Supply chain integrity has become a hot topic during the COVID-19 pandemic. With shortages of various products, it’s become critical as companies may have to turn elsewhere to find what they need.
“Across the board, we’ve been seeing supply chain security integrity constraints which are significantly worse during COVID-19,” said Brett Bennett, Director of Supply Chain Integrity Services at CyberCore Technologies.
As a further sign of the importance of supply chain security, President Joe Biden signed an executive order Wednesday intended to boost manufacturing jobs by strengthening U.S. supply chains for advanced batteries, pharmaceuticals, critical minerals and semiconductors.
The United States has become increasingly reliant on imports of these goods — a potential national security and economic risk that the Biden administration hopes to address with the planned 100-day review and the possibility of increased domestic production.
One of his main concerns, Bennett said, is that companies are going outside of their already vetted and trusted networks. That can cause problems as counterfeit products can be introduced.
“You’ve always had the challenge of things going to the lowest bidder,” Bennett said. “After COVID-19, you have additional restrictions, such as whether you can even find the products you are looking for. Because of these limitations, you might be tempted to soften your protocols since there’s more strain on the systems that companies have in place, given the shortages and longer lead teams. However, you still need to do your due diligence on new suppliers just as you did before the pandemic.”
These measures may take more time and add additional stress on your company – from your procurement team to your finance team to your security team – but you can’t jeopardize your company by letting your guard down and going to a supplier that you haven’t vetted. A strong counterfeit program starts with vetting suppliers, Bennet said. That means not only asking if they are an authorized supplier, but also doing your own research to confirm. Verification and validation are just as important as training your procurement team to not go outside of your trusted supplier network.
“Supply chain is a pretty broad term,” said Tina Kuhn, President and CEO of CyberCore Technologies, “but it basically means getting goods from one place to another.”
Kuhn said the problem is that IT equipment can be manipulated, hacked, and/or counterfeited as it’s being shipped through the supply chain.
“Typically, manufacturers have a lot of security during the manufacturing process,” she said, “but then the equipment sits in a warehouse that may not be owned by the manufacturer, or shipped out, or goes to a third party. So, there’s a lot of opportunity for malicious operators to tamper with the product.”
Bennet said the first step to keeping your equipment safe is vetting your supplier network, meaning knowing exactly who you are buying from. He said it’s one thing to buy from one of the big manufacturers, but you aren’t always necessarily going to get everything directly from them.
“First and foremost,” Bennett said, “the thing to look for when vetting a new company is to determine if there is any foreign influence or foreign actor not friendly to the U.S. who owns the company or could provide challenges from a financial perspective.”
Kuhn said the connections throughout the word economy were seen as the COVID-19 pandemic spread around the globe.
“We are a global economy,” Kuhn said. “Starting February 2020, we did see the supply chain being disrupted because of the China shutdown, plant shutdowns, and manufacturing shutdowns. There’s also a chip shortage because of increased demand for computers, laptops, gaming devices and electronic devices overall.”
Bennett said some bad actors cause problems just for kicks, while others do it for profit or some other reason. Yet at the end of the day, almost everything in the world comes from overseas sources.
“Just make sure the companies you work with have our best interest at heart,” he said. “It is really interesting that it took a pandemic for us to realize how vulnerable our supply chains are. I don’t think it changed anything, but it has put a strain on everything.”
Brett Bennet provided some tips and resources for maintaining strong cybersecurity:
Do your due diligence: Closely monitor the transactions you have with your partners upstream or downstream. One entity getting hacked leaves everyone exposed.
Know who you are working with: Vet suppliers for evidence of breaches; know if a company is financially struggling
Keep a complete audit trail: Track everything during every stage of the process, including what’s happened, where it’s been, and if something happened outside of the norm.
Ensure that you have authentication procedures in place: For example, the two-step verification process.
Resources to begin to understand and identify both internal and external threats to an organization and to begin to develop their own supply chain integrity practices:
Medicating against maliciously tainted in counterfeit product: https://www.iso.org/standard/74399.html
Security for supply chain management systems: https://www.iso.org/standard/44641.html
Securing supplier relationships: https://www.iso27001security.com/html/27036.html
NIST: Here’s a recent article that provides great resources that they’ve developed for supply chain security standards. https://www.nist.gov/news-events/news/2020/02/nist-offers-strategies-help-businesses-secure-their-cyber-supply-chains
Bennet said in addition to the references in this article, NIST 800-161 is probably one of the most comprehensive resources for Supply Chain Risk Management Practices for Federal Information Systems and Organizations
For cybersecurity standards, take a look at NIST 800-171
https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final and the Cyber Maturity Model Certification (CMMC): https://www.defense.gov/Explore/News/Article/Article/2071434/dod-to-require-cybersecurity-certification-in-some-contract-bids/. Both of these focus on securing control on classified information (CUI).