On October 24, The New York Supply Chain Meetup held an event on the theme “Secure Supply Chains.” Supply chain security is a topic I touched on in passing last week in this column, Commentary: Will auto companies bring blockchain into real-world supply chains first? I have been interested in cybersecurity as an investment theme since 2011. That interest led me to source two early-stage cybersecurity investments at my former employers, Fireblade (2013) and Virgil Security (2016), as well as others that did not make it into the portfolio, such as Zimperium (2013), Chainalysis (2015), NS8 (2016) and RunSafe Security (2017).
My operating hypothesis when it comes to cybersecurity has been this – as more of the world’s property becomes digitally enabled or fully digitized, there will be a growing need to protect that property from theft and other destructive or fraudulent behavior.
As the cyber-physical systems I wrote about in this column last week become more common, the need to secure autonomous supply chains will become more acute. In this article, I will write about some of the lessons I learned during the meetup.
Context: Damages reported by victims of 2017’s NotPetya malware attack
In The Untold Story of NotPetya, the Most Devastating Cyberattack in History, published by Wired on August 22, 2018, Andy Greenberg provided the approximate damages reported by some of the biggest victims of 2017’s NotPetya malware, and reported that the White House estimated the total damage caused by NotPetya at about $10 billion.
- Merck, the pharmaceutical company – $870,000,000
- FedEx (TNT Express, its European subsidiary) – $400,000,000
- Saint-Gobain, a French construction company – $384,000,000
- Maersk, the shipping company – $300,000,000
- Mondelez, a packaged foods company – $188,000,000
- Reckitt Benckiser, a British manufacturing company – $129,000,000
It is worth reading Greenberg’s article for additional background. It is an excerpt from his book, which will be available in hardcover on Tuesday, November 5. The cybersecurity incidents that are big enough to make the news are far fewer than those that go unreported in the popular media.
Supply chains as an attack vector
If his reporting on NotPetya is not worrisome enough, on October 10, 2019, Wired published another article by Andy Greenberg, Planting Tiny Spy Chips in Hardware Can Cost as Little as $200. This article builds on reporting by Jordan Robertson and Michael Riley that was published online by Bloomberg Businessweek on October 4, 2018: The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies.
Taken together, those two articles suggest that corporate information technology hardware supply chains are susceptible to attacks by organizations that do not need the resources of a nation state behind them. Quoting from Greenberg’s article, “Now researchers have gone further, showing just how easily and cheaply a tiny, tough-to-detect spy chip could be planted in a company’s hardware supply chain. And one of them has demonstrated that it doesn’t even require a state-sponsored spy agency to pull it off – just a motivated hardware hacker with the right access and as little as $200 worth of equipment.”
The companies mentioned in the Bloomberg Businessweek article vociferously deny the incidents reported in that article. The NSA has waved it off as well.
Supply chains present a promising attack vector because each supply chain contains many suppliers and nodes, any of which may be a weak link through which attackers can gain easy access. For example, this article published by CPO Magazine on October 4 describes an attack on Airbus, stating that “European aerospace company Airbus has found itself on the receiving end of a particularly large coordinated attack on its vendors over the past 12 months.”
Insights from the field – lessons learned at #TNYSCM17: secure supply chains
Scott Carlson, Head of Blockchain Security at Kudelski Security, discussed six layers across which data and information should be protected in modern, autonomous supply chains. These layers are:
- Content – ensuring that the data and information that is transmitted across the supply chain is accurate.
- Recipients – ensuring that the devices receiving data and information are properly authorized to do so.
- Devices – ensuring that connected devices configured to communicate over the supply chain are authorized to do so, and tamper-proof.
- Commits – ensuring that data and information written to the supply chain is stored in a traceable and immutable database.
- Communications Protocols – ensuring ongoing compliance with the rules established within the supply chain while protecting data and information from theft and misuse.
- Ongoing Integrity – providing guarantees about the fidelity of data and information that has already been recorded and stored.
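To make the Content, Recipients, Devices, Commits and Ongoing Integrity layers above concrete, here is an added illustration (my own, not code from Kudelski Security or any speaker at the event) of a tamper-evident supply-chain event log: device keys, device ids, the authorization table and the shipment events are all constructed for the example.

```python
"""Tamper-evident supply-chain event log mapped to Carlson's layers.
Added illustration; keys, device ids and events are constructed."""
import hashlib, hmac, json

# Constructed sample device keys: in practice these live in an HSM or secure element.
DEVICE_KEYS = {"scanner-01": b"k-scanner-01", "truck-07": b"k-truck-07"}
# Recipients layer: which devices are authorized to receive each event type.
AUTHORIZED = {"shipment.scanned": {"truck-07"}, "shipment.delivered": {"scanner-01"}}

def canonical(obj):
    # Content layer: fixed serialization so sender and verifier hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign_event(event, sender):
    # Content layer: the sending device authenticates the event with its key.
    return hmac.new(DEVICE_KEYS[sender], canonical(event), hashlib.sha256).hexdigest()

def append(chain, event, sender, recipient):
    # Devices / Recipients layers: only known devices commit, only authorized ones receive.
    if sender not in DEVICE_KEYS:
        raise PermissionError(f"unknown device {sender}")
    if recipient not in AUTHORIZED.get(event["type"], set()):
        raise PermissionError(f"{recipient} not authorized for {event['type']}")
    prev = chain[-1]["hash"] if chain else "0" * 64
    entry = {"event": event, "sender": sender, "recipient": recipient,
             "mac": sign_event(event, sender), "prev": prev}
    # Commits layer: each record hashes its predecessor, forming a traceable chain.
    entry["hash"] = hashlib.sha256(canonical(entry)).hexdigest()
    chain.append(entry)
    return entry

def verify(chain):
    # Ongoing Integrity layer: re-derive every MAC and link; any later edit breaks the chain.
    prev = "0" * 64
    for entry in chain:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or entry["hash"] != hashlib.sha256(canonical(body)).hexdigest():
            return False
        if not hmac.compare_digest(entry["mac"], sign_event(entry["event"], entry["sender"])):
            return False
        prev = entry["hash"]
    return True

def demo(tamper=False):
    chain = []
    append(chain, {"type": "shipment.scanned", "sku": "A100", "qty": 40}, "scanner-01", "truck-07")
    append(chain, {"type": "shipment.delivered", "sku": "A100", "qty": 40}, "truck-07", "scanner-01")
    if tamper:
        chain[0]["event"]["qty"] = 400  # edit already-recorded content after the fact
    return verify(chain)
```

Running `demo()` returns True for the untouched log and `demo(tamper=True)` returns False, because the edited quantity no longer matches either the sender's MAC or the hash that the next record links to.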
In comments to people who wanted to speak with him after the event, Carlson clarified that Kudelski is protocol agnostic, and will use whichever technology protocol is most appropriate for a specific enterprise supply chain implementation. His team also partners with other organizations, or licenses intellectual property from others if that is necessary. Kudelski holds numerous patents related to cryptography, connected devices and content security.
David Garrity and Thomas Olofsson of BTblock discussed some of the lessons they learned during a blockchain security implementation for a client. BTblock is an implementation partner of Kudelski Security. Among the issues that struck me from their presentation:
- BTblock has found that supply chains initially seem simple. However, as one starts to dig, the underlying complexity of supply chain processes becomes apparent. Furthermore, it is only once one starts to interview supply chain stakeholders that numerous undocumented exceptions are revealed.
- BTblock also urges anyone thinking about implementing distributed ledger technology in a supply chain to first ask if decentralization is a necessary feature, since that makes such implementations more complex. I wrote about this in a February 2018 blog post: #ChainReaction: Notes on Centralized, Decentralized and Distributed Systems.
Finally, Charles Yeomans, CEO of AtomBeam Technologies, described software that shrinks, secures and speeds data transmission between devices connected to a network. He described AtomBeam’s superior performance on IoT and telemetry data, internet data, data from SMS and other social media apps, as well as financial data of different kinds. He also described conversations between AtomBeam and one company in the trucking industry, as well as another in the shipping industry.
Supply chain security is a complex topic. It’s impossible to do it justice within the parameters of a column such as this one. However, we can conclude that:
- As advances in communications technology become more tightly integrated into supply chains, the need for cybersecurity will continue to increase.
- Effective defenses against supply chain security risks will require organizations of all types to examine their business processes to ensure that those processes adequately complement any technologies deployed to protect the supply chain from cyber attacks.
- It is not clear how much protection ordinary property and casualty insurance will provide for the most devastating cyber attacks. For example, Mondelez International is suing Zurich American Insurance in a dispute over property and casualty insurance claims related to the NotPetya attack.
Author’s disclosure: Kudelski Security sponsored #TNYSCM17: Secure Supply Chains, on which this article is based. Transfix hosted the event. I do not have any personal financial relationships with either of them, or any of the other entities mentioned in this post. REFASHIOND Ventures is not an investor in any of the startups mentioned in this article.