How to secure cyber-physical supply chains
The merging of digital and physical domains is a central part of the digital transformation we're going through as part of the 4th industrial revolution. These cyber-physical systems combine computation, networking, and physical processes.
They cover a wide range of areas, including industrial control systems in utilities, smart grids, and nuclear power stations. Such systems usually interact with the physical environment through a communication channel that carries inputs and feedback.
Cyber-physical systems typically present a number of challenges from a cybersecurity perspective, including:
- The distributed nature of control and management of cyber-physical systems makes it hard to effectively secure the system
- The speed and volatility of sensor readings and system status can make it hard to establish a trustworthy picture of the system's actual state
- They may involve real-time control loops with specific performance requirements
- They can be geographically spread over a large area, with components in locations that lack physical security
Securing supply chains
Nowhere are the challenges of securing cyber-physical systems more prevalent than in supply chains. Covid-19 has underlined the importance of having robust supply chains, with the pandemic prompting organizations to increase redundancy to ensure continuity of supply even in the midst of disruptions.
In his recent book Cyber Strong, cybersecurity expert Ajay Singh highlights the growing difficulty of securing such supply chains. Singh illustrates the challenge with the attack on aerospace giant Airbus, which was compromised after hackers targeted its supply chain. The attackers, who used VPNs to access systems, managed to obtain crucial technical information about components used in the Airbus A350.
“As a major high tech and industrial player, Airbus is like any other company, a target for malicious actors,” the company said in response to the attack. “Airbus continuously monitors activities on its systems, has detection mechanisms in place, and takes immediate and appropriate actions when needed.”
- Cybersecurity defences are not infallible - If organizations start from the premise that a breach is inevitable, it changes the way they implement cybersecurity. “The focus then becomes not just on how a breach can be prevented, but also on other aspects such as mitigation of the hackers’ ability to misuse the information they may have got access to and also planning for a recovery from the breach,” Singh says.
- Understand how hackers operate - Modern companies rely on a wide range of vendors, so it’s important to understand exactly what attackers will look to exploit in the supply chain in order to reach sensitive information. It’s not enough to focus cybersecurity efforts on your own systems alone, as the security of the supplier network is only as strong as its weakest link.
- Define minimum security requirements - It’s rare for cybersecurity to be part of supplier contracts, but Singh argues that companies can only establish control if they define minimum security requirements in their contracts with suppliers. “Raising supplier awareness with respect to cybersecurity and helping them maintain minimum standards is essential,” he says. “Providing support in the aftermath of an attack or breach can help recovery and in minimizing the damage.”
- Companies should monitor compliance among suppliers - Given the complexity of supply chains, it is unquestionably cumbersome to monitor cybersecurity compliance among such a complex web of vendors. It is, however, a necessity if supply chains are to remain secure. “Vendors must understand that their vulnerabilities can lead to hackers getting an opening into their partner network and make them liable for losses, fines, and potentially even damages from a lawsuit,” Singh explains.
- Secure supply chains are a cost of doing business - Given the prevalence of cyberattacks around the world, and the significant costs associated with them, cybersecurity can no longer be viewed as a luxury to be considered only in good times. Instead, it should be treated as a standard cost of doing business in our modern, interconnected world. Doing so is, after all, in the interests of the parent firm and all of its suppliers.
At the forefront of such efforts is German industrial giant Siemens, which has developed a Charter of Trust to promote a collaborative approach to cybersecurity across its supplier network. The charter began with nine key partners and has since grown to include a wide range of companies, such as Airbus, Atos, Daimler, Cisco, Deutsche Telekom, Total, and IBM.
“In the age of the internet of things, the Charter of Trust is a very important first step,” Siemens said. “We’re open to many more partners, making the real and digital worlds safer places for all of us. Cybersecurity is the key enabler for successful digital businesses. We hope that this initiative will lead to a lively public debate on cybersecurity and, ultimately, to binding rules and standards.”
With the threat to supply chains growing, it’s an initiative that will hopefully show the way in making cybersecurity front and center of supply chain practices globally, so that breaches like the one at Airbus do not become a common feature of the 4th industrial revolution.