Cybersecurity as a Major Supply Chain Risk Domain

July 24, 2024

The Cybersecurity in Supply Chains series with Seongkyoon Jeong explores why cybersecurity matters to supply chain managers and what fundamental strategies managers should take. An assistant professor at the Haslam College of Business, Jeong is a digital supply chain researcher whose work covers vulnerability detection in software systems and the economic impact of cyberattacks.

Written by SK Jeong

With the digitalization of business, cyberattacks have become a top risk: they occur more frequently and destroy significant business value. Recognizing their exposure, leading companies have strengthened their cybersecurity programs. Building a so-called security fortress, however, does not stop attacks entirely. Rather than attacking a well-protected target head-on, attackers often compromise a supplier with weaker protections and use the access that supplier already has to reach the primary target.

A prominent example of a supply chain cyberattack is the 2020 SolarWinds incident. SolarWinds sells Orion, an IT infrastructure tool used to monitor, analyze, and manage corporate IT systems. State-sponsored attackers compromised the process that builds Orion and inserted malicious code into a routine, digitally signed software update. Because the update arrived through the vendor's legitimate channel and carried the vendor's signature, customers trusted and installed it, and in doing so installed the attackers' backdoor. Around 18,000 SolarWinds customers, including U.S. federal agencies, state and local governments, and major corporations, downloaded the malicious update.

For over a decade, scholars like me have documented the rising pattern of cyberattacks channeled through the supply base. What we began observing in the early 2010s accelerated with the COVID-19 pandemic. As the world moved online, the rapid and necessary adoption of digital tools, heavier use of digital services, and closer digital connections with suppliers raised business productivity, but the same connections gave attackers more paths into companies through their supply chains.

Importance of Integrating Cybersecurity into Supply Management

A primary reason the supply chain is leveraged for cyberattacks is suppliers’ weak cybersecurity levels. Despite the rising risk, suppliers—often smaller companies—do not have sufficient measures to protect themselves against attacks. With fewer operational resources and limited capabilities, they’re left exposed. Even when made aware of the importance of cybersecurity, suppliers place more emphasis on key operational performance measures like speed and cost than cybersecurity-related measures. This inclination within supply management is akin to other emerging issues in the discipline (e.g., sustainability in the supply base).

Supply management thus plays an essential role in securing against cyberattacks. Cybersecurity must be integrated into the supplier selection process, and continuous supplier development in cybersecurity is necessary. After all, in today’s digitally connected environment, companies can remain vulnerable to cyberattacks originating from their supply chains regardless of their own defense level. In that regard, supply managers must take a leadership role in cybersecurity, orchestrating their supply chains in the same way they do when facing other key business issues.

Understanding the Digital Supply Chain for Cybersecurity

Like physical products, most software products are not built by a single supplier. They are assembled from multiple modules, each of which may depend on further modules, forming “software supply chains.” Companies embedded in software supply chains face challenges akin to those in conventional supply chains. Recent studies consistently find that a significant portion of software modules rely on vulnerable components somewhere in their dependency trees, yet it is difficult to map what a software supply chain looks like below the first-tier supplier or module (the transitive dependencies) and how that map changes as modules are updated over time. The challenge becomes more serious when hackers exploit a vulnerability in a low-tier supplier or module, because the companies ultimately affected may not know they depend on it at all.

In 2021, for example, Log4j, a little-known but near-ubiquitous Java library that applications use to record system activity in log files, was found to contain a vulnerability, later dubbed Log4Shell (CVE-2021-44228), that let an attacker run arbitrary code on a server without any valid credentials, simply by getting the server to log a specially crafted string. Because Log4j usually sat several tiers down the dependency tree, many organizations first had to work out whether they were running it at all. Digital goods, by nature, can be reached from the outside instantly and at scale, so as new vulnerabilities are disclosed, attackers may exploit them before fixes are applied. Software products that use vulnerable modules anywhere in their supply chains remain at risk until those modules are updated or replaced.

Recent Developments and Best Practices

In response to the rising risk of cyberattacks, government agencies and industry organizations have developed frameworks that supply chain managers should adopt.

Similar to a traditional bill of materials, a Software Bill of Materials (SBOM) lists the software components that make up a product, including the components those components in turn pull in. With SBOMs from its suppliers, an organization can see what is inside the software it runs, find which products contain a module once a vulnerability in it is disclosed, and remediate emerging issues in its software supply chain promptly rather than by guesswork.
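To make the SBOM idea concrete, and to tie it to the earlier points about dependencies below the first tier and about Log4j, here is an added example in Python. It is not code from the original post, from SolarWinds, from NIST, or from the Log4j project. It walks a small SBOM in the CycloneDX format (a real, widely used SBOM standard), follows the dependency graph from the product down through its suppliers' modules, and flags any component that falls inside a known-vulnerable version range. The product, the component names, the dependency graph, and the simplified advisory range are all constructed for the illustration; CVE-2021-44228 itself is the real Log4Shell identifier.

```python
"""Check an SBOM for known-vulnerable components, including transitive ones.

Added example for this post, not code from SolarWinds, NIST, or the Log4j project.
The CycloneDX document and the advisory entry below are constructed for
illustration; in practice the SBOM comes from the supplier and the advisory
ranges from a vulnerability feed such as OSV or the NVD.
"""
import json

# Constructed CycloneDX 1.4 SBOM. Our product depends directly on a web
# framework (first tier), which itself pulls in log4j-core (second tier).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {
        "bom-ref": "pkg:maven/example/inventory-service@1.0.0",
        "name": "inventory-service", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "pkg:maven/example/web-framework@3.2.0",
         "group": "example", "name": "web-framework", "version": "3.2.0"},
        {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"bom-ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4.2",
         "group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.4.2"},
    ],
    "dependencies": [
        {"ref": "pkg:maven/example/inventory-service@1.0.0",
         "dependsOn": ["pkg:maven/example/web-framework@3.2.0"]},
        {"ref": "pkg:maven/example/web-framework@3.2.0",
         "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
                       "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4.2"]},
    ],
})

# Constructed, simplified advisory: Log4Shell affected log4j-core 2.x releases
# before 2.15.0. Real feeds express ranges per ecosystem and per CVE.
ADVISORIES = [
    {"id": "CVE-2021-44228", "group": "org.apache.logging.log4j",
     "name": "log4j-core", "introduced": "2.0", "fixed": "2.15.0"},
]


def version_key(version):
    """Map '2.14.1' to a comparable tuple, zero-padded so '2.15' == '2.15.0'.
    Assumes dotted numeric versions; qualifiers like '-beta9' are ignored,
    a simplification a real tool would replace with an ecosystem-aware parser."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts)


def is_affected(version, advisory):
    """True when introduced <= version < fixed."""
    key = version_key(version)
    return version_key(advisory["introduced"]) <= key < version_key(advisory["fixed"])


def dependency_paths(sbom):
    """Breadth-first walk of the 'dependencies' graph starting at the product.
    Returns {bom-ref: [root, ..., bom-ref]}; the shortest path wins and
    already-seen refs are skipped, so cyclic graphs still terminate."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    paths = {root: [root]}
    queue = [root]
    while queue:
        current = queue.pop(0)
        for child in edges.get(current, []):
            if child not in paths:
                paths[child] = paths[current] + [child]
                queue.append(child)
    return paths


def find_vulnerable(sbom_json, advisories):
    """One finding per (component, advisory) match, with the tier at which the
    component sits and the path from the product down to it."""
    sbom = json.loads(sbom_json)
    paths = dependency_paths(sbom)
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if (comp.get("group") == adv["group"] and comp["name"] == adv["name"]
                    and is_affected(comp["version"], adv)):
                ref = comp["bom-ref"]
                # A component listed but absent from the graph gets a path of itself.
                path = paths.get(ref, [ref])
                findings.append({"id": adv["id"],
                                 "component": f"{comp['name']}@{comp['version']}",
                                 "tier": len(path) - 1, "path": path})
    return findings


if __name__ == "__main__":
    for finding in find_vulnerable(SBOM_JSON, ADVISORIES):
        print(f"{finding['id']}: {finding['component']} at tier {finding['tier']}")
        print("  via " + " -> ".join(finding["path"]))
```

Run as is, it reports log4j-core 2.14.1 at tier 2, reached through the web framework, which is exactly the kind of exposure a product's direct dependency list would hide. In practice the same loop runs over every supplier's SBOM each time a new advisory arrives; that is the responsive remediation an SBOM enables. The version comparison here is deliberately naive, and a production tool would use a version parser that understands the conventions of each package ecosystem.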

There is also a government-level movement towards standardized frameworks for managing supply chain cybersecurity. For example, the National Institute of Standards and Technology (NIST) published Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (NIST SP 800-161 Rev. 1), which underscores the issue's importance and gives companies a systematic approach to the factors involved in supply chain cybersecurity.

Beyond technical tools, managerial attention to potential cybersecurity concerns is crucial. Attack strategies evolve as attackers and defenders interact, so no permanent solution can exist. Collective and responsive action across organizational boundaries can limit the impact of cybersecurity risks. For instance, despite the severity of the Log4j vulnerability, many companies and open-source communities addressed the issue proactively and collectively, which kept the damage far below what the flaw's reach could have caused.

In the next post, we will explore recent supply chain cyberattack cases and what lessons we can learn from them.