When supply chain disruptions strike, risk mitigation strikes back. And, it does so in many forms. Whether it’s enhanced software, improved employee training or solutions equipped with visibility features, managing risk is a 24/7/365 job. It requires all hands on deck, the latest and greatest technologies and the ability to pivot accordingly.
That’s because supply chain disruptions also come in many forms -- ransomware attacks and port closures, natural disasters and global pandemics, food fraud and cargo fraud.
If history repeats itself, disruptions of major magnitude will continue to rock U.S. supply chains. But, it’s how companies plan, manage and react to these disruptions that allows them to efficiently and successfully mitigate risk.
Here’s an interview with Jim Bowers, security architect at TBI, with excerpts publishing in Food Logistics’ October 2021 issue. [CLICK HERE to read the article in full].
Food Logistics: The COVID-19 pandemic presented a host of risk/security challenges to today’s cold food chains. Now, the Delta Variant is looming its dark head. What is your company or companies in the cold food chain doing to mitigate and stay in front of these types of risks?
Jim Bowers: All supply chains have multiple partners or vendors communicating between each other for things to run smoothly. From the farmer to the producer to the shipping and all the way through to the restaurant, there are constant interactions happening between systems.
One flaw we saw glaringly during the pandemic was the blind trust in third-party tools and third-party interactions between companies and how their data is shared. Along with this, many organizations in the cold food chain arena deploy several IoT devices, so that they can be faster and more efficient. While this is typically true, the problem with IoT devices is a lot of times companies are not keeping up with their maintenance, such as updating the device’s firmware. When this oversight happens, IoT devices become a big target for threat actors.
Being cognizant of exactly what changes you’ve made to your supply chain and what IoT devices are in your infrastructure is crucial to successful supply chain management. For example, when an IoT device is placed on a refrigerated truck, it’s communicating back somewhere with data, making it an entryway into that organization.
Keep in mind that no entryway is too small or ridiculous for hackers. One of the largest breaches I've worked on was a casino that got hacked by a thermometer in their fish tank. It was an IP-connected thermometer with an old code on it, and the hackers were able to go through that thermometer to get to the rest of the network.
Food Logistics: Cyberattacks are becoming more commonplace in the cold food chain. Thoughts on how to prepare for when cybersecurity disrupts the cold food chain.
Bowers: The very first thing organizations need to do is a third-party risk assessment to make sure their policies and procedures are in order. Companies also need to be hyper aware of how their data is exchanged, where it’s housed and who has access it. Because at the end of the day, it's the raw data threat actors are after.
We're seeing more and more IoT devices being deployed in multiple different areas, especially in the supply chain and manufacturing industries. And, while these devices help them to become more efficient, they’re also now a primary target for threat actors.
While the sharing of data is necessary for the logistics aspect of the supply chain, take the extra mile to be able to look at how you're interacting with said data, what exactly you’re sharing and how that data is being transferred and transmitted.
Food Logistics: Please describe some of the technologies implemented to better mitigate risk, improve visibility/traceability and monitor farm to fork along the cold food chain.
Bowers: You can have all the tools in place to mitigate risk, but it still won’t guarantee you’re in the clear from a breach. Therefore, it’s important to have key pieces in place, like a defense in depth (DiD) approach, to mitigate risk to the best of your ability.
If you think of a big house, you have a gate, an alarm system, a key, external cameras and motion sensors all coming together to provide greater protection within your house from outside intruders. The same thing goes for an organization; you need multiple layers.
It’s nearly impossible to protect everything but leveraging the right tools can get you pretty close. Zero-trust network access (ZTNA), multi-factor authentication (MFA), endpoint protection and an endpoint detection and response (EDR) platform need to all be working together to give you the visibility you need across your infrastructure.
Humans are an organization’s weakest link in terms of security, so having a layered approach where you can easily identify what is going on within your infrastructure, is key to making sure employees are only accessing the data they need to do their job.
Make sure to promote user awareness with phishing simulations and trainings, use secure remote access for anyone accessing the data and encrypt data everywhere possible.
Food Logistics: Risk reduction entails other facets of the business, i.e., worker safety, product safety and plant safety. What is your company or companies in the cold food chain doing to protect employees, product, facilities, fleet and more?
Bowers: All the components of a defense in-depth approach are there to protect your employees, products, facilities and fleet. If any of those pieces, whether it's your product, access to the product or your employees that have access to an attack, you need to have all of the components of a layered approach ideally in place to detect the threat.
All the moving parts in a supply chain have technology that enables them to run. For example, fridge systems are controlled by a software and their power is controlled by software. A layered, or a defense in-depth approach, allows you to protect the components that are accessible for threat actors.
Security is everchanging, and I like to remind people that security is not a destination; it’s a journey. Just because you feel like you're safe today, give it a week or so, and it could change.
Food Logistics: Going into 2022, what are some things companies should be doing now to better identify risks?
Bowers: Going into 2022, companies must have visibility across their environment and make sure that just because they have a vulnerability management plan, they’re still following that up with a patch management plan. Many companies won’t have a choice to avoid these precautions moving forward, as cyber insurance companies are dictating certain standards in a company’s security posture.
Previously many organizations relied cyber insurance as a crutch and that’s now changing. Organizations need to look realistically at themselves, analyze where they're going and continually do thorough risk security assessments to assess where they are vulnerable. They need to have the mechanisms in place to limit, restrict, and if a threat occurs, the anomalous behavior to stop it.
The unfortunate reality is the amount of risk companies now face has changed dramatically. Organizations can’t afford to skimp on any of these tools as they're all part of a robust security posture.
[CLICK HERE to read the article in full].