Defining IT Supply Chain Risk for Manufacturers

By Christie Fisher, Vice President of Service Delivery, ZAG Technical Services

Last year, shutdowns in China affected American manufacturer’s ability to source raw materials and products. In the last month, shutdowns as a result of cyberattacks affected oil and gas delivery across the eastern U.S. and 25% of the meat supply chain in North America. For manufacturers, the supply chain contains myriad risks – and when not properly managed, technology may be at the core of it.

Some of this technology risk for manufacturers includes:

IoT devices. As manufacturing plants and companies rely more heavily on automated processes, connected equipment and processing systems are becoming prime targets for bad actors – especially because they are connected via the Internet of Things (IoT). These systems and devices, ranging from sensors to remote scan guns, control virtually every piece of the manufacturing or processing system, leaving many opportunities for gaps in security.

Increased phishing scams. Phishing and social engineering scams are becoming increasingly common. Criminals use malware-embedded files sent via email that can look convincing to users. When a user clicks on a link or downloads an attachment from these emails, criminals can take control of the computer’s operating system and gain access to critical company data. This can result in significant data breaches that can cost companies thousands of dollars and open them up to significant liability.

Ransomware. Ransomware is a type of malware that is loaded onto a system that locks the system from being used until a ransom us paid. The most common types of ransomware are designed to infiltrate an organization’s network and hold critical data for ransom. In industries where anything from warehouse inventory data to shipment tracking and temperature monitoring can damage products or interrupt the supply chain, cryptolocking (a form of ransomware) is especially dangerous to business continuity. Recovering from a cryptolocking attack can take anywhere from a few days to weeks or months at large-scale enterprises, which can have a detrimental effect on a distributor’s ability to deliver products across the supply chain – and can even put the entire business at risk.

Asking Questions to Assess Supply Chain Vendor Risk

After an organization begins to see the health of its technology as an integral part of the supply chain, it’s time to ask some crucial questions that can help identify potential risk. This may start with questions about its vendors, such as:

  • Who are my vendors? Identify who is involved and at what level.
  • Which vendors are critical? If you have a single-source supplier that has a single factory that produces what you need, this can be identified as a potential risk to the organization if that vendor cannot deliver on time.
  • How are vendors selected? In some markets, financial validation such as a credit report is required of businesses to be identified as a vendor, but rarely is IT looked at as a critical piece of the decision-making process. This needs to change.
  • Which vendors are peripheral? Identify the vendors who might be secondary to the operation and examine the level at which they’re used. Even if there are vendors that you work with only once a quarter or even once a year, their link to your company can make them a risk.
  • Do my vendors have a business continuity plan in place? At times, some vendors are in a “just in time” delivery model, which can place significant stress on the supply chain if that source is interrupted and there is no business continuity plan in place to help get them up and running in a timely manner. This should be a crucial factor in the discussion of vendor risk.
  • Do I have alternative vendors in place for critical supplies? We often talk about the idea of “it’s not if, but when” as it relates to a cyberattack. The nature of business and connectivity makes this a real threat, so part of supply chain risk assessment determines how long it will take your company to identify another source for supplies if a supplier goes down.

Once an assessment is conducted, additional considerations must be made alongside other departments to ensure the best possible outcome for the business, such as working with procurement to introduce vendor qualifications. All of this is part of the next phase in the process: supply chain risk management.

How to Address Supply Chain Risk Through Ongoing Management

Managing technology-related risk, identifying where inefficiencies lie, and executing a plan to keep the supply chain intact begins with examining the technology being used by a company AND its vendors.

The core components of this include:

  • Identifying the risk (a risk assessment is a good fit here).
  • Prioritizing supply chain partners based on business impact.
  • Collecting and assessing supply chain risk, implementing a rating system that can easily identify potential risk based on factors such as a single factory, “just-in-time” delivery practices, and more.
  • Establishing processes, procedures, and policies to work with vendors based on the information collected about the risk to your organization.

The manufacturing process is gaining in complexity, and technology is adding to it. Assessing an organization’s supply chain IT risk is the first step toward ensuring mitigation, business continuity, and eventually, making sure risk is properly managed.

About the Author:

Christie Fisher is the Vice President of Service Delivery for ZAG Technical Services, where she oversees the delivery of services and solutions to clients as part of the executive leadership team. Christie’s success at ZAG is rooted in her ability to set strategic initiatives for clients and call on her extensive technical experience in network and systems engineering.