
Supply Chain Management Demands More Attention to Cyber Risk

By Bill Camarda

Supply chain management experts are warning of growing cybersecurity risks, especially in today's extended, digitized supply chains. The same interconnections and technologies that promote greater agility, innovation, and cost reduction in modern global supply chains can also increase cyber risks that lead to counterfeiting, tampering, theft, and the spread of malware.1 Since virtually every company possesses a supply chain and participates in many others, experts say it's critical to assess and prepare for these risks.

Booz Allen Hamilton consultants warn supply chain managers that 2018 will see an increase in indirect attacks against small software providers who serve much larger enterprises. Such attacks can serve as the entry point to compromising large firms' global supply chains.2 They are representative of an even broader trend: determined aggressors identifying the companies within large supply chains that have the weakest cybersecurity, and then attacking enterprises through those weak links. Often, according to InfoSec Institute, the weak links are smaller companies with limited cyber defense resources.3


Supply Chain Management Faces a More Dangerous Future


Several 2017 events may presage major future attacks, says Booz Allen Hamilton. In one widely publicized case, "attackers compromised the update server for a popular Ukrainian tax software called M.E.Doc, sending out poisoned updates that infected endpoints with a wormable destructive malware that then spread itself around compromised networks."4 Ransomware distributed through this "NotPetya" outbreak encrypted company files, enabling cyber criminals to demand payment in exchange for restoring access to data.5


While relatively few companies outside the Ukraine region were familiar with M.E.Doc, the attack had global impact. One leading shipper faced attacks throughout its terminals in several countries, experiencing weeks of delays and disruption.6 The firm found it difficult to take orders, or to instruct its longshoremen on loading outbound shipments.7 Even though the outbreak's source was quickly found and remediated, the shipper reported losses of between $200 million and $300 million in just weeks.8


The Information Security Forum (ISF) notes that 2017 also saw large manufacturers losing capacity due to similar, less publicized attacks, which compromised their ability to serve customers' supply chains.9


Booz Allen Hamilton noted three other significant "indirect attacks" in 2017, each evidently launched from Asia. One of these compromised the popular system administration and help desk tool CCleaner, likely with the goal of performing cyber espionage against leading technology and telecom firms.10


Pay More Attention to Partners' Cybersecurity


Industry associations and government authorities have increasingly recognized that supply chain management needs to pay much closer attention to partners' cybersecurity. As American Shipper notes, the NotPetya attack placed linked partners at risk "from the factory to the trucking company at origin, port authorities, terminal operators, shipping lines, drayage at destination, intermodal providers, long-haul trucking companies, consolidation facilities, and distribution centers." Those partners could have been victimized through direct data feeds, by sharing an online portal, or via infected email attachments.11


Today, the PCI DSS 3.x standard requires credit card providers to assess risks associated with merchants, distributors, credit card manufacturers, banks, and service providers across their entire supply chains.12 So, too, the Federal Energy Regulatory Commission (FERC) recently proposed requiring electric utilities to follow tougher rules in considering cybersecurity when purchasing products and services for critical power generation and transmission systems. Even though suppliers won't be directly subject to FERC's rules, it's likely that utilities' supply chain management teams will be asking their suppliers tougher questions about cybersecurity.13


Respond More Systematically and Holistically


In 2017, the National Institute for Science and Technology (NIST) expanded its widely used Cybersecurity Framework (CSF) to specifically address supply chain management risks.14 NIST stresses the need for a holistic approach that encompasses the entire system lifecycle: "design, development, distribution, deployment, acquisition, maintenance, and destruction."15


NIST recommends that, wherever possible, organizations build on their existing cybersecurity, supply chain management, and risk management practices. NIST's approach encompasses the entire organization, from engineers to lawyers. Finally, to be cost-effective, NIST recommends identifying "systems/components that are most vulnerable and will cause the greatest organizational impact if compromised."16


Such systems and components also often involve partners. Supply chain security consultant Steve Earley recently outlined six best practices for reducing third-party cybersecurity risk, starting with prioritization: identifying vendors who – if compromised – would create the greatest risk, based on the data or transactions they handle. He also recommends identifying which assets are exposed to vendors and their data storage systems; developing threat scenarios that visualize what would happen if suppliers were compromised; and, if possible, formalizing data security expectations contractually.17


Of course, many companies can't enforce security requirements on their customers, or even their suppliers. In these cases, says supply chain risk management consultant Andy Geyer, a company can at least ask them to outline their security procedures, protocols, and standards. By doing so, a company can identify gaps, and sometimes take its own countermeasures.18



As supply chain cyberattacks become increasingly common and more dangerous, supply chain management is recognizing the need to systematically assess and mitigate cybersecurity risks involving vendors, customers, and other partners.

The Author

Bill Camarda

Bill Camarda is a professional writer with more than 30 years' experience focusing on business and technology.


1. “Cyber Supply Chain Risk Management,” National Institute for Science and Technology Information Technology Laboratory Computer Security Resource Center;
2. “Foresights 2018,” Booz Allen Hamilton;
3. “Cyber Security Risk in Supply Chain Management: Part 1,” InfoSec Institute;
4. Ibid.
5. “The MeDoc Connection,” Talos;
6. “NotPetya Ransomware Attack Cost Shipping Giant Maersk Over $200 Million,” Forbes;
7. “Cyberattack blocks Maersk terminals, new orders”;
8. “World's biggest shipper: cyberattack cost up to $300 million”;
9. “5 information security threats that will dominate 2018,” CIO Magazine;
10. “Foresights 2018,” Booz Allen Hamilton;
11. “Cyberattack on Maersk brings data security to forefront,” American Shipper;
12. “Cyber Security Risk in Supply Chain Management: Part 1,” InfoSec Institute;
13. “FERC Proposes to Adopt Electric Supply Chain Cybersecurity Standards,” Morgan Lewis;
14. “NIST 1.1 tackles cybersecurity metrics, supply chain,” SC Network Security;
15. “Cyber Supply Chain Risk Management,” National Institute for Science and Technology Information Technology Laboratory Computer Security Resource Center;
16. Ibid.
17. “6 Best Practices that Reduce Third-Party Cybersecurity Risk,” Security Magazine;
18. “Assessing Cybersecurity Risks in the Supply Chain,” The Wall Street Journal;
