Record Cybersecurity Investments: Innovation? Or Overdue Necessity?

The digitization of global supply chains means that the steady flow of goods and services is increasingly reliant on an equally smooth transfer of data and information across the web. A record $7.8 billion was invested in cybersecurity globally last year, and we are already on course to match that figure by the early second half of 2021. Q1 of the current year alone saw $3.7 billion invested in cybersecurity.

Still, experts warn of the logistics industry’s slow cybersecurity uptake. The logistics sector, with its global, fragmented supply chains, is particularly vulnerable to cyber attacks, leading to calls for providers to modernize and bolster their cybersecurity alongside efforts to automate the supply chain.

Research and under-development

As far as supply chains go, there can be no automation without integration. This, however, leads to increased exposure and vulnerability. Perhaps it comes as little surprise, then, that up to 80% of cyber-attacks begin in the supply chain. Last year’s SolarWinds data breach is among the latest major examples highlighting why large sums of investment are needed in logistics cybersecurity.

Indicative of the discrepancy between building and securing supply chains, researchers have pointed to a “scarcity of cybersecurity studies in logistics” and noted that “security in Information and Communication Technology (ICT) supply chains is still in its infancy”, highlighting a lack of quantitative research and investment into cybersecurity in the logistics space. An earlier Infosys report corroborates the researchers’ findings by saying that “the state of awareness in organizations with regard to cybersecurity in the logistics industry is very low.” This is also backed by a 2019 report revealing that only 30% of logistics providers actually had a chief information security officer (CISO), a strong indicator of a lack of sophisticated cybersecurity solutions. Worse still, only 2 in 10 organizations believed they needed one.

The need for safeguarding the Industry 4.0 revolution

As indicated, every point of connection in the supply chain is a potential point of breach. New Industry 4.0 technologies from sensors and IoT platforms to machine-to-machine communication are improving the efficiency of logistics processes while simultaneously creating a slew of potential vulnerabilities. Indeed, the rapid pace of innovation in logistics has put a vast number of systems online without the advantage of building a security framework from the ground up first. 

Two recent attacks targeting supply chains highlight the existing vulnerabilities on top of which these vast numbers of new systems are being built: the 2020 SolarWinds supply chain attack and 2017’s NotPetya ransomware attack, which cost shipping giant Maersk over $200 million. Indeed, ransomware attacks on shipping and logistics firms tripled between 2019 and 2020.

Supply chain attacks, also sometimes referred to as third-party attacks, are particularly threatening to the logistics industry as it relies on an intricate network of third-party collaboration — a point that was driven home by IBM’s 2020 Cost of a Data Breach report stating that 16% of all breaches are caused by vulnerabilities in third-party software. A flood of third-party IoT sensors and devices could open a new gateway for attackers if logistics businesses don’t make state-of-the-art security protocols and continuous due diligence a part of their future operating model.

As strong as your weakest link

One problem in securing fragmented supply chains is that it can be unclear where exactly the responsibility lies in a complex network of critical partners. That’s why Levi Strauss CISO Steve Zalewski calls for “a legal, regulatory, collective defense,” akin to a “global Public Key Infrastructure (PKI) system” for securing data across the board. Right now, among the quickest methods logistics firms can use to bolster their security is to use network segmentation to isolate IoT devices. Carefully selecting vendors and enforcing periodic risk assessments via service level agreements can also go a long way to shoring up any cracks in the armor. 

New technological advances will, of course, play a large role in securing supply chains in the coming years — IBM and Maersk’s blockchain auditing system TradeLens is a prime example of this. In a further example of the pressing need for IoT security solutions, Microsoft recently acquired startup CyberX, which has specific defense solutions for logistics, in a $180 million deal. With researchers warning of the oncoming threat of quantum computing, securing the logistics cyberspace will be a constant struggle as the pace demanded by the promised efficiencies of ongoing automation keeps charging ahead.