Combating cyber crime needs to involve the entire supply chain

Mark Chillingworth, November 29, 2022
Better together - steel industry brings its supply chain together for cyber security protection

(Image: a metal chain with one gold link, by PIRO4D from Pixabay)

Difficult as the conversation may be, organizations need to talk about the cyber security threat they face. Back in the autumn, the UK’s National Cyber Security Centre (NCSC) advised the manufacturing sector to analyze and collaborate across its entire supply chain. 

Tata Steel UK took this advice to heart and hosted a conference that included technology, providers of worker services, logistics, materials suppliers and business lines. This event triggered open dialogue as a new collaborative approach to dealing with cyber security in the manufacturing sector is forged. 

According to the NCSC, just one in ten businesses review the risks their immediate suppliers pose to them. Ian McCormack, NCSC Deputy Director for Government Cyber Resilience, says:

With incidents on the rise, it is vital organizations work with their suppliers to identify supply chain risks and ensure appropriate security measures are in place.

The May attack on Colonial Pipeline, the US oil company, raised awareness of how the manufacturing supply chain is vulnerable to cyber security attacks. In the metals industry, Aurubis, a German manufacturer, was attacked on October 28th. The Hamburg-headquartered business said of the attack: 

This was apparently part of a larger attack on the metals and mining industry. As a result, numerous systems at Aurubis sites had to be shut down and disconnected from the internet as a preventive measure. Production could largely be maintained. 

Nigel Henderson, Head of Information Security and Enterprise Architecture at Tata Steel UK says of the new reality: 

Before events such as the Colonial Pipeline attack became headline news, cyber security attacks that hit the news headlines were largely ones that were in some way emotive, the WannaCry attack of 2017, for example, which hit the NHS.

That has changed now though, he says: 

There is a much wider acceptance in business now that this is part of a wider pattern; cyber security risk is a business risk like any other, and has to be treated that way.

That acceptance led Tata Steel UK to strike while the iron was hot and get its supply chain together and begin sharing ideas. Henderson says: 

There are likely groups in any supply chain who are actively working on this, and anything we can do to spread the learning and best practice is a benefit to all. It was nice to see how many people in our supply chain had something to offer.

He adds that the event revealed the manufacturing sector realizes it can be a target, whereas previously people thought targets were limited to organizations like major banks. Nick Reeks, Director IT at Tata Steel UK, adds: 

The sector is waking up to the risks, and we are seeing more of our customers ask questions about cyber security.

Better together 

Everyone at the Tata Steel UK event revealed how the complexity and scale of the cyber security threat mean closer working relationships are essential. Henderson says: 

The concept of the spotty teenager in the attic hacking in their spare time has not gone away, but the other dynamic is that some of those attacking you can key into extensive formal and non-formal networks; it is an entire ecosystem.

There is a complexity and, dare we say it, professionalism to these attackers that is leading to a broader understanding of how all parts of the organization have to be involved in protecting the business. Henderson says: 

It is being treated as a general business risk, not just IT’s problem, and that is an important shift.

Reeks, Director IT, adds: 

Everybody is becoming much more mature about the cyber piece. Y2K raised the profile of technology as a spectre, and cybercrime is now doing the same.

That maturing means business lines such as procurement are becoming cyber security aware, which Reeks says is vital: 

It was essential to us that procurement was involved, as they are getting questioned on this. So this helped shape the agenda of the event, as IT was an underlying topic, but the discussion was not about technology; it was a cross-functional piece.

Reeks adds that cyber security is a close cousin to the world of procurement. He says: 

The procurement team are well versed in risk, as they buy in materials from all around the world and have to know details about the veracity according to ethical and sustainability requirements. Cyber is another layer to this.

Advice and technology 

The NCSC has advised manufacturers in the UK to determine the minimum cyber security requirements that each supplier must adhere to, and to conduct due diligence on a supplier’s ability to meet cyber security controls. As manufacturing and supply chains become increasingly digitised and interconnected, the ‘openness’ this creates can lead to increased risk. Shay Levi, CTO of NoName, a security vendor, says: 

API attacks are becoming very popular. For manufacturing, they understand that the threat is increasing, and our research found that 70% of manufacturers only had a partial view of their API inventory, and only 10% were testing their APIs in real-time.

The same research found that 80% of organizations had experienced an API-based security issue. Levi adds:

Underestimation of the size of the API estate is very common.

As the threat landscape grows, CIOs and CISOs will need to follow the lead of Tata Steel UK and invite their supply chain to discuss a shared approach to protecting one another’s businesses. Reeks advises: 

We were not encouraging people to share things about what had gone wrong. It is still a world where sharing something is seen as a bit of a weakness. Also, make the agenda as wide as possible to interest a lot of people, which also shows how wide the surface area of threat is.

My take

No business is an island; whether forging steel, delivering digital services or trading goods and currencies, each and every organisation is dependent on a wide number of suppliers. 

Connecting each and every one of these suppliers is technology. A while back, Reeks drove me around the Tata Steel UK plant in Port Talbot, Wales; the site is in itself an ecosystem with a port, processing plants, logistics, steel mills, catering and back office functions, all connecting with one another via technology. 

Like the economy, that interconnection is only achieved through honesty and dialogue, so the relationships between suppliers, whether they be technology or iron ore, have to be closer in order to protect one another from the threats an interconnected and professional cyber-criminal sector presents. Hosting an event of the type Tata Steel UK put on is the first step.
