Uncover Cyber Security Risk Hidden in Your Supply Chain

June 1, 2023

Increasing cyber security risk threatens global operations, business reputation, and profits. Now you can uncover cyber security risk in your sub-tier supplier network before attacks happen. Everstream’s Ulf Venne, Center of Excellence Leader, and Mirko Woitzik, Director of Intelligence Solutions, share the latest trends related to cybersecurity, and a real-world example of a major organization proactively getting ahead of cyber risk.  

Watch our 30-minute webinar on demand to learn more, including:  

  • Latest industry-specific cybersecurity trends and threats  
  • Impact of hidden cyber vulnerabilities on operations   
  • How to uncover sub-tier network cyber risk and what to do about it 

See how you can protect revenue and reputation with proactive cyber risk management.  

Presenters

Mirko Woitzik, Director, Intelligence Solutions

Ulf Venne, Leader Center of Excellence

Lauren McKinley: 

Hello everyone and welcome to today’s webinar: Uncovering Cybersecurity Risk Hidden Deep in Your Supply Chain, presented by Everstream Analytics. 

My name is Lauren. Today, I’m joined by my colleagues Ulf and Mirko who will be leading today’s session. Today, we will be covering a few topics including the global impact of cyber threats, industry trends and geopolitical implications, how to uncover and address cybersecurity vulnerabilities and identify threats in your supply chain, and then we will briefly cover a case study around uncovering cyber risk with a key aluminum supplier. And with that, I will turn it over to Ulf. 

Ulf Venne: 

Hello and welcome everyone from my side. So I want to introduce the session a little bit by talking about the rise of cyber risk. And we actually took the Allianz Risk Barometer as a staple here where top executives are getting asked how important specific risk topics are over time. So we see that in 2013, cyber risk was not even in the top 10 of most relevant risks. And over the years, you see a rapid increase, quickly going up to number two in 2018, and then it held this position for quite a while and then it even got number one, but then COVID hit and all of a sudden business interruptions and stability was getting more important. So it only ended up being number three for one year, but only one year afterwards, so really quickly, it again is now number one and that by a fair margin.

So as you can see, there’s a continuous rise of cyber risk and the interest. And for 2022 where it’s now number one, you see that business interruption is still a big topic. I mean COVID just ended and we still see a lot of interruptions happening. Natural catastrophe has got way lower in comparison and pandemic outbreak, which was last year, number one, is now going down dramatically again. So we will see a continuous rise of cyber incidents in general as a topic in supply chain management and that’s why we wanted to address it today. And we want to give you a few more details on what cyber risks really are and Mirko is going to do that who’s heading our Intelligence Solutions team.

Mirko Woitzik: 

Thank you all and good morning, afternoon everyone from my side as well. As Ulf mentioned, cyber-attacks are very diverse, can take many forms and impact supply chains in a different way, but one can roughly separate two types of failures that can enable cyber-attacks. The first one is IT system failures and the second one is more related to inadequate security cultures. For the first, we at Everstream Analytics are tracking three different types of cybersecurity incidents, which most often take advantage of failures in IT systems. And those include top of mind obviously ransomware attacks, which is a type of attack that takes advantage of either system, network, software, but also sometimes even human vulnerabilities to infect the victim’s device. One example that comes to mind immediately is obviously the WannaCry ransomware attack in 2017 that affected more than 50 organizations worldwide, including FedEx, Honda, TSMC and Nissan.

Second one is the denial-of-service attack, which is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable by overloading it with requests, a website for instance. And the third one that we’re tracking in this compartment is vulnerabilities. So these are weaknesses that can be exploited by cyber criminals to gain unauthorized access to computer systems. Many vulnerabilities, the most common ones are actually impacting software, popular software, but it can also affect hardware such as, for instance, medical devices. Here recently, the FBI had warned of hundreds of vulnerabilities in widely used, for example, medical devices that have even left the door open for attacks and can really endanger patient health, so mission critical topic for med tech manufacturers.

And the second most common source of failure and even more important than the system one involves human behavior. So up to 95% of all breaches can be attributed to the human factor and less so in a sense of an actual error, but more so related to inadequate security culture or security awareness, and by consequence, the exploitation, easy exploitation of human behavior and good will. Obviously emails come to mind here, they remain the main attack vector for exploiting human behavior and what is called social engineering. Obviously in the past two and a half years, even more so, we’ve seen organizations that are facing now obviously the growing reality of permanent work-from-home situations, being exposed to remote work and IT equipment that only increases the exposure to potential cyber-attacks in particular for, for example, phishing attacks.

Switching gears a little bit, we want to look at some of the top trends for cyber-attacks in 2022, as Ulf mentioned in the introduction. And our proprietary data has revealed that almost 50% of all attacks have actually affected three different sectors only, which were in 2022 up until this point, the electronics sector including both industrial and consumer electronics, the manufacturing sector as well as the logistics sector. Especially the electronics industry, it’s interesting because them having the top spot is hardly surprising if you think about the growing importance for electronics and all kinds of manufacturing devices and then also how much the industry has benefited from the turmoil in supply chains ever since the outbreak of the pandemic. Similarly to the logistics industry, both have posted record profits in the last two and a half years and thus obviously making them attractive targets for cyber-attacks.

In terms of the most common places for attacks, we have identified the US and Germany as major economies, but similarly on the Asian continent, there have been frequent attacks in Japan and Taiwan as well as we are tracking them over the year with the most common form continuing to be ransomware attacks closely followed by data breaches that companies are reporting. 

If you can go back, just to wrap up the slide. So one interesting fact here, of all ransomware attacks, if you just consider ransomware attacks which are the most likely to lead to operational disruption, 38% actually have led to production or operational downtimes at companies or suppliers this year alone, particularly in the manufacturing, the automotive, but also the petrochemicals industries. These three industries were the most impacted by really complete shutdowns of plants and factories. And once those systems were shut down, it took companies on average three to five days before operations were back to normal, but in many cases, that took much longer.

To give some examples of major attacks that happened throughout the year, we’ve prepared this map here where you can see the scale of cyber-attacks with the dark blue indicating more frequent attacks and the light blue, less frequent attacks, and really preparing the map here to convey the sheer scale of global cybersecurity breaches. As visible, you can see here almost all parts of the world have experienced some form of cyber supply chain disruption, spanning multiple industries from consumer electronics to semiconductor, to pharma, to logistics and food making industries.

Most recently, there has been a large attack on a copper producer from Germany, Aurubis AG, that suffered a ransomware attack about three weeks ago or four weeks ago that forced it to shut down all systems early this year. We’ve also seen Foxconn, one of the major suppliers for iPhones to Apple, that had to shut down one of its plants in Mexico that is producing other consumer electronics but also medical devices. And to give just one example of a big logistics company that has suffered a huge ransomware attack or a huge cyber-attack this year was Expeditors International in the US that it took more than one month to fully control and bring operations back to normal.

Now, just expanding a little bit on the industries impacted. If we can just go to the next slide. I mentioned already logistics that has been one of the key industries being affected, but if we look at other sub-industry sectors that have been the frequent target this year, that includes industrial electronics as well as oil and gas. If we think about industrial electronics, this can certainly be attributed to heightened tensions over Taiwan, between China and the US as we’ve seen play out in terms of geopolitical tensions in August. Most recently, Taiwan being home to many electronic component makers, and as we’ve mentioned earlier, has also been one of the most attacked countries this year. So taking all these different factors together or data points together, it is hardly surprising. 

On the other hand, if you think about oil and gas, they’ve also been a frequent target this year, very likely due to the heightened energy prices and record profits that major oil and gas players have been posting this year. Again, making them attractive targets for hackers, given also the increased leverage there. We still see energy shortages, particularly in Europe, which obviously is a situation that can be exploited. And with this, I’ll hand it back over to Ulf who will take us through some continuity plans that organizations can adopt in case of an attack on either their systems or their supplier systems.

Ulf Venne: 

Thank you so much, Mirko. So we want to now take the opportunity to talk a little bit about what can you do once you are impacted. Often it starts with a supplier warning that either your supplier or your customer is impacted. That’s maybe the first thing to notice. We often, right now as organizations, really focus on suppliers and your own chain, but the customer actually also could be a potential target and then it ripples through into your supply chain. So at one point, we also need to start monitoring them. So once a cyber-attack is happening in your entire value chain, it’s important to really stop online communication. So you need to find an alternative way to talk to your supplier and/or customer. Most often, that will be via phone to understand the root cause of the cyber breach. Because if it’s caused by a human, then maybe it is not as dangerous as if it’s an IT system failure where you might actually be able to suffer the same consequences.

So once you have understood this and you know if you can continue your online communication or not, you need to understand if there’s any impact to production. Because if, for example, the ERP is frozen, they cannot get out goods, they cannot produce further, that’s a big issue. So the impact is very important and you have to understand that on a material basis because otherwise it’s very hard to manage. So, material criticality is very important to understand to just kickstart the right actions, to understand if you can produce it on your own, if you can find an alternative source and so on and so forth. So if you do not have any means to find an alternative source, there might be a potential to just continue production without it and add it in later or you just shift production. All of that is better than not producing at all. 

So all of this is, I would say, very classical risk management activities, except that, for cyber, the stop of the online communication is very key. But then comes your opportunity, which is very unique and that is talking about what happened and why it happened because whatever happened, there’s an ability to make it better in the future. So creating awareness is really key when it comes to cyber because a lot of cyber criminals are organized and customers currently... So companies in general, I mean, currently do not organize around awareness campaigns. So what we see as a best practice is that once something happened within the supplier or customer base that the entire, anonymously, the entire supplier and customer base is getting informed, maybe via an information portal.

Sometimes we also see press releases if it’s the own company to create awareness, because if one company in one sector’s impacted, it might very likely be that there’s a ripple effect throughout the greater value chain. And then obviously it’s very important to then once there was a detailed impact, it’s important to continue create awareness, especially with the suppliers where something happened through making it part of your quarterly business reviews. 

So if we continue, now that we have talked a little bit about what can we do once a cyber-attack is happening and what could be some of the things we do afterwards, how can we avoid that? And avoiding, it starts a lot with visibility. So first, what you have to do is you map your network, then looking at your suppliers, maybe also your sub-tier suppliers and try to identify endemic risks by not having enough IT security protection when it comes to awareness creation with employees or with IT system landscape. And then obviously once all of that is done, you have to take action. And again, take action can be what we just discussed, which is immediate action after an impact, but also it can be a lot about creating awareness. 

So if we go to the next slide. The fundamental basis is mapping your network and also going into this sub-tier. So a lot of customers don’t want to go the way of trying to identify the sub-tier suppliers via surveys, but because of compliance reasons and also the cyber-attacks that might ripple through your sub-tiers to you, people are getting more and more interested in understanding the sub-tier network. So what we do is we use AI to solve that problem and help you understand your sub-tier relationships in an automated way and give you quick access to that data on a material and location basis, which makes it really relevant and helps you to understand on a very detailed level what your exposure might be. And the exposure is an important part because once you have identified your extended network, with the help of AI for instance, you have to then go and start scoring it. 

And obviously only scoring for one risk is a little bit of a waste. But for instance, we work together with risk, we can also use other partners if you want to identify your cybersecurity risk. We can do that for all your tier 1 suppliers, but then we can also bring a lot of other risk scores to the mix. So we have overall 31 risk scores going from natural disasters all the way to social political or sustainability risks. We can add finance and cyber risk as you see here. And with that, you get a holistic view and incorporate seamlessly cyber as one of the many topics. If you identify a cluster of your suppliers that might have high cybersecurity risks, this is then where you might have to apply a deep dive on creating awareness and help them to improve because maybe your own organization might be stronger in cybersecurity than others because the maturity level is very diverse right now as it’s a very young topic in comparison to natural disasters.

So you can help others improve by creating awareness, by telling them what you do and that is something that you definitely should apply. So we’re always here to tell people cybersecurity is a lot about telling others what are good best practices, we are here to help, and the risk scoring is a good first indicator where you have to focus your activities on. 

So if we go to the next slide. As you can see, obviously even if you really try to understand the risk exposure, if you try to understand your sub-tier network, everything you do is very vital and it will help you reduce the amount of cyber incidents that will happen to your supply chain over time. But it’s probably very unlikely to totally avoid cyber risks in the future because they’re getting more and more prominent. So monitoring still pertains a vital element and we, through the team of Mirko, are monitoring cyber risks and we’re not doing it in a media monitoring way but really have humans that read through all cyber alerts, look for relevancy to supply chains and really bring it into the context that you need. 

And the AI human interaction, we use AI to identify cyber alerts and then we use humans to verify them is very vital to create the highest amount of relevancy for you. And with that, we can also bring the intelligence that Mirko just showed you earlier. So we have a global coverage and updated insights across all the industries and we really believe that can be a very high balance value for a lot of customers and our 300 customers already benefit from that today. 

If we go to the next slide. You can see one example how that can look like in the system. This one here is a nationwide alert, so that is a targeted cyber breach against a whole country and from a bigger organization a lot of cyber criminals are organized and this will then help you really with directly understanding in which area exactly it is happening. That helps you also to understand if your supplier might be impacted or not. Keep in mind that sometimes you will see cyber events that are happening in a very localized cluster because they might be able to infiltrate one tech campus from an electronics industry campus and then go and see several buildings and understand humans and behaviors in there and that helps them then also to attack not only one but several in the same location. And that’s why localizing and making sure you know exactly where it is happening helps you to draw a conclusion if somebody else in the area and the close vicinity might also be impacted. 

So if you go to the next slide. We now want to quickly talk about one of the case studies we have with our customers. So one of our big customers, an automotive OEM, was faced with the Norsk Hydro cyber-attack and he understood very early that one of his key suppliers for aluminum was impacted and will not be able to ship out goods for the foreseeable future, which ended up being more than a week.

As an automotive, you have to have a certain quality for your aluminum, they weren’t able to go to random places to buy it on the stock market, so they were trying to get as much automotive commodity as possible out of the market as quickly as possible. And the reaction helped them to avoid more than $1 million in additional costs because the price after Norsk Hydro got the cyber-attack, tremendously rose within one day, and hedging essentially two weeks of aluminum to bridge a gap was very important to them and they stopped communication at one point but also looked on a material basis for additional sources and then looked at the stock that was available, directly purchased it. And that’s how you do cyber supply chain risk management and we hope that’s for you also a good case study to understand how the previous example we talked about works. 

Okay. Now, we go over the questions, and Lauren, over to you. 

Lauren McKinley: 

Great. Thank you, Ulf, and thank you, Mirko, for the great content today.