Successfully tackling your Digital Supply Chain Risk

Thank you Warwick. Welcome to everyone in the room and everyone who is joining in online. And sometimes it is that when my events team asks me to do a presentation, think, okay, sounds, sounds nice. And then you, you start working on it and you see, Oh, I need to spend way more time on the slide than I expected. This is one of these slide x where, where it took me quite some time because I looked them up, definitions of digital supply chain and supply chain risks and stuff like that. And there's not that much out there.

So I, I started thinking about what, what we are talking about. And I think one of the important things, even what title says digital supply chain risk, it is that there are many different types of supply chains. And so digital grow us plays a role everywhere if you look at the software supply chain, but also when we look at goods because then the supply chain, the communication along the supply chain, et cetera, this is the other side of the coin. And so the first thing I I'd like to, to talk a bit about is there are many different supply chains.

So we have our traditional physical supply chain and all of this is a bit oversimplified to be very clear. So the reality is way more complex than, than what I have on my slides.

And this, this is about, I have parts and raw materials that become product by a manufacturer. So, and on the next slide I'll talk about multi-tier supply chains. So many suppliers to manufacture, and this is sold to goods and this is the way this, this physical thing is, is going on today. A lot of these, these things are not just traditional physical goods anymore, but we have a software supply chain within that physical supply chain. So when you, when you take a vehicle, then large components are provided by suppliers that already integrate software.

So you have a sort of a risk that comes through getting software from a supplier and you have the, the sort of the traditional supply chain risk. And we all have learned in the past three years that disruption of supply chains, be it through pandemic or ships that block the Swiss canal or war or attacks software that manages the supply chain can cause really massive damage. So we need to look at it also the software that manages the supply chain.

There's an interesting story which I heard from some relatively sort of, I would say trust versus sources that, for instance, part of the pirate attacks on ships that happened a couple of years ago were factually also sort of enabled by rent hacker where the pirates rented hackers to learn about where the ships will be. So again, supply chains, digital supply chains and the risk behind that. So we can continue this, we have to, as I've said, the logistics for the physical supply chain, which involves IT systems and point of sales systems.

And I think also we had some, some rents where attacks on some retailers and point of sales didn't work or sometimes it's more down to earth, well not managed certificates on payment cards, stuff like that, the digital services supply chain. So we get a digital service, which appears to US software as a service which runs on the infrastructure as a service and build some on platform as a service component of others.

So again, a supply chain with multiple suppliers for each of the SaaS services we are consuming and where we, which we might again consume in our digital service, which we might integrate in our digital services. And the same is when we, when we look at data, data as flowing, we have good old, EDI is not really really modern, but data means when data flows, we have connectivity. When we have connectivity, golden rule or once you're connected, you're under attack. So once we, we connect things, there is a risk.

We have our software supply chains, open source software with OEM modules, commercial of the shelf software, etc. We integrate into other software products.

We, we run the IT infrastructure and we have also people supply chain. So people come in and can cost damage or take knowledge with them. So there are many differents of that and I think this is something where we should be really aware of that.

There's, it's, it's not, not a single challenge, but it's a, it are multiple types of supply chain risks and they are in some way all linked together. So trust solving, for instance, the software supply chain risk will not address everything because as I've said, when you look at physical goods, et cetera, then you already have a problem here. So you can't address the singular measures that just go for one of the things.

And I believe usually when it's about complexity, the best thing is to first understand a bit bigger picture and then break it into pieces again and understand which pieces you can you solve with the same types of measures. So which help where and then work in smaller projects. So slicing the elephant but understanding it's an elephant. So this is I think the first thing you need to do. And you need to pay attention to all of these layers or many of those layers depending on the type of industry you're in. That may differ a bit, but it's something to do.

The other point, which I believe is very important is that we need to think about it be or think beyond the first tier of suppliers. So it's not just the suppliers we have directly. And when we look at software, it's popping up a bit in this SBO m subject. So the software bill of materials, trying to understand what which components are in that.

But again, it's important to understand we have these complexities everywhere and this is again, really massively oversimplifying because it's not that we just have one supplier for raw materials, but we have many and we have multiple parts. So parts can be get packaged into, into components, components into other components, et cetera. So there might be tens of thousands of suppliers involved in the supply chain. If you go to an C such as Airbus or so in the aerospace industry, they have really huge, huge numbers of suppliers and very complex supply chains.

And when it's about defense for instance, then they need to understand, they need to know everything about it. When, when software is integrated, it gets even worse because then you have the physical world and then you have software latest in the component. And software again is something which is combined out of different components. So you have a lot of libraries you're using, you have to own code that is created. You are using capabilities of past services like, like databases in the cloud and other services, which again build on on infrastructure as a service.

You code it, you have to DevOps of tools change, which is a preferred area of attack. So attacks against GitHub for instance are very interesting because you then can potentially put something in the codes, some malicious code in there and your digital service runs on an infrastructure as a service platform. So there are really many elements. And in many of our today goods, both worlds come together because you have to good the physical good and the digital service and you have to deal with the entire complexity as a whole.

And what what I believe is, is important is also that we, we need to be realistic on what can we do And what I want to propose a bit, I hope that's a good idea, is to, to think about three, three levels of how we can handle supply chain risk. And and what I, what I have here is, the one thing is the level of control. Level of control means you really have control. You get the events, you can process the events in yours, source system, you, you really have a technical control about systems. The second level is the level of governance.

That is where you get audit reports, where you, where you really get some, have some governance processes and governance and audits and other stuff implemented. And the, and dessert is the level of knowledge and the level of knowledge is broader. So level of control is focused on what you can, where you can really implement control and where you're allowed to do so. So you will not be able to implement the level of control for Azure. You have a certain level of governance for that because you, there are some public information, they provide you some public information, other stuff.

Level of knowledge would mean that you software bill of materials that you know which components are in the software you, you are using that would be a level of knowledge where you don't have a full governance of how good are the various whatever open source software, other library development and, and, and software testing and assurance models. But that is I think a way to think about it and to think about how can we, where do we need really control? Where do we need governance and ensure that we at least know who is in the supply chain and providing what.

And as I've said in in the software space with the SBO or software bill of material stuff, something is going on. When I look at the supply chain risks and, and get a bit more concrete, then we have, we can map to these supply chain types. I introduced two slides like oh we can map the main supply chain risks to that.

So, and these are, how can this impact physical supply chains? Something as I've said, we learned a lot about in the past three years, safety and security risks for physical goods. Was integrated software a major issue? So can software cause problems, breaks of a connected vehicle? Sort of the common scenario. But there are many, many more. So also if you take standard machinery today and when you talk with someone from ot, from the operational technology space and you start talking about security, the first thing will say we care about safety, not about security.

In fact, they need to care about both of them usually care about both today. But understanding there's a safety and a security aspect is very important because security can impact safety. So safety is machine explodes and we also have this huge risk surely about spreading vulnerabilities. So this is a discussion, you know, sometimes then the discussion is, oh yes, we we need to sort of group our suppliers according to the risk. The problem is some of these risks are sort of ubiquitous across all suppliers.

So, so the fact that whatever malicious software, malware attacks triple in through a supplier, that can be every supplier. Maybe the risk is even higher from small suppliers with relatively weak it than it is from large suppliers which have a lot of security measures in. And so grouping is not as easy as we may expect here. So I don't want to read through that entire list of capabilities, but there are different things that can happen. It are quite, quite a number of different sort of risks we need to look at.

And so this again goes back to this entire supply chain risk topic is more complex maybe than than that we may even when we, when we started working on that sync from the very beginning. What I try to do in the next, on the next slide, as I've said, all these slides will be available for download. So no need to to write down it as refrain from reading every, every single line here. Cause that might be done too boring. You also can look at for which supply chain type, which of these risks does apply.

So back here I I talked about risk like malicious users, human errors, lots of leakage, software bur software vulnerabilities, et cetera. And then you can can also look at and say, okay, which are things that, that apply everywhere. And I think at the end, the human factor very, very obviously is a problem everywhere. The human factor always will be a challenge. Malicious users, others are a bit more distributed. So physical attacks on the physical supply chain, I think that is also very clear. That's the other extreme.

And surely when you look at the people supply chain and we, we first talk about the malicious users, so these are, so to speak, the extremes. The other stuff is distributed.

This is, i I would say this is maybe a working tool for you if you want to use it. I don't say this is already the perfect solution. So this is something which where you might may disagree with the one or other check mark where you may want to add whatever, some more detail, et cetera.

But I, I believe it can help also when I look at it more from my, my advisory perspective. So when I do advisory then this is one of the things that can help structuring it and then saying, okay, where should we start with? So what is from the, the horizontal and the vertical areas, what is pillars? What is the most important area? Where should we start? Where should we invest? Because again, as I've said in, you can't do everything at the same time. And when you structure a bit, then it helps you to under to focus.

And focus is important because we are always limited in, in, in skills and capacity and money. So we, we need to focus our efforts and here's some perspective on that. So what are actions to take at the end? We need to be be prepared and we need organizational measures and we need technical measures and we need to understand the supply chain. What do we have as a supply chain? How does this look like? Which types of supply chains do we have? What is the risk and how can we technically secure it? And what are our counter measures? And they are, what I propose here, there are three, three levels.

Organizational, it's knowing, assessing, certifying, auditing. So know the suppliers, understand your supply chains, assess. That's again level of control, level of governance. Assess as far as possible what you can do. Look at certifications, which is a very important part of level of governance and or audit or in your own audits.

Again, this means looking at to which extent can you do what. So publicly available certifications like Azure 27,000 x are a good starting point, but you need to look at what has been certified exactly et cetera. Both organizational, technical, the system mix between this, this is enabling look at how can you work more securely, more safe, more securely with your, your suppliers. So how do we exchange information? What are the platforms you use for, for sharing knowledge, et cetera. How do you deal with the identities of the suppliers? All that stuff that is you need technical platforms.

And then you need technique side, more the cybersecurity side. Prepare, understand the tech surface, protect, detect, respond, recover. So this brings us to that standard list or more cycle. So I tend to use this seven step cycle, identify, prepare, and protect, detect, respond, recover, improve. Where I'm always say focus on recover, this is the most important thing because things will go wrong and you need to be able to recover quickly. So recovery is super, super important to that.

The others are equally also important, but recovery is sometimes a bit out of focus or not enough on in focus today. And yes, you need tools. I don't want to read all of them and they, there are way more, as I've said, you need processes, you need to find processes, you need to understand how your incident response works. You need to do business impact analysis and all these types of things. You need to have defined board reporting and you need the people. And this is not just management and not just IT security, it's everyone because everyone is involved in supply chain and cyber security.

So you need the people as well. And you need to align this, you need to work on this thoroughly. And this is from my perspective, what, what you should take into account when thinking about how can you tackle your digital and beyond supply chain risk. So how can you ensure that all the supply chains work and you aren't at least aren't hit too hard by things that go wrong. That's it for my, and I think I have left a little time for questions, so back to work. Are there any questions in the room? Come on Patrick. I I mentioned that you don't have a question.

Well while they're all stunned, quite a lot to digest to be honest, but great points there. One question we have here though is in the wake of the solar winds and other similar attacks, do you think organizations are taking the topic of digital supply chain seriously enough? I think we are seeing it being taken way more serious nowadays than it has been taken.

So we, we see definitely changes also driven by regulators. So as I've said, when you take this software bill of materials topic, which comes from the US government as a requirement in certain areas, then we see an evolution, we see an uptake here and, but we still have a long way, a long, long way to go and we need to work on standardization here as well because it's a nightmare today. If you're a supplier to whatever the 10 leading automotive lenders, then okay, it's a bit better maybe in that space or getting better.

But if you're a supplier to a lot of larger organizations, then you might have for each of these to fill out different forms, et cetera. And that doesn't help because it doesn't help in quality, it doesn't, it just causes workload and better standardize.

And we, I think we need to get much better. Some industries are relatively good, aerospace defense, truly. So the better side, others are definitely not yet there.

Okay, you are a question do well you're gonna eat into your presentation. Oh right. It'll be a quick one.

Martin, we need to describe the three layers of of, of how we apply this stuff. What strikes me is the fundamental is the lack of control of the supply chain services that we are consuming.

And, and, and I dunno how we can gain go through all of the processor, but if we don't, if we don't have control of those things, then surely we're always going to be, you know, on the back foot and at the, you know, at the achilles heel of supply chain security is the fact you don't control your own supply chain. Any thoughts on that?

Yeah, But, but you can't control the entire, so to speak, security of, of, of your cyber security, of your suppliers. I I think that at the end, governance helps in increasing or helps in that space.

When, when you know that your suppliers are obliged to do certain things and are doing certain things then and you can trust that. So by certifications, by good certifications, by in-depth certifications, then it helps for some area truly. Also having really industry platforms for collaboration, for sharing information cetera is a way to address this. Also to sometimes simplify the governance process by standardizing the governance process. And I think there definitely are also efforts needed within industries and beyond across industries to, as I've said, to, to standardize more, more of that.

But at the end there will be always a bit of a trust issue. We have, we need to trust someone that the audit certifications, the information provided is correct. And this is, I have to look at the time I'm stealing your time. Sorry.

Okay, let's stop here. Okay. Thank Very much.