack one critical attribute – security. This is especially true of process control devices, industrial robots, and other network-connected devices, typically referred to as the Internet of Things (IoT).

As a result, we live in an increasingly vulnerable world. The attack surface – or different points where an unauthorized user can try to enter data, extract data, sabotage infrastructure, or disrupt operations – keeps expanding and is subject to sophisticated threats initiated by bad actors and nation states. Impacts of compromise vary, from holding critical data hostage via ransomware, to stealing or altering sensitive data and intellectual property (IP) using stolen credentials, to causing physical damage by issuing malicious commands to process controllers.

The impact of a cyber incident goes beyond the aerospace manufacturer, potentially disrupting customers’ ability to access data, place orders, or receive parts and products. Sometimes, a breach of a manufacturer’s system allows an intruder to access customers’ systems and those of other organizations within the value chain.

When that customer is a government agency, the stakes get even higher. In its recently-published report, “Deliver Uncompromised,” the Mitre Corp. posits that technology drives changes even to the character of war. Adversaries need not engage in traditional, kinetic warfare. Instead, they may opt for asymmetric, blended operations that leverage the cyber domain to attack the supply chain. Adversaries unable to challenge the U.S. in a kinetic battle may be far more capable when waging war from cyberspace.

These cyber threats cause supply chain interruptions that introduce financial and legal implications, degrade the quality and timeliness of parts produced, and affect our country’s ability to project force. A supply chain is only as strong as its weakest link, so buy-side organizations incur risk from any supplier. And all suppliers contribute to risk factors throughout the supply chain – up to and including the end user.

Because threats continue to become more frequent and sophisticated, organizations, especially those in manufacturing, can no longer close their eyes and pretend the problem doesn’t exist. The extent to which the industry establishes and enforces its own security standards will ultimately affect how aggressively government steps in with its own mandates and regulations.

Government directives pertaining to supply chain cybersecurity already exist. For example, the Department of Defense (DOD) has issued Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, requiring all contractors and subcontractors to implement adequate security measures to protect controlled unclassified information. These measures must address the 110 security controls defined by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. Similarly, the Aerospace Industries Association (AIA) released National Aerospace Standard (NAS) 9933, which defines critical security controls to better address cyber threats and promote resilience throughout the industry.

Expect government to up the ante going forward. Today, self-attestation and trust form the basis for organizations to demonstrate security maturity and compliance. Independent validation and verification likely represent next steps, along with assignment of a score or level that serves as a qualification prerequisite to bid or participate on government programs. The Mitre report suggests the government revise DOD Instruction 5000.02 to make security a 4th pillar of acquisition planning – equal to cost, schedule, and performance.

Organizations face significant challenges along several vectors. Bringing the necessary people, processes, and systems together to achieve the requisite security improvements perhaps seems most obvious, especially for smaller businesses with limited budgets and information technology (IT) teams. But gathering the information to reflect security status becomes cumbersome because it:

  • Takes time, is labor-intensive, and may not be a priority when compared to operational deadlines
  • Involves the organization’s personnel, leading to potential inconsistencies in interpretation, content, and format
  • Becomes never-ending, as organizations receive repeated requests for information from multiple customers
  • Morphs into a moving target: technologies, threats, and standards evolve, and the information to be protected and collected changes accordingly

The height of the hurdle rises exponentially. It’s not just about the security posture of the prime contractor for a government contract. Rather, it’s the security posture of the entire supply chain: the prime contractor, its immediate suppliers, its suppliers’ suppliers, and so forth. Understanding and subsequently mitigating supplier risk translates to a multi-tier or N-tier problem. Trying to solve it through manually-intensive methods quickly becomes untenable. Fortunately, software solutions can handle complex supplier-buyer relationships across the entire supply chain, addressing scale and assuring data security, timeliness, and consistency.

Two types of software applications provide the foundational supplier risk management functionality. Vendor qualification solutions begin with the potential engagement with a supplier. The solutions enable buy-side organizations to define the minimum criteria suppliers must meet to be considered, and to evaluate if suppliers surpass that threshold. Vendor risk management solutions sustain an ongoing presence throughout the buyer/supplier relationship. These solutions offer more performance-focused insight, such as a supplier’s cybersecurity maturity level; compliance with standards and regulations such as conflict minerals, sustainability, or NIST SP 800-171 and NAS 9933 for cybersecurity; and financial viability.

Strong vendor qualification solutions include the following characteristics:

  • Speed – Gathering and evaluating input from potential partners places a burden on buyers and suppliers. Solutions that streamline the data gathering and entry process for suppliers, recall prior supplier responses, and protect shared information save suppliers time, promote data consistency, and empower buyers to conduct more thorough, accurate reviews.
  • Adaptability – Different buy-side organizations execute different approval processes. Solutions must embody the flexibility necessary to account for unique review and approval workflows that involve all the organization’s stakeholders.
  • Open architecture – Once suppliers pass the qualification test, onboarding comes next. Solutions should easily integrate to other applications such as enterprise resource planning (ERP), customer relationship management (CRM), and supply chain management systems through application programming interfaces. This architecture leverages qualification data to accelerate onboarding with single-source-of-truth information so buyers and suppliers can rapidly begin collaborating.

Look for the following capabilities in vendor risk management solutions:

  • Identity and access management – Much of the information buyers and suppliers exchange through the vendor risk management solution is sensitive and/or proprietary. Verifying user identities with strong authentication prior to permitting entry to the solution best protects that information.
  • Community model – Most solutions are limited to a single buy-side organization and its supply chain. However, suppliers typically engage with multiple buyers across multiple enterprises. The community model reduces form fatigue and encourages quicker, more accurate supplier responses by enabling information reuse through common scoring and compliance frameworks. Additionally, a community model lets buy-side organizations quickly identify qualified suppliers who have already completed the requisite proofing, compliance, and certification processes.
  • Supplier-side access control – Suppliers often hesitate to share sensitive information for fear it ends up in the wrong hands. Solutions that empower suppliers to choose which buyers receive the information (as opposed to an all-or-nothing option) address these concerns. Solutions must also prevent other suppliers from accessing a supplier’s specific data, while providing aggregated data across the supplier base for deeper supplier insight.
  • Security compliance and scoring – Given the growing prominence of cybersecurity in the supplier risk equation, the most valuable solutions incorporate preconfigured compliance forms (such as for NIST SP 800-171) and algorithms for computing a security integrity score or assigning the supplier to a well-defined and accepted security maturity level. These capabilities raise confidence in supplier responses and best demonstrate qualification and compliance.
  • Multi-tier (N-tier) support – Most solutions focus only on a buy-side organization and its first tier of suppliers. DOD DFARS 252.204-7012 and similar government clauses on the horizon extend the risk purview across all supply chain levels. Vendor risk management solutions must follow suit.
  • Customer experience – Buyers and suppliers deal with vast and varied information that can be difficult to correlate and analyze. Solutions must minimize complexity through intuitive user interfaces and navigation, as well as standard and customizable display options such as dashboards, scorecards, and reports.

Technological advances make collaboration across the global, multi-tiered supply chain easy. The same advances also bring a level of exposure to the supply chain and the information that flows through it. Bad actors know it and pursue it by raining persistent, sophisticated cyber-based attacks that seek, find, and exploit the weakest link. The DOD, other branches of government, and the aerospace industry are implementing and requiring compliance with strict cybersecurity standards.

New rules for cybersecurity will affect every manufacturing organization as a buyer, a supplier, or both. Software solutions offer N-tier visibility for vendor qualification and vendor risk management and give forward-thinking organizations the means to reduce their vulnerability and improve their cybersecurity maturity and compliance.

Ultimately, it’s not about compliance – it’s about security. Understand the controls in the AIA NAS 9933 and NIST SP 800-171 standards, but implement the necessary policy and security tools to be secure, not merely compliant. Make sure that those who supply to you and those who supply to them are not threats to your own security or to those you serve. Don’t become a victim, and don’t wait for a mandate. Act to ensure your security by understanding and managing supplier risk before it’s too late.

Exostar
https://www.exostar.com

About the author: Stuart Itkin is vice president, Product Management, at Exostar. He can be reached at stuart.itkin@exostar.com.
 
June 2019