Securing Supply Chain Data: Mission Impossible?

When reports surfaced earlier this year that hackers had penetrated the network of Foxconn Electronics Inc., the news sent shivers down the spines of many supply chain executives in the electronics manufacturing industry. After all, if the contract manufacturing giant that makes Apple's iPhones and iPads can have its computers compromised, what does that mean for the rest of the electronics industry, which has linked its supply chain data to globally connected networks?

What it means is this: A digitized electronic supply chain isn't just a source of information; it's the network that contains data that drives business decisions, improves efficiency, and advances a company's competitive differentiation. Supply chain data is gold; it can be valued in the millions, and maybe even in the billions. It is, therefore, imperative that original equipment manufacturers, contract manufacturers, and distributors protect their financial, operational, and product information — but these days, doing so is becoming increasingly difficult.

Today, the electronics industry operates in an era of mobile device connectivity, social media, and hackers with ever more sophisticated tools to conduct more persistent attacks. In fact, according to recently released research, there has been an increase in the number of data breaches across the globe. In the “2012 Data Breach Investigations Report,” published by Verizon, it is revealed that in 2011 there were 855 data breaches that involved more than 174 million compromised records. This was the second-highest data loss that the Verizon RISK (Research Investigations Solutions Knowledge) team has seen since it began collecting data in 2004.

The report reflects the global challenge facing companies conducting international business online. To gauge the global scale of cyberattacks, Verizon collaborated with the United States Secret Service, the Dutch National High Tech Crime Unit, the Australian Federal Police, the Irish Reporting and Information Security Service, and the Police Central eCrimes Unit of the London Metropolitan Police.

The international nature and scope of cyberthreats has a direct impact on the electronics supply chain, which relies on a global shipping and logistics network infrastructure to conduct its business.

One company that understands the dangers of these threats is UPS, a global logistics company that collaborates with security agencies around the world for information exchange, risk assessment, regulatory compliance, and preventive action. This includes participating in various cybersecurity task forces and industry working groups.

“Certainly, as technology becomes more sophisticated, new threats emerge. We believe our collaboration helps to develop and share best-practices for responding to threats and enhances our preparation,” Susan Rosenberg, UPS public relations director, said in an interview with me. “We add to that technology tools that UPS provides for visibility of packages and information management to operate our multi-modal transportation networks around the world.”

Like other companies connected to a global electronics supply chain, UPS is faced with the arduous task of trying to provide transparency and visibility while protecting sensitive business information. Without divulging details about UPS's security measures for fear of compromising them, Rosenberg broadly outlined two distinct aspects of the approach UPS has taken, both of which safeguard the high-tech and strategic component shipments of their customers.

First, UPS examines its processes and compliance for data protection and internal systems, including the architecture and redundancies of its own technology and training to routinely reinforce the protection of internal data as well as customers' information assets. “We have continually enhanced authentication processes for using or any of our shipping systems or UPS tools that may be APIs integrated into other technology platforms for accounting or inventory management systems,” Rosenberg told me. “We have frequent and periodic requirements for password changes and rules for encryption and use of any auxiliary devices.”

Second, Rosenberg said UPS counsels customers on risk assessment in their supply chains to help minimize data breach threats through effective logistics planning with sourcing partners, multiple modes of transit, aligning regional and global geographic needs, planning for warranty repair, and parts inventory management.

“In the UPS multi-layered approach to ensure security, we have processes, systems, and procedures in place designed to protect our people, aircraft, vehicles, and customers' shipments. It's very dynamic, and much is tied to 'Sensitive Security Information' by government entities that cannot be disclosed to the public.”

In the meantime, companies that provide data security tools and services are feverishly working on ways to prevent the electronic supply chains from succumbing to cyberattacks. One such company is Redspin Inc., which provides penetration testing and IT security assessments. In June the company announced a new assessment service that helps Fortune 1000 companies reduce their vulnerability to advanced persistent threats (APTs).

Daniel Berger, Redspin's president and CEO, told me that high tech companies involved in tackling the problem of data breaches should rethink their strategies. “It is impossible to construct a security defense that can protect all data and every data exchange,” he said. “We recommend companies conduct a data-centric risk analysis so that the most resources can be allocated to safeguard the most important in the electronic supply chain.”

3 comments on “Securing Supply Chain Data: Mission Impossible?”

  1. prabhakar_deosthali
    July 12, 2012

    The security breaches and cyber attacks to gain access to the sensitive data and to be able to manipulate the same is not just the problem of supply chain networks, it is pervading everywhere whether it is a financial system, a strategic system (like defense or research) or a social networking system having a lot of personal information about its members.

    In my opinion, the security solutions companies need to find a common solution for this global menace.  The main focal point here should be to provide a security blanket on the data packets that flow through the internet. If the integrity of these data packets can be guaranteed throughout their travel from the source to the destination then we can achieve the required security in any system.

  2. stochastic excursion
    July 13, 2012

    Prabhakar is onto something when talking about a blanket over the data packets.  A comprehensive security plan, as with piling it on for cold weather, has to involve layers in order to be effective.

    The minute data is keyed in, it is handled by numerous software packages in succession, from the operating system on a workstation, a database client, and so on through the internet.  Each has vulnerabilities that should be assessed and taken care of when mission-critical data is being handled.

    Reports like this don't do anything to generate interest in remote cloud storage, especially as the victim is as high-profile a computer maker as Apple is.  This type of attack, though, is atypical in that most hacker attacks in recent years work in stealth mode and when done right, leave no traces.

  3. The Source
    July 20, 2012

    Stochastic excursion and Prabhakar,

    I think we should remember that while installing the right security technology helps to mitigate electronic data breaches, companies must train their employees to adhere to practices and procedures that make it difficult to penetrate the network. Also, while it may be a challenge to prevent these attacks, it is possible to do so. Verizon's 2012 Data Breach Investigations Report showed that 97% of breaches were avoidable through simple or intermediate controls, and 96% of attacks were not highly difficult, which means penetrating these systems was a relatively easy task.

    High tech companies must implement a comprehensive set of policies and procedures that ensure supply chain data is protected not only at their company, but also among their partners, component suppliers and others handling sensitive supply chain information.   This is an ongoing and daunting task.


