Digitalization and Cyber Security
Commentators have made many promises that Digitalization – the conversion of work processes into digital flows, will improve visibility through supply chains, both within and between organisations. Much less has been said about the risks to supply chains. As more digital connectivity is implemented through supply chains, the higher is each organisation’s vulnerability to cyber-attacks.
Cyber Security has become a risk for supply chains. When an attack happens, it is the Supply Chains group that must manage the business disruptions, no matter who is responsible for cybersecurity within an organisation’s operations. All businesses within a supply chain are vulnerable, but the potential target for attack is not only the business, but those who may have access:
- Increasingly, smaller supplier businesses (SMEs) have become targets for attack, due to their potential lower level of cyber defence. The target is not the SME, but gaining access into larger companies in their supply chains.
- The willingness of companies to outsource functions and tasks increases cyber risks, due to third parties having a range of cyber security capabilities. Weaknesses may only be identified following a cyber security breach.
- The availability of software-as-a-service (SaaS) applications and the use of Cloud hosting has enabled people to work effectively from nearly anywhere. Remote work, with the transfer of corporate data between the business and portable device has increased cyber risk.
The potential threats associated with cyber-attacks are not confined to corporate IT hardware and software resources. There is an increased scope for attacks that target operational technology (OT), as more ‘Industry 4.0’ technologies – Industrial Internet of Things (IIoT), robotics and industrial automation are installed in inbound and outbound stores and warehouses. OT is also likely to include older equipment that uses proprietary software or old operating systems, that could contain weaker security access points.
Cyber security in a supply chain
By participating in a supply chain, where participants use computers and electronic communications, a business has the potential to connect with all Nodes and Links in each of its supply chains. And there is not a sequence of actions that will fully protect your organisation’s supply chains from a cyber-attack; therefore, cyber security in a supply chain is only as strong as the weakest link.
This requires that in your business, security of data flows is a priority activity, for which the Supply Chains group should be responsible. To identify possible data security risks, enhance your organisation’s Supply Chains Network Design Map by identifying the cyber risk at each Node and Link in (at least) the Core supply chains of the Network (between Tier 1 customer, your organisation and Tier 1 suppliers). Identify the location that an attack may target, the data under threat and the supply chain processes that an attack could potentially affect.
To strengthen your organisation’s data security, there is the potential to implement a ‘trust but verify’ approach when considering connections to your organisation’s computer network. This is similar to the interaction with banks that require ‘two factor authentication’ before allowing a customer into their network. Access can be restricted, on a ‘need to know’ basis, to registered suppliers, customers and staff who are working remotely. In addition, there are possible actions by Procurement and Operations Technology (OT).
Procurement:
- Suppliers are evaluated concerning their supply chains cyber security risk
- Suppliers align with a set of cybersecurity standards and certifications
- Cyber security expectations are noted in contracts to provide assurance that suppliers are managing their supply chain cyber security risks
Operations Technology
- Confirmation from a chip within a device to provide a digital signature attached to the transaction data, identifying location and time
- Test supply chain software updates, as hackers can install malware in software from trusted suppliers
Security and the structure of supply chains
Cyber security has risks and costs. Actions to improve data security carry risks if not implemented and costs if they are. But doing nothing also carries risks, because cyber security risks are here to stay. And these risks are now influencing decisions concerning the structure of supply chains.
Some companies are considering a geopolitical decoupling or regional segmentation of their supply chains to reduce exposure to geopolitical events and cyber attacks that can affect a business which operates across borders. In a more decentralised environment, there is not a single point of failure that can disrupt a network system. The objective is to make long and therefore more unpredictable global supply chains more flexible by moving complexity closer to the place of sale. This change has been called Region Supply Chains, Structural Segmentation and Geopolitical Resilience.
Within this structure of region supply chains (located within a geography or country), there will be less complexity if production is mainly destined for the region. So, in this situation, Operations Planning is more likely to conduct Sales & Operations Planning (S&OP) using cloud based ‘software as a service’ applications at each factory in the region or the country DC for imported products. This can be easier to implement and manage than a large and complex centralised planning system.
For Sales & Operations Planning, input data is not required in ‘real-time’, therefore no links to external data sources. The preferred option for presenting SKU data is as a probability range between optimistic to pessimistic. For S&OP purposes, SKU data is consolidated into ‘families’ that are made on the same production equipment or handled and stored under the same conditions. Data is presented in a standardised measure, such as tonnes, litres, square metres etc. Importantly, consideration of the data for S&OP does not commence until after the planning ‘freeze’ period and continues out to the time required for an increase in capacity.
The objective of S&OP is to reach a consensus position about the future for supplying the region. The focus is therefore on process and workflow, to make it easier for people to reach conclusions that can be converted into a Master Schedule for scheduling production and an ‘available-to-promise’ application to inform customers of the forward availability situation.
A recent article considered that traditional S&OP is outdated, because it is a monthly and manual process. But, a more frequent and automated process does not improve outcomes, as it injects nervousness into a complex, adaptable (and non-linear) system of supply chains. For region supply chains, S&OP is an opportunity to develop collaboration between teams from different functions, because success in planning rarely can be attributed to a technology implementation.
One Comment on “Supply Chains group, Networks and Cyber Security”
Excellent insights on the intersection of supply chains and cybersecurity! A must-read for understanding network vulnerabilities and protection strategies.