Overall we have a low level of visibility and understanding of our supply chains. Horizon scanning for threats and vulnerabilities needs to extend into this area. Without awareness of these, expecting to have any resilience to supply chain risk is unrealistic. However, with improved collaboration, simpler solutions and investing in planning and preparation, there will be a marked improvement in supply chain risk management and resilience.
In this globalised world we need to increase our visibility and understanding of where and how our suppliers operate, the resources they use and the code we depend on. We have all seen the impact of sudden, unpredicted disruption from cyber attacks, pandemics and wars.
So how do we ensure that the supply chains upon which our business operations rest are stable and resilient? How do we horizon scan for threats on such a scale? What questions should we be asking? Is supply chain resilience really even possible? Are we moving forward or regressing?
What does your supply chain look like?
It is, first and foremost, important to understand what the bird’s eye view of your supply chain actually looks like. It is now common place to see tiering in most supply chains. This is where you see “tiers” of suppliers who feed other suppliers who then feed you. Tiering in supply chains can quickly make them hugely complex to manage at a risk level, especially once they become more that 3 or 4 tiers “deep”.
Tiering in your supply chain creates several issues. Firstly, you develop a combinatorial problem for yourself when it comes to resilience – supplier X needs both supplier A and C to feed into them, to produce part of the solution for supplier H. The challenge becomes how do we find and secure the “grouping” or combinations of suppliers to satisfy the given conditions or outcomes needed for our operations?
The second issue, and a much more immediate problem, is that often in tiered supply chains there are suppliers who don’t necessarily want you to know who their suppliers are, probably from a fear of being “cut out” of the deal perhaps. You may be able to demand visibility on this but it is not guaranteed. So now you have a 3, 4 or even more tier deep supply chain only a percentage of which you have any visibility of. A risk management nightmare.
Having a good understanding of the nature, extent and structure of your supply chain is a key step in building resilience.
I took a risk and asked infosec Twitter what they thought about supply chain risk.
Glenn Pegden (@GlennPegden) raised an interesting point,
“Most people hear “supply chain” and think “bought-in tools and services”, but code dependency is arguably a bigger risk with far less visibility (as anyone who worked on log4j will tell you!)”.
Jenny (@ha1fling) added,
“Devs don’t reinvent the wheel, we use code libraries and frameworks and while many are maintained and patched, many are not. Any external code should be vetted and documented periodically”.
They both make excellent points. It isn’t just about the companies and the goods and services in the supply chain but also looking at the code being used and how, if at all, that is maintained. This makes visibility, true visibility, even more challenging and resource heavy for clients.
So we definitely have a visibility and understanding gap when it comes to the nature, extent and structure of our supply chains.
Scanning the supply chain horizon
This is a difficult task. Taking Covid as the obvious example, companies that had the virus on their radar long before March 2020 had a headstart in pre-empting issues with their supply chains. Resilience is just your ability to respond to something (usually something negative) therefore the more time you have to plan that response, the more likely it is to be better and more robust.
Another great example comes from the environmental space right now. The IMO (International Maritime Organisation) as part of their energy efficiency and decarbonisation program have introduced rules that mandate new ships must be much more energy efficient. This is something that should, on a business level, be on people’s radars because inevitably this will mean an increase in the costs of shipping – something that may well impact parts of your supply chain. Again, something that is on the horizon and can be planned for before it manifests an impact on our business.
In some ways, we had some warning for the pandemic and we have advanced warning of the environmental changes being introduced. It is therefore actually easier to predict the supply chain issues that would flow from them to a greater or lesser extent. Cyber security is far harder though. Some of the attacks from the last 2 years have highlighted that for us all!
We can and should be looking at trends and levels of vulnerability and resilience from a security perspective in our supply chains. Colin Topping commented:
“Threat actors are increasingly targeting the supply chain to either use the client/ supplier trust to compromise their intended victim by proxy (Solarwinds) or as collateral damage (NotPetya)” .
So you could argue that in some ways we are aware that the risks exist, we’ve seen the damage that can be yielded and we have discussed at length as a community the lessons to be realised from these attacks.
Over the last few years it has proven to be a serious security risk we have all been forced to respect and not ignore.
What does resilience look like?
As I said previously, resilience can be reduced down to “what is my ability to respond to this event?”. Due diligence, strategies, crisis management plans, playbooks and exercising are all part of this. I’ve actually run exercises where companies have had their suppliers join in and take part. This can be a great idea to build resilience at both ends of the relationship if you get this chance.
One other thing that we also need to consider that plays heavily into the concept of resilience, is examining what degree of visibility we have, if any, of the amount of so called “slack capacity” of our key suppliers. This is often something I see when the cards are down. Companies aren’t necessarily even aware of what sort of support they are entitled to, or what options there would be for a “plan B” either at client level or provided by the supplier themselves. “Slack capacity” is a key concept to understand regardless of who the supplier is.
If we look at the baby formula crisis in the USA as an easy example. If there are only a few companies or factories that manufacture and supply baby formula and one of those is out of action for whatever reason that suddenly removes a lot of capacity from the system as a whole. Hence why it has been a hallmark of good management to build in slack capacity – in this case stockpiling of formula – to compensate for any downtime that may impact the supply of goods or services. So understanding what, if any stockpiling, those factories were doing is a key piece of information for us to properly assess the level of resilience (and response) to a disruptive event.
If something goes wrong at any point at any tier of your supply chain is there any “slack capacity” to ride out the disruption caused by say a ransomware attack? Or will it cause immediate and severe disruption? These are important resilience questions to ask.
What questions should I be asking about my supply chain?
So some practical advice now. Here are a few simple starting questions that you should be able to answer or retrieve the answers for easily.
- Where do we get what we need to do the business functions we do?
- How do we get those goods or services?
- What could go wrong or disrupt this?
- What would mild to severe disruption to these companies mean for our business?
- How can we get around this disruption?
Once you have these questions answered and clear in your mind we can look at some resilience specific questions:
- Do we have multiple ways of getting the goods or services we need?
- If these suppliers get attacked or suffer disruption how will this impact our revenue and how quickly will we see this impact manifest?
- If there is no alternative supplier we can use what would be our contingency plan for getting the goods or services we need? How long would this take to spin up?
Supply chain solutions. Is there one?
So are we seeing the start of a supply chain management renaissance, a “rebirth” of sorts, or are we seeing a retrogression? What is the solution? Is there a solution?
I spoke to Professor Alan Woodward (@ProfWoodward) about this. He said,
“What is a surprise is a) how some operators don’t fully understand their supply chain and b) those who consolidate third party products seem to think that a contract putting the onus for security on the supplier is enough to protect them from attacks”. He added, “Supply chain security is like all other areas, it can never be 100% but it is a fact of life and those using third party products need to take steps to mitigate any failure further down the chain”.
He is right. We can’t fully manage risk if we can’t visualise or understand what we are managing. The dependencies in complex supply chains make this particularly hard but it is our responsibility to take action.
Nick Weber (@nw_C21) Managing Partner at Archer, made a great point on my Twitter thread, he remarked that we need to:
“work with the supply chain…… Onerous contracts or regulations can shrink the vendor pool, shrinking the adversary’s target list and increasing the impact of a compromised vendor”.
This is a great point and Colin Topping built on this by commenting
“If a supplier has to satisfy multiple regulatory controls or align with national and international standards that are broadly similar but different that becomes a complex thing for a global supplier to facilitate”.
Keeping things as simple as possible is usually a wise decision.
I think all is not lost. Investing time in properly understanding all the tiers of your supply chain and the security threats to them is time well spent. Work with your suppliers to build in security and resilience and don’t do things in isolation – share ideas and strategies with others. To cite my wise friend Colin Topping one final time “The mantra of keeping it simple is needed to ensure the complex and diverse world of supply chain risk management can be given a chance to succeed”.
Maybe not a renaissance but definitely not retrogression.
Huge thank you to Colin Topping, Professor Alan Woodward, Nick Webber, Jenny and Glenn Pegden for their thoughts on this.