Before the 2020s, logistics and supply chains weren’t a top concern for the C-suite of an organization. Of course, that was before a major pandemic changed the face of the world and led to widespread shortages & delays that affected many businesses. Incidents like grounded container ships blocking the Suez Canal and winter storm-induced standstills in Texas became the norm.

That’s when the push came to integrate supply chains with new technologies that provide up-to-date reliable information. With them, an organization can successfully create a real-time picture of its end-to-end operations. But here’s the catch: while technologies like automation and IoT can play a major role in optimizing supply chain operations, they can also leave a business exposed to a multitude of cyber threats like malware, ransomware and phishing. And these incidents can have absolutely catastrophic effects when it happens to critical infrastructure, considered to be the backbone of any nation’s economy.

Time now for a cautionary tale about Colonial Pipeline, one of the largest, most crucial oil pipelines in the US, covering 5,500 miles from Texas all the way to New Jersey. It delivers refined oil for gasoline, jet fuel and home heating oil, essentially supplying nearly half of the East Coast’s fuel requirements. On May 6, 2021, the hacker group DarkSide accessed the Colonial Pipeline network, stole 100GB of data and infected the IT systems with ransomware.

How did they do it?

Simply through an exposed password for a VPN account, which happened to be the same password the user had for other accounts that got targeted first. This gave way to a whole host of ramifications. Colonial Pipeline had to pay 75 bitcoins ($4.4 million) to DarkSide for a decryption key. There were jet fuel shortages for many carriers like American Airlines, and subsequent disruptions in airports like Atlanta and Nashville. Shortage fears prompted panic buying and long lines in gas stations across several states. Some even resorted to filling plastic bags with gasoline. Eventually, Colonial Pipeline did get access to their data on May 12, 2021, but by then, the fallout was massive enough for the breach to be deemed ‘the most disruptive cyberattack on record’.

The Colonial Pipeline breach has now become the poster child of critical infrastructure attacks resulting from supply chain fallouts. The situation is heightened because a disruption to critical infrastructure poses a threat to national security and ultimately renders a nation vulnerable to a wide array of digital & physical hostilities. In those scenarios, a nation’s citizens may be unable to work, attend school, or even obtain resources essential to survival.

This blog is concerned with securing critical infrastructure supply chains through a two-pronged approach – the first dealing with general risks associated with supply chains, followed by risks associated specifically with their digital data. It’s important to segregate them because of their distinct functions. The former is for creating agile supply chains that are key enablers of commerce and essential for organizations that want to leapfrog their competition. Technology will be the driver of this, and this brings us to the latter, which ensures that the vast data derived from these technologies doesn’t end up in the wrong hands.

Prong A: General Supply Chain Risks

A recent Gartner survey revealed that only 21% of supply chain organizations believe they have a highly resilient network. To improve this situation, it is important to demarcate the types of supply chain risks organizations face:

As we mentioned, some things are out of your control. For the rest, a good place to start would be the PPRR risk management model:

• Prevention: Precautionary measures for supply chain risk mitigation
• Preparedness: Developing & implementing a contingency plan in case of an emergency
• Response: Executing on contingency plan to reduce the event’s impact
• Recovery: Resuming operations and getting things running at normal capacity

Such a framework serves as the ideal building blocks for building a supply chain risk management strategy to identify, assess and mitigate risks within an end-to-end supply chain. It is essential to invest in a comprehensive retail solution that keeps data within a single, centralized, well-organized repository that ideally contains the following elements:

Supply Chain Risk Assessment Software

This identifies weak points in your supply chain and gives data-driven insights on how you can improve them. Some solid strategies derived from this critical infrastructure supply chain risk management software include:

• Having multiple options, like additional suppliers or suppliers that produce out of multiple locations should your primary supplier face an unforeseen event
• Finding nearshore suppliers closer to your operations to reduce cycle times
• Undertaking recurring stress tests that simulate real world events and check for vulnerabilities
• Building buffers by stockpiling products during known periods of risk
• Using centralized technology throughout the network to reduce inefficiency of siloed data

Real-time Freight Metrics

This uses technology like service portals, IoT sensors on containers and automated reports of inventory levels to derive important decision-making metrics like Transit Time, Average Stop Time, Average Loading Time, Route Optimization, Maintenance Schedules and more. The process is essential because even a single late delivery can disrupt the entire supply chain.

Logistics Contingency Plan

This ensures business continuity in the event of a supply chain disruption. Here are some tips to create an effective contingency plan:

• Mapping out the entire chain to get a clear understanding of which entities are at risk
• Assessing suppliers based on political, geographical and economic risks
• Diversifying supplier network to avoid overreliance
• Auditing logistics providers on their disaster plans
• Documenting all processes so employees know how to act
• Having a crisis response team to make critical decisions in an emergency

Prong B: Digital Data-Driven Supply Chain Risks

As recently as 2017, a typical supply chain used 50 times more data than it did 5 years ago. That has led to the gravitation of cyber attackers onto this infrastructure and the inevitably adverse effects that follow. In 2023, the average number of supply chain breaches increased by 26%, and by 2025, 45% of global organizations will have experienced attacks on their software supply chains. In the same year, the global annual cost of software supply chain attacks to businesses will hit $60 billion.

Supply chain attacks target suppliers & vendors of the critical infrastructure ecosystem. They usually start by compromising the system and gaining access to sensitive information controlled by the supplier. Once they’re in, they can hop further down the supply chain to gain access to way more data.

Here are the processes you can incorporate for mitigating supply chain threats:

• Leverage vendor cyber risk assessments prior to signing contracts.
• Establish uniform compliance standards for all your third-party supply chain vendors. Adopting robust threat intelligence systems that gather multi-source data and provide real-time updates into threat actor activities is a must.
• Define proper user roles. Implement the principle of least privilege that assigns permissions only required to perform task functions to every member of your supply chain ecosystem.
• Effective network segmentation also goes hand in hand with the point, because even the most trusted third parties & partners don’t need access to every element of your network.
• Automate certain real-time processes like threat prevention & threat hunting to quickly identify unusual activity.
• Establish backup controls to safeguard your data backups.
• Regularly update your antivirus, antispyware, and firewall.
• Look into technologies like DNS filtering and network access control.

Finally, both prongs are most effective when there is constant monitoring and perpetual risk awareness training for both your employees and third parties. That helps create a holistic solution for supply chain risk mitigation.

So, if you’re a company involved in critical infrastructure or any organization that has to deal with multiple moving parts in their supply chain, partnering with us could be ideal for fortifying your entire ecosystem. Contact us today to get started!