Towards a Common Standard for Digital Supply Chain Security

Digitization is transforming the way business is conducted and supply chains operate, and mostly for the better. However, one of the downsides of our IT systems, databases, software applications and, increasingly, physical assets such as factories and warehouses being internet-enabled is that the potential for cyber-attacks to cause disruption is growing.

The risk is not only to customers’ confidential information and companies’ valuable intellectual property, but also to industrial control systems and a multiplicity of devices connected together via the fast-expanding internet of things.

Cybersecurity is now a major concern for IT professionals, risk and business continuity managers, insurance specialists and senior executives alike. SCM World research in 2016 found that data security and IT incidents are also now the most worrying type of risk for the supply chain community. Of more than 1,400 practitioners surveyed, 30% said they were “very concerned” about these, and this percentage has risen steadily over the past five years.

Until recently, most of the focus in cybersecurity has been on shoring up internal firewalls against hackers and other so-called “threat actors”. The supply chain dimension, and the convergence between information technology and operational technology on the one hand, and between data security and product security on the other, has been largely overlooked.

Standards Deviation

One of the challenges of bringing suppliers into the cybersecurity fold is defining the processes, practices and behaviors you want them to comply with, both before they are selected and then over the course of the contract lifecycle. The good news is that you don’t need to start with a blank sheet of paper: there are a host of standards, such as ISO 27001, that address information and computer security. The bad news is that there isn’t currently an agreed standard that covers digital supply chain security more broadly and which trading partners can unite around.

That may be about to change. At the turn of the year, the Maryland-based National Institute of Standards and Technology (NIST), part of the US Department of Commerce, published an updated draft of its Framework for Improving Critical Infrastructure Cybersecurity, a widely adopted standard used by companies such as Boeing, Intel, Merck, Apple and Chevron.

Whereas the first version of NIST’s framework, released in February 2014, contains just one cursory mention of supply chain, the amended version – open for public comment until 10 April and due to be released in final form later this year – contains 36 and adds an entirely new layer of supply-chain-specific characteristics in its four-tier capability model (see table).

[Table: supply-chain-specific characteristics added to the framework's four-tier capability model]

Best Practice Mandated

Under President Barack Obama, the US government took the lead in trying to get strategically important industries, from defense and telecommunications to transport and energy, to beef up their cybersecurity. Particular concerns include the potential for malware and counterfeit parts to find their way into military hardware via the supply chain.

Companies that provide these and other products and services to state agencies, along with their subcontractors, are also seeing best practices such as those laid out by NIST move from being a voluntary option to a mandatory requirement.

Analysis of SCM World’s data for a new report* shows that supply chain professionals working in critical sectors such as telecoms, utilities and logistics are particularly concerned about cyber risk. The same is true of their peers in hi-tech – which makes many of the components, devices and software at risk of being hacked or tainted – and healthcare & pharmaceuticals, where IP theft and counterfeiting are serious problems.

A chart visualizing how different industries see data security/IT incidents, based on 1,319 respondents.

The amended NIST framework proposes a five-stage process for addressing cyber risk. This starts by defining processes and identifying high-risk suppliers, moves on to outline contractual measures that suppliers are expected to follow, and specifies audits and other monitoring mechanisms to check for compliance. The fifth and final stage uses planning and testing drills run with suppliers to see how well the parties would work together to recover from a cyber-attack.

Given the technical and technological issues involved, risk and security experts in both the IT and supply chain organizations will need to work together to ensure that a company’s extended network, not just its enterprise network, is as resilient as possible.

For IT security folk, this means broadening their horizons to include both direct and sub-tier suppliers; for supply chain practitioners it means raising awareness of electronic adversaries and factoring digital security into their product integrity and risk management initiatives.

Cross-functional and cross-enterprise collaboration of this kind is vital for building cyber-resilience. Engaging in the debate about NIST’s framework is a great way to get started.

*SCM World’s report on digital supply chain security and cyber-resilience will be published next week.

Author Geraint John