How Distribution Companies Can Build Resilience Up And Down The Supply Chain
Let’s cut to the chase and start this article by immediately addressing an issue in the distribution sector: supply chains are often vulnerable to cybersecurity issues.
Why? Well, there are a number of factors at play, and it would seem that many IT leaders in the industry agree that there is a problem. In fact, only 21% believe that their supply chain network is secure (Gartner).
Also, according to a survey report of 2,200 IT decision-makers, 84% of leaders believe that software supply chain attacks could be one of the biggest cyber-threats from now until 2024 (Crowdstrike 2021 Global Security Attitude Survey).
So, from complexity to legacy systems, let us investigate some of the complications.
Understanding the Issues
Supply Chain Complexity
The key thing to understand in the distribution industry is its complex and integral relationship with other sectors, including manufacturing, construction, logistics, and retail.
If a supplier experiences a security attack (or even an issue with inventory and staffing), then distribution companies are impacted. Additionally, if a distribution organisation suffers a breach, then everyone along the chain is affected, from supplier to end-client.
This complexity creates a risk, as more often than not, multiple parties are integrated and given access to the supply chain’s network, information systems, and software.
Essentially, your cyber-posture isn’t only influenced by how you access and use your systems, but by how other companies do too. Your internal strategy and practices could be close to perfect, but this may not be true for external businesses and lower-tier suppliers.
Legacy Systems
If you work in the distribution industry, you may be aware that it is famed for its dependence on legacy systems and infrastructure. If you weren’t aware, well, we are sorry to break the news.
Why are legacy hardware and software an issue?
Poor integration with modern solutions and limited ability to receive software updates.
Ongoing maintenance can be pricier than investing in new IT equipment.
Unproductive and outdated software that frustrates employees and doesn’t keep up with compliance.
Security that gets weaker and weaker each year, becoming incompatible with vendors and software updates.
To home in on that last point, thousands of cyber-crime victims will testify that legacy systems are extremely vulnerable to attacks and data breaches. Systems that no longer receive updates or support from vendors are particularly at risk.
Every vendor has a lifecycle policy, designed so that organisations can align their refresh roadmaps to it across a number of years. VMware, for example, announces its end of general support milestone first, followed by end of technical guidance, and lastly end of availability/distribution.
Not following a solution lifecycle roadmap increases the areas open to cyber-attack and limits the ability to manage threats in a controlled and effective manner. Given the nature of the industry, the day-to-day operations of distribution organisations are paramount; being left with no option but to shut services down could have a detrimental effect.
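As an added example (not from the original article), the following Python check applies the three vendor milestones just described to a constructed asset inventory, so that an IT department can see which kit, internal or partner-operated, is already past support and which falls due within a planning horizon. Every product name, version, hostname, partner name and date here is hypothetical and is not real vendor lifecycle data; the milestone ordering is the only thing taken from the text.

```python
from dataclasses import dataclass
from datetime import date

# Milestones in the order the article gives for VMware: general support ends
# first, then technical guidance, then availability/distribution.
MILESTONES = ("end_general_support", "end_technical_guidance", "end_availability")

# Hypothetical lifecycle table keyed by (product, version). Products and
# dates are constructed for this example, not real vendor data.
LIFECYCLE = {
    ("vendor-a-hypervisor", "6.5"): {
        "end_general_support": date(2022, 10, 15),
        "end_technical_guidance": date(2023, 11, 15),
        "end_availability": date(2024, 11, 15),
    },
    ("vendor-a-hypervisor", "7.0"): {
        "end_general_support": date(2023, 10, 2),
        "end_technical_guidance": date(2025, 10, 2),
        "end_availability": date(2025, 10, 2),
    },
    ("vendor-a-hypervisor", "8.0"): {
        "end_general_support": date(2027, 4, 11),
        "end_technical_guidance": date(2029, 4, 11),
        "end_availability": date(2030, 4, 11),
    },
    ("vendor-b-router-os", "12.2"): {
        "end_general_support": date(2020, 1, 31),
        "end_technical_guidance": date(2021, 1, 31),
        "end_availability": date(2021, 1, 31),
    },
}


@dataclass
class Asset:
    hostname: str
    product: str
    version: str
    owner: str  # "internal", or the third party that operates the device


# Constructed inventory mixing internal kit with a partner-operated device.
INVENTORY = [
    Asset("core-esx-01", "vendor-a-hypervisor", "6.5", "internal"),
    Asset("core-esx-02", "vendor-a-hypervisor", "8.0", "internal"),
    Asset("dc-esx-03", "vendor-a-hypervisor", "7.0", "internal"),
    Asset("partner-edge-rtr", "vendor-b-router-os", "12.2", "Acme Logistics (3rd party)"),
    Asset("wms-app-01", "vendor-c-wms", "4.1", "internal"),  # no lifecycle data
]

EXAMPLE_TODAY = date(2023, 6, 1)  # fixed so the example is reproducible


def lifecycle_stage(asset, today):
    """Return (stage, days_to_next_milestone).

    stage is 'unknown' when the table has no entry, 'supported' when no
    milestone has passed, otherwise 'past_<last milestone passed>'.
    days_to_next_milestone is None once every milestone has passed.
    """
    dates = LIFECYCLE.get((asset.product, asset.version))
    if dates is None:
        return "unknown", None
    stage, next_days = "supported", None
    for milestone in MILESTONES:
        if today >= dates[milestone]:
            stage = "past_" + milestone[len("end_"):]
        else:
            next_days = (dates[milestone] - today).days
            break
    return stage, next_days


def review_inventory(inventory, today, horizon_days=365):
    """Classify each asset and recommend an action for the refresh roadmap."""
    report = []
    for asset in inventory:
        stage, next_days = lifecycle_stage(asset, today)
        if stage == "unknown":
            action = "obtain lifecycle data"
        elif stage.startswith("past_"):
            action = "refresh now"
        elif next_days is not None and next_days <= horizon_days:
            action = "plan refresh"
        else:
            action = "ok"
        report.append({"hostname": asset.hostname, "owner": asset.owner,
                       "stage": stage, "days_to_next_milestone": next_days,
                       "action": action})
    return report


def refresh_now_by_owner(report):
    """Count assets needing immediate refresh per owner, so that third-party
    exposure shows up next to your own."""
    counts = {}
    for row in report:
        if row["action"] == "refresh now":
            counts[row["owner"]] = counts.get(row["owner"], 0) + 1
    return counts


def run_example(today=EXAMPLE_TODAY):
    return review_inventory(INVENTORY, today)


if __name__ == "__main__":
    for row in run_example():
        print(row)
    print(refresh_now_by_owner(run_example()))
```

The same check covers Step 2 of the Solutions section: run it against the real inventory with the vendor's published dates and the "plan refresh" rows become the refresh roadmap, while the per-owner counts give you a concrete question to raise with each partner.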
Of course, you may be one of the lucky IT departments that has invested in overhauling its systems. A wise move that, at the very least, improves your internal productivity and security.
But, as we have mentioned, supply chains involve numerous parties. How can you be sure third-party suppliers and organisations have IT systems that are up to spec?
Ultimately, IT departments need both to review their own hardware and software and to consider whether other companies in the chain are using modern, updated systems. Effective screening, due diligence, processes, and policies are the foundation for any organisation integrating with third parties.
Most companies integrate with others using connectivity methods such as VPN tunnels or point-to-point WAN links. Understanding and controlling where third parties can reach within your network is essential to a resilient segmentation approach. Ensure access requirements and requests are documented and pass through a formal review process before security engineers implement them. Continuously monitor and review what access is in place and whether it is still essential. Limiting lateral movement is a key element of managing risk during a successful breach: an attacker may have access, but if that access is limited to a small number of services, this ultimately determines the severity and impact of the breach and could save organisations millions of pounds.
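As an added example (not code from the original article), here is a Python review of a third-party access register that applies the controls just listed: every grant must carry a recorded approval, must not be open to "any" service or port, must come from a tightly scoped source range, and must have been re-reviewed within a set interval. It also reports how many internal services each partner can reach, which is the lateral-movement picture the paragraph describes. The register, partner names, ticket numbers and thresholds are all constructed for the example; the IP ranges are documentation-only addresses.

```python
import csv
import io
import ipaddress
from datetime import date

# Constructed register of third-party access grants (hypothetical partners,
# documentation-range IPs, made-up ticket numbers). Empty approver/ticket
# fields model access that was never put through formal review.
ACCESS_REGISTER = """\
partner,src_cidr,dst_service,dst_ports,approver,ticket,last_review
Acme Logistics,203.0.113.0/24,edi-gateway,443,j.smith,CHG-1042,2023-05-10
Acme Logistics,203.0.113.0/24,file-drop,22,j.smith,CHG-1042,2023-05-10
Globex Freight,198.51.100.0/16,any,any,,,2022-01-15
Initech Retail,192.0.2.8/32,api-gateway,443,a.jones,CHG-0991,2023-04-01
Initech Retail,192.0.2.8/32,wms-db,1433,,CHG-0991,2023-04-01
"""

REVIEW_INTERVAL_DAYS = 90        # how often a grant must be re-confirmed as essential
WIDEST_ACCEPTABLE_PREFIX = 24    # a /16 is wider than /24 and gets flagged
EXAMPLE_TODAY = date(2023, 6, 1)  # fixed so the example is reproducible


def load_register(text):
    return list(csv.DictReader(io.StringIO(text)))


def review_grant(row, today):
    """Return a list of findings for one access grant (empty means clean)."""
    findings = []
    if not row["approver"] or not row["ticket"]:
        findings.append("no formal approval recorded")
    if row["dst_service"] == "any" or row["dst_ports"] == "any":
        findings.append("destination scope is unrestricted")
    network = ipaddress.ip_network(row["src_cidr"], strict=False)
    if network.prefixlen < WIDEST_ACCEPTABLE_PREFIX:
        findings.append(
            f"source range {row['src_cidr']} is wider than /{WIDEST_ACCEPTABLE_PREFIX}")
    age = (today - date.fromisoformat(row["last_review"])).days
    if age > REVIEW_INTERVAL_DAYS:
        findings.append(f"last reviewed {age} days ago")
    return findings


def review_register(text, today):
    """Group findings by partner and record which services each partner can reach."""
    report = {}
    for row in load_register(text):
        entry = report.setdefault(row["partner"], {"services": set(), "findings": []})
        entry["services"].add(row["dst_service"])
        for finding in review_grant(row, today):
            entry["findings"].append(f"{row['dst_service']}: {finding}")
    return report


def blast_radius(report):
    """Services reachable per partner, i.e. how far someone holding that
    partner's access could move. An 'any' grant makes the radius unbounded."""
    return {partner: ("unbounded" if "any" in entry["services"] else len(entry["services"]))
            for partner, entry in report.items()}


def run_example(today=EXAMPLE_TODAY):
    return review_register(ACCESS_REGISTER, today)


if __name__ == "__main__":
    result = run_example()
    for partner, entry in result.items():
        print(partner, sorted(entry["services"]), entry["findings"])
    print(blast_radius(result))
```

Keeping the register in a form like this, with approver, ticket and last-review date per grant, is also what makes the "know who is accessing your network and why" visibility point in the Solutions section answerable rather than aspirational: the periodic review becomes a script run rather than an archaeology exercise.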
Case Study: The Colonial Pipeline
Located in Texas, the Colonial Pipeline is the largest refined oil pipeline in the US – carrying oil from Houston through to many US states, including New York. Around 45% of all fuel consumed on the East Coast comes from this critical pipeline.
In May of 2021, this supply chain fell victim to the US’ largest cyber-attack on key infrastructure. The hackers first stole 100 gigabytes of data, and then moved on to infect the entire IT network infrastructure with ransomware.
In order to prevent the spread, the supply chain was shut down, effectively cutting off the entire East Coast from oil products. This again demonstrates the impact of poor solution lifecycle management and network segmentation.
What was the root cause of this cyber-attack? Well, in what many would have thought would be a highly secure network, the issue simply turned out to be an employee using the same password across multiple access points.
This goes to show, one weak element can expose and shut down an entire supply chain.
The Solutions
We now understand the main issues.
Your company, or a 3rd party, may be vulnerable, and supply chain attacks will target the weakest and least secure element of the chain.
Due to a variety of reasons, such as pandemics and trade wars, many companies are used to strategising ways to build their supply chain resilience. So, what can distribution companies do to build resilience in regard to IT security?
Step 1 is to develop a strategy based on the premise that you will, eventually, be attacked. It may sound doom and gloom, but it's better to prepare this way. You must consider your current IT security posture, as well as what you would need to do to mitigate any damage if an attack gets through your (or another company's) defences.
Additionally, it's about considering your entire environment. Every person. Every connection. Every access point.
Visibility is essential. You need to understand your environment and processes and critically review them against a zero trust policy. Again, the premise is that human error or a breach will happen, so you must know who is accessing your network and why.
If there are multiple parties and partners along the supply chain, you need water-tight segmentation of your network to limit damage or delays that an issue may cause.
Step 2 is to review your software and hardware inventory and consider upgrading any legacy systems and solutions.
Fundamentally, legacy kit has a life span. Without upgrades, you not only fall behind the competition and lose capability, but you also run the risk of a security posture that weakens year on year, creating a longer refresh project timeline and ultimately higher commercial costs to rectify the situation.
This may require significant investment; however, there is potential to greatly increase productivity, to make long-term savings by avoiding breaches or supply chain halts, and to reduce the investment in training staff to deal with legacy vulnerabilities. Use this opportunity to upskill, modernise, and digitally transform your business with the latest cutting-edge technology.
Step 3 is to go beyond your technology and look at the people and processes within your department or company. In many cases, such as the aforementioned Colonial Pipeline incident, the root of a cyber-attack is human error. A simple step, such as a consultancy session to review your estate or a rule not to repeat passwords, can go a long way.
Step 4 is to communicate with all elements of the supply chain, from factories to external agencies. There may be difficulties here, but in the end, you need to be confident and secure that all members of the supply chain are adopting professional practices, updating their software, and upgrading their legacy systems.
On this point, there are many options organisations can consider. IT departments across the supply chain can collaborate on cyber-security. Additionally, any RFPs or contract agreements can include a defined level of IT security requirements.
With smaller suppliers or firms, a security team can even work with them to make sure any of their vulnerabilities or issues are addressed.