
Supply Chain Security: Defending the Cyberspace and Supply Networks

School of Business, Department of Information Systems. GIST 500: Principles of Information Systems. Dr. Kamal Agarwal. April 24, 2013

Ayodele Bakare, Nikote Etienne, Shantel McClendon, Elisha Vaillant

Table of Contents

I. Introduction
II. Literature Review
III. Methodology
IV. Analysis
V. Conclusion
VI. References
VII. Appendices

I. Introduction

Cyber-attacks are an ever-growing issue within the U.S. and cannot be ignored. More specifically, there is concern about attacks on the supply chain networks of government and major corporations. In an age where supply chain networks run exclusively through online portals, companies should be concerned with protecting the systems that ultimately get the product created and delivered to the customer. Developed technologies are allowing outside parties to penetrate the sophisticated networks currently used by companies. This paper delves into current supply chain networks and the cyber threats to which they can be exposed. Current laws and regulations that are in place to protect these systems will be explained in detail, as well as the history of attacks in the public and private sectors that have led to these regulations. Additionally, this paper will review how the private sector has contributed to cyber defense. Lastly, a recent cyber-attack on a Fortune 500 company will be studied as a case.

II. Literature Review

Nakashima, E., and Krebs, B. (2009). As Cyber-attacks Increase, U.S. Faces Shortage of Security Talent. Washington Post. This article delves into the concern over an increase in cyber-attacks and the shortage of talent to prevent or rectify a potential attack.

Business Pundit (2011). 10 Most Costly Cyber Attacks in History. Business Pundit. This article focuses on the costliest cyber-attacks in the private sector. It explains each of the attacks in detail and the outcome of the data breaches, including the monetary burden suffered.

CSIS Commission of Cyber Security (2012). Significant Cyber Attacks Since 2006. This document illustrates the most significant cyber-attacks that have impacted the US government over the last seven years.

CSIS Commission of Cyber Security (2008). Securing Cyberspace for the 44th Presidency: A Report of the CSIS Commission of Cyber Security. The CSIS examines existing plans and strategies to assess what a new administration should continue, what it should change, what new policies it should adopt, and what new authorities it should seek from Congress.

Garamone, J. (2013). Clapper Places Cyber at Top of Transnational Threat List. U.S. Department of Defense. The US Department of Defense showcases Director of National Intelligence James R. Clapper's testimony to the Senate Select Committee on Intelligence. He discussed how prevalent cyber defense has become with the increase in cyber-attacks over the last ten years.

Barnes, J. (2008). Pentagon Computer Networks Attacked: The cyber-strike on key sites is thought to be from inside Russia. Los Angeles Times. This article discusses US concern over possible cyber-attacks from China and Russia and this country's ability to protect itself from these threats.

III. Methodology

The research was gathered from official U.S. government agency and committee websites. Additionally, Howard University's library catalog contributed to our findings. We set aside at least three months to prepare for our data collection and our inquiries into how companies from the private and public sectors defend themselves in cyberspace and supply networks, and then prepared a thorough analysis of the collected data. In conducting our observational study we reviewed case studies. In a case study, a single phenomenon is studied and described.

IV. Analysis

Supply Chain Networks

With the rapid advancement of technology such as pervasive or ubiquitous wireless and internet networks, the basic supply chain is rapidly evolving into what is known as a supply chain network. Supply chains and supply networks both describe the flow and movement of materials and information, linking organizations together to serve the end customer. Supply chain networks are a collection of physical locations, transportation vehicles, and supporting systems through which the products and services that a firm manufactures are managed and ultimately delivered. A supply chain network shows the links between organizations and how information and materials flow between these links. The more detailed the supply chain network, the more complex the web-like network becomes. Supply chain networks have evolved to become critical structures in the production and dissemination of goods in today's modern economies. Since they involve manufacturers, distributors, retailers, and consumers, which are spatially dispersed, they must respond to the realities of world events, which, in the current age, are characterized by heightened risks and uncertainty. Companies develop supply chain networks to enable effective communication between their suppliers and customers. There are various networks involved in a supply chain; these networks include suppliers, distributors, and customers/end users.

Suppliers: These are companies or firms that supply a firm with its raw materials. Suppliers vary and may sit at different tiers. Companies maintain a database of supplier data to identify what they need, what needs to be supplied, when supplies need to be delivered and, importantly, price points and banking information.

Distributors: Supply chain firms maintain and deal with distributors who help distribute their raw materials, semi-finished goods, and finished goods. Data are transmitted from the manufacturers to the distributors using different ERP systems. Valuable information such as product specifications, weights, sizes, cost, delivery time frame, and destination, among others, is transmitted between these distributors and manufacturers.

Customers: Customers are very valuable to any organization, and communicating with them has always been a key process for all organizations. With the world becoming a virtual market, businesses now communicate with their customers via the internet, selling products, providing services, and getting customer feedback.

With supply chain networks becoming virtual and dealing with all aspects, various departments, and sources via the Internet, the security of a firm's infrastructure has never been more important. With companies now using ERP systems to communicate with their networks, it is important that they use a secure and well-protected enterprise system. Supply chain planning systems enable the firm to model its existing supply chain, generate demand forecasts for products, and develop optimal sourcing and manufacturing plans. Such systems help companies make better decisions, such as determining how much of a specific product to manufacture in a given time period; establishing inventory levels for raw materials, intermediate products, and finished goods; determining where to store finished goods; and identifying the transportation mode to use for product delivery (Laudon, 344). The importance of supply chain and enterprise systems working hand in hand cannot be underestimated.

Cyber Threat Categories

Cyber threats are relatively new within the US, and it is necessary that on a broad scope we are protected from these types of threats. Ten years ago no one could fathom cyberspace being a danger to the US. While these types of threats are new, the US did not initially take the necessary precautions to protect this country's computer networks. Foreign adversaries have been able to invade US cyber networks due to the inadequate protection measures in place. The systems penetrated included valuable information that was assumed to be under lock and key. In order to understand the development of cyberspace defense today, we must first explore the need for defense. According to James R. Clapper, Director of National Intelligence, there are two forms of cyber threats: cyber-attacks and cyber espionage. Cyber-attacks aim at creating physical effects or at manipulating, disrupting, or deleting data (Garamone, 2013). Cyber espionage refers to stealing data from a variety of sources (Garamone, 2013). The US has dealt more with the former, cyber-attacks. The last two decades have proven that cyber-attack defense has been a losing battle for the US. Cyber security in the new world has been difficult because officials are attempting to apply solutions from old threats, old alliances, and old strategies (CSIS Commission, 2008).

Cyberspace Defense Today

With cyberspace attacks becoming more sophisticated, protecting systems is becoming more of a challenge. Within the past couple of years, cyberspace defense companies have been banking on the funds that can be earned by coming up with the next best defense system as we become more and more a technological world. Companies such as Lockheed Martin, Boeing, Northrop Grumman, and other defense companies have been warning Capitol Hill of the threat that cyberspace criminals pose: stolen state secrets and hacked computers. It has been reported in the news that companies such as Lockheed Martin have won key contracts to assist with the Pentagon Cyber Crime Center. There have been executive orders to build a more secure defense mechanism against cyber warfare, and the Pentagon is currently looking to increase its budget for cyber security and operations by 20%. By doing so the Pentagon is hoping to tighten US defenses, and the expansion anticipates that cyber operations will be part of any future conflict.

The Pentagon is increasing its budget for cyber operations by 20 percent in the hopes that it can replicate successful cyber-warfare operations like the attack on Iranian nuclear facilities in 2010 that damaged centrifuges at the Natanz uranium enrichment facility. No one has officially claimed responsibility for the unprecedented attack, but the U.S. and Israel are suspected of being the culprits. According to the tightened 2014 U.S. defense budget released last week, the money allocated for cyber-operations rose to $4.7 billion, up 20 per cent from $3.9 billion in 2013. Two defense officials said that the increase is meant to strengthen the country's offensive capabilities, including the ability to blind an enemy's radar or shut down its command systems in the event of war. According to USA Today, the expansion is a recognition that cyber-war will probably at least be part of any future conflict. The strategy is backed by the development of a new cyber-force. By 2016, the Pentagon hopes to have more than 100 teams in place. The teams will be divided into three categories: defending military networks, damaging the capabilities of enemy networks and helping to defend the nation's infrastructure (Pontz, www.algemeiner.com).

Public Sector Contribution to Cyberspace Defense

The public sector, due to its abundance of sensitive information, has been paving the way for a more standardized security defense system. The main objective has become to strengthen systems on the back end to protect them from attacks that could be detrimental. The public sector comprises government- or state-owned entities. In certain states, government-owned companies purchase cyber defense hardware and software, such as Barracuda, off state contracts, so that public-sector buyers pay no more than the contracted price for the product. In New York, cost pricing information for the equipment is readily available on the website www.nysogs.com. Public companies, depending on their size, use hardware and software such as web filters, web application firewalls, and SSL VPNs to protect themselves from cyberspace attacks. An engineer from an IT solutions company stated that companies such as EMC (RSA) have been working diligently to help protect public-sector high-value data assets and intellectual property. He also mentioned that when a cyber-breach occurs, what determines successful readiness is the response and defense tactics. HP is also on the list when it comes to building secure cyber solutions for the public sector. In HP's own words: "HP has been delivering cyber security solutions on behalf of government and commercial clients such as financial services, utilities, transportation, and health for more than four decades. We have been building, integrating, operating, and securing some of the most complex environments in the world while enabling agency productivity, securing information exchange, and ensuring citizen privacy. HP responds with precision to protect against cyber-attacks because of the enterprise-wide approach we bring to security. Our proven, integrated portfolio for federal, state, and local government provides our clients with the situational awareness they need to help mitigate risk. We deliver two of the largest and most secure defense infrastructure programs in the world: the U.S. Navy and Marine Corps Intranet (NMCI) and the UK Defense Information Infrastructure" (HP.com, Cyber security Solutions for US Public Sector). NMCI is a secure IT platform that allows the supply chain of the US Navy and Marine Corps to support and unify its net-centric environment. State, local, and provincial governments face many issues. They encounter challenges such as budget constraints, regulatory guidelines, and heightened security and privacy concerns. Cyber defense companies are now offering an array of solutions that can be considered low end or high end depending on cost. The solutions can include application transformation and infrastructure consulting. These solutions may complement technology such as the cloud, which we will discuss further later on. The public sector is currently changing the way that cyber defense operates; it is demanding not only an effective way to operate its supply chain defense but also cost-effective hardware and software.


History of Cyber Attacks

The threat of cyber-attacks on the US was not without warning. In 1998, a presidential commission reported that protecting cyberspace would be crucial for national security (CSIS Commission, 2008). In the last ten years there have been several cyber-attacks against the US that have led to government regulation. The following attacks show the significance of cyber defense.

Department of State

It was in a US Embassy in East Asia that an email attachment was opened and initiated the cyber-attack on the Department of State in 2006. It was believed that the attackers operated through computers in China (Nakashima and Krebs, 2009). Officials worked for two weeks to contain the attack and prevent information theft.

Department of Commerce (2007)

In April of 2007, networks were hacked in the Bureau of Industrial Security. The attack was very similar to the attack at the Department of State in 2006. According to the Washington Post, its contract technicians were unable to identify the date on which the networks were infiltrated, but highly classified information was at risk. The Bureau of Industrial Security controls sensitive exports of technology that is used commercially and within the military (Nakashima and Krebs, 2009). Compounding the issue, after eight days of work technicians installed the incorrect filter to block the leaking of information. Installing the wrong filter caused sensitive information to be given to the media, adding more fuel to the fire.


Department of Defense

In November of 2008 the Department of Defense experienced a cyber-attack that was suspected to originate from within Russia. The attack struck hard at networks within US Central Command, the headquarters that oversaw US involvement in Iraq and Afghanistan, and affected computers in combat zones (Barnes, 2008). A highly protected classified network was also infiltrated. This attack included an intrusive piece of malicious software designed precisely for highly protected military networks. Officials disclosed that an attack of this magnitude showcased the vulnerability of computer networks.

The public sector is not the only history lesson to learn from. Over the course of the last ten years, major corporations have experienced millions of dollars in losses due to cyber-attacks. Below are significant cyber-attacks on corporations.

Delta Airlines

In 2004 hacker Sven Jaschan, a German teen, orchestrated a virus that poisoned millions of computers around the world, including Delta Airlines' computer system. The virus disabled the Atlanta-based company's computer system. This cyber-attack contributed to the cancellation of a considerable number of transatlantic flights. Experts estimated that $500 million in damages were incurred by Delta. The German college student was arrested three months later, after Microsoft put out a $250,000 bounty for his capture.


Hannaford Bros.

Hannaford Bros, a large grocery retail chain, was under the thumb of a hacker for the course of seven months in 2007 and 2008. More than 4.2 million credit and debit card numbers were put in jeopardy, in addition to other personal customer information. Hackers planted malware on store servers. It is said that the monetary damage in this case was $252 million. One of the hackers was Albert Gonzalez, who was also involved in the attack on TJX Companies' systems.

TJX (2008)

In December of 2008 The TJX Companies were victims of a cyber-attack. Hacker Maksym Yastremskiy, who has since been convicted, and a group of sophisticated hackers penetrated the company's customer service systems. He gained access to over 45 million credit and debit card numbers of TJX customers. A data breach of this magnitude cost this retail giant over $250 million.

Private Sector Contribution to Cyber Defense

Today, in every industry, a business's supply chain is its lifeblood, making effective supply chain management a top priority for senior management. The modern supply chain depends upon a complex and interrelated network of suppliers across a wide range of global partners. Globalization and advanced technologies have led businesses to utilize two of today's most popular business technology trends to gain competitive advantages through efficiencies: Enterprise Resource Planning (ERP) and cloud computing.


An ERP system is business management software that allows an organization to use a system of integrated applications to manage the business. ERP systems have replaced a myriad of old, undocumented, non-integrated legacy systems with state-of-the-art, integrated, and maintainable software (Akkermans et al., 2002). ERP software connects all facets of operations, such as finance, accounting, sales, marketing, and manufacturing, to work towards a common goal of efficiency. Functionally, this system primarily supports the management and administration of the deployment of resources within a single organization. These resources can be materials, production capacity, human labor, or capital. Supply chain ERP systems in particular integrate all participants within a company's supply chain (multi-tiered suppliers, manufacturers, distributors, and customers), allowing for lean production schedules and accurate forecasting and deliveries to ensure that the highest levels of customer satisfaction are met. Supply chains are typically difficult to secure, as they create risk that is hard to identify, complicated to quantify, and costly to address, the last of which is usually management's greatest concern (Information Security Forum Limited, 2013). While ERP systems allow enterprises to integrate information systems with trusted partners through supply chain management, the number of authorized users continues to grow. This effectively introduces new entry points to business systems from outside the traditional IT security perimeter (Holsbeck, 2004). Sharing information with suppliers is an essential part of any organization's daily business operation; however, doing so increases information risk: the risk that the confidentiality, integrity, or availability of that shared information could be compromised. When a company's tier 1 suppliers share information with tier 2 suppliers and so forth, the risk is extended further up the supply chain, and visibility and control diminish. This aspect of supply chain information risk often goes unseen and unmanaged (Information Security Forum Limited, 2013). Additionally, the attractiveness of company supply chains to hackers is growing. Criminals are seeing the supply chain as a means of accessing information they wouldn't otherwise be able to get from a large, proficiently run, well-secured global organization (Mello Jr, 2013). A perfect example of this is what happened to Verizon last year. In July 2012 someone hacked Verizon's databases and posted around 300,000 entries of customer information to the internet, including names, addresses, and passwords. He allegedly took advantage of several vulnerabilities in the cellular giant's network. However, upon further investigation it was discovered that none of Verizon's systems had been breached. Instead, the information was actually accessed through a third-party telemarketing firm, where an error was made and information was copied (Clay, 2012).

Historically, ERP security focused on the internal controls that aim to limit user behavior and privileges, while organizations relied on network perimeter defenses (firewalls, VPNs, intrusion detection, etc.) to keep outsiders from accessing the ERP system. However, increasingly integrated information systems with numerous system users require new levels of transaction-level security. Enterprises must not only trust the actions of employees but also trust partners' employees and perimeter security. Today, ERP security protocols include passwords, data encryption, and audit logs, each of which comes with its own risks.
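The paragraph above ends with the controls ERP security relies on today, audit logs among them, and notes that integrated systems with many partner users call for transaction-level security. The following Python script is an added example written for this page, not code from any ERP vendor or from the paper's sources. It parses a small, constructed audit log in which every line is a routine business action, then correlates entries that are only suspicious together: a vendor bank-detail change followed by a payment approval by the same user, and one account logging in from two workstations in quick succession. The log format, action names and time windows are assumptions made for the example.

```python
"""Context-aware review of ERP audit-log entries (added example, constructed data).

The log format, action names and thresholds below are assumptions made for
this example; they are not taken from any particular ERP product.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime          # when the entry was written
    user: str             # ERP account that performed the action
    workstation: str      # workstation the session came from
    action: str           # LOGIN, VENDOR_BANK_CHANGE, PAYMENT_APPROVE
    target: str           # vendor id the action applies to ("-" if none)


# Constructed sample log: pipe-separated, one transaction per line. Read
# individually, every line is a legitimate business action.
SAMPLE_LOG = """\
2013-04-10T09:02:11|jdoe|WS-114|LOGIN|-
2013-04-10T09:15:40|jdoe|WS-114|VENDOR_BANK_CHANGE|V-1042
2013-04-10T09:41:05|jdoe|WS-114|PAYMENT_APPROVE|V-1042
2013-04-10T09:50:00|jdoe|WS-207|LOGIN|-
2013-04-10T10:05:12|asmith|WS-301|VENDOR_BANK_CHANGE|V-2210
2013-04-10T11:00:00|asmith|WS-301|PAYMENT_APPROVE|V-3001
2013-04-12T14:30:00|bnguyen|WS-118|PAYMENT_APPROVE|V-2210
"""


def parse_log(text: str) -> list:
    """Parse the pipe-separated log into AuditEvents sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ws, action, target = line.split("|")
        events.append(AuditEvent(datetime.fromisoformat(ts), user, ws, action, target))
    return sorted(events, key=lambda e: e.ts)


def find_change_then_pay(events, window=timedelta(hours=24)) -> list:
    """Flag a payment approved by the same user who changed that vendor's bank
    details within the window. Each entry alone is routine; together they are a
    separation-of-duties violation that a per-transaction log does not reveal."""
    bank_changes = {}   # vendor id -> bank-change events seen so far
    findings = []
    for e in events:
        if e.action == "VENDOR_BANK_CHANGE":
            bank_changes.setdefault(e.target, []).append(e)
        elif e.action == "PAYMENT_APPROVE":
            for change in bank_changes.get(e.target, []):
                if change.user == e.user and e.ts - change.ts <= window:
                    findings.append((change, e))
    return findings


def find_overlapping_logins(events, window=timedelta(hours=2)) -> list:
    """Flag one account logging in from two different workstations within the
    window: an indicator of shared credentials or an unattended session."""
    recent = {}         # user -> login events seen so far
    findings = []
    for e in events:
        if e.action != "LOGIN":
            continue
        for earlier in recent.get(e.user, []):
            if earlier.workstation != e.workstation and e.ts - earlier.ts <= window:
                findings.append((earlier, e))
        recent.setdefault(e.user, []).append(e)
    return findings


def review(text: str) -> dict:
    """Run both checks and return human-readable findings keyed by check name."""
    events = parse_log(text)
    return {
        "change_then_pay": [
            f"{c.user} changed bank details of {c.target} at {c.ts:%H:%M} "
            f"and approved payment at {p.ts:%H:%M}"
            for c, p in find_change_then_pay(events)
        ],
        "overlapping_logins": [
            f"{a.user} logged in from {a.workstation} and {b.workstation} within {b.ts - a.ts}"
            for a, b in find_overlapping_logins(events)
        ],
    }


if __name__ == "__main__":
    for check, hits in review(SAMPLE_LOG).items():
        print(check, hits or "no findings")
```

On the sample data only jdoe is flagged by both checks; asmith's bank change on V-2210 followed two days later by a payment approved by a different user is the intended separation of duties and produces no finding. The same correlation can be run over a real export once the column mapping is adjusted.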


The effectiveness of passwords is diminished by weak passwords, by coworkers sharing credentials, and by users leaving workstations unattended without logging out. Data encryption limits one's ability to export the database but does not address the need to prevent authorized insiders from accessing modules in the system they are not authorized for. Audit logs within an ERP system track individual transactions or changes in the system but provide little detail about the relevance of the transaction. With each transaction documented individually, the audit log does not consider the context of the transaction. Furthermore, about half of all organizations do not configure their ERP system to maintain audit logs, because they are concerned about performance degradation and they don't think they need it.

Cloud computing presents another increasingly attractive option for companies. Cloud-based technology provides one place where managers can go to monitor critical supply-chain events. When an element is updated, everybody gets the information. That element of sharing is what distinguishes the cloud from more traditional means of centralizing data: all relevant data is held in one place. Furthermore, a cloud can be private or public. A public cloud sells services to anyone on the Internet, e.g. Amazon Web Services. A private cloud is a proprietary network or a data center that supplies hosted services to a limited number of people. When a service provider uses public cloud resources to create a private cloud, the result is called a virtual private cloud. Cloud computing technology developed rapidly over a number of years and helped organizations cope with dynamic changes. Reports estimate that cloud-based adoption increased 40 percent in 2012 as compared to 2011. Adoption rates have been the highest within the areas of collaborative sourcing and procurement, demand planning, global trade management, and transportation management systems. This growth can be attributed to the cloud's flexibility in accessibility, cost reductions and increased efficiency, and technical support reliability. For all of its benefits, however, this technology does incur several potential risks that can be devastating to any business today. There is already a large risk with data hosted in-house, so it's no secret that data sitting off site carries an even higher risk. With data off site there are more avenues for attack, and its frequent movement makes it easier to intercept (Shagin, 2012). The cloud cannot always guarantee data confidentiality for all users' information. The trust relationship in the cloud is temporary and dynamic, so users cannot avoid the risk of receiving dangerous or malicious information. Sometimes users can find illegal information in the cloud. Worse, the cloud cannot completely avoid service hijacking, phishing, fraud, and exploitation, as happens generally in IT. Hackers' illegal operations can lead to public cloud users' information being betrayed (Zhou, L.). With technology always improving, there are ways to ensure better encryption; however, there are also always people improving their hacking skills to penetrate new defense mechanisms.

Risks for organizations arise not only from suppliers a company knows, but from suppliers that it may not be aware of. According to Hugh Thompson, senior VP and chief security strategist for Blue Coat Systems, there is a growing group of unknown suppliers. They are services and technologies that the business is using that were never sanctioned by IT. These business/consumer technologies that employees and small teams are using make them unknown suppliers. "If you're an attacker, you may want to go after one of these consumer services that might hold corporate data instead of going directly at a company." One example is the popular cross-platform information management program Evernote, which is used by employees in many organizations but would be under IT's radar. Office workers store all kinds of information in the program, some of it, no doubt, of a sensitive nature to their employers. Such an account would pose an information risk to an organization that it wasn't aware of (Mello Jr, 2013).

According to the Information Security Forum, the key to managing information risk in the supply chain is an information-led, risk-based approach that identifies what information is being shared and assesses the probability and impact of a compromise. This means identifying the information shared in the supply chain and focusing attention on the contracts that create the highest risk. It provides a scalable way to manage contracts so that efforts are proportionate to the risk (Information Security Forum, 2013).
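The information-led, risk-based approach just described, together with the earlier observation that risk extends to tier 2 suppliers while visibility and control diminish, can be turned into a small ranking model. The following Python script is an added example written for this page, not the Information Security Forum's method or scoring: it records which categories of information each contract shares, assigns an assumed impact per category, places less trust in the company's own control assessment as the tier increases, and ranks every contract, including ones the company never signed directly, so that effort goes to the highest-risk ones first. The supplier names, control scores, impact scale and decay factor are all constructed for the illustration.

```python
"""Rank supply-chain contracts by information risk (added example, constructed data).

The impact scale, the per-tier visibility decay and the sample suppliers are
assumptions made for this illustration, not the Information Security Forum's
method or scores.
"""
from dataclasses import dataclass, field

# Assumed impact of a compromise per category of shared information, on a
# 1 (low) to 5 (severe) scale; banking details and customer PII score highest.
IMPACT = {"banking": 5, "pii": 4, "product_spec": 3, "pricing": 2, "logistics": 1}

# Assumed fraction of visibility retained at each further tier: a tier-2
# supplier is seen only through the tier-1 supplier's assurances.
VISIBILITY_DECAY = 0.8
# Assumed likelihood of compromise used where there is no visibility at all.
UNKNOWN_PRIOR = 0.5


@dataclass
class Contract:
    supplier: str
    tier: int
    shares: frozenset           # categories of our information this supplier receives
    control_score: float        # assessed control strength, 0 (none) .. 1 (strong)
    onward: list = field(default_factory=list)  # contracts this supplier shares data onward to


def likelihood(c: Contract) -> float:
    """Probability of compromise: the assessed weakness, blended toward the
    pessimistic prior as visibility diminishes with each tier."""
    visibility = VISIBILITY_DECAY ** (c.tier - 1)
    assessed = 1.0 - c.control_score
    return visibility * assessed + (1.0 - visibility) * UNKNOWN_PRIOR


def impact(c: Contract) -> int:
    """Impact is driven by the most sensitive category the supplier holds."""
    return max(IMPACT[cat] for cat in c.shares) if c.shares else 0


def flatten(contracts) -> list:
    """Walk the tier-1 contracts and everything they share onward, so that
    the lower tiers the company never contracted with still get assessed."""
    out = []
    stack = list(contracts)
    while stack:
        c = stack.pop()
        out.append(c)
        stack.extend(c.onward)
    return out


def rank_contracts(contracts) -> list:
    """Return (supplier, tier, risk) tuples, highest risk first."""
    scored = [(c.supplier, c.tier, likelihood(c) * impact(c)) for c in flatten(contracts)]
    return sorted(scored, key=lambda t: t[2], reverse=True)


# Constructed sample: two tier-1 suppliers, each passing a subset of our data
# to a tier-2 firm we never contracted with directly (the same shape as the
# third-party telemarketer in the Verizon incident described above).
SAMPLE_CONTRACTS = [
    Contract("Acme Logistics", 1, frozenset({"logistics", "pricing"}), 0.9, onward=[
        Contract("Acme's carrier", 2, frozenset({"logistics"}), 0.6),
    ]),
    Contract("PayCo Billing", 1, frozenset({"banking", "pii"}), 0.85, onward=[
        Contract("PayCo call center", 2, frozenset({"pii"}), 0.4),
    ]),
]

if __name__ == "__main__":
    for supplier, tier, risk in rank_contracts(SAMPLE_CONTRACTS):
        print(f"tier {tier}  {supplier:<20} risk {risk:.2f}")
```

With these inputs the tier-2 call center holding customer PII ranks above every tier-1 contract, which is the point of the approach: the contract the company has the least visibility into, and never negotiated, is where effort is needed first. Replacing the constructed scores with the results of a real supplier assessment keeps the ranking logic unchanged.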

V. Conclusion

As discussed throughout this paper, cyber-attacks cannot be ignored any longer, with ever-increasing threats impacting this country's networks. Supply chain networks are at the forefront of this concern because so many entities are impacted if this type of network is breached. This point proved to be true with Verizon Wireless. Developed technologies are allowing outside parties to penetrate the sophisticated networks currently used by multiple companies. This paper explored current supply chain networks and the cyber threats to which they can be exposed. Current precautions that are in place to protect these systems were explained in detail, as well as the history of attacks in the public and private sectors that have led to these regulations. Additionally, the paper shed light on how the private sector has contributed to cyber defense. The research was illustrated with the real-world example of Verizon Wireless.


VI. References

Nakashima, E. and Krebs, B. (2009). As Cyberattacks Increase, U.S. Faces Shortage of Security Talent. Washington Post. Retrieved from http://articles.washingtonpost.com/2009-12-23/news/36853852_1_homeland-security-howard-schmidt-chief-security-officer

Business Pundit (2011). 10 Most Costly Cyber Attacks in History. Business Pundit. Retrieved from http://www.businesspundit.com/10-most-costly-cyber-attacks-in-history/

CSIS Commission of Cyber Security (2012). Significant Cyber Attacks Since 2006. Retrieved from http://csis.org/files/publication/120504_Significant_Cyber_Incidents_Since_2006.pdf

CSIS Commission of Cyber Security (2008). Securing Cyberspace for the 44th Presidency: A Report of the CSIS Commission of Cyber Security. Retrieved from http://csis.org/files/media/csis/pubs/081208_securingcyberspace_44.pdf

Garamone, J. (2013). Clapper Places Cyber at Top of Transnational Threat List. U.S. Department of Defense. Retrieved from http://www.defense.gov/news/newsarticle.aspx?id=119500

Barnes, J. (2008). Pentagon Computer Networks Attacked: The cyber-strike on key sites is thought to be from inside Russia. Los Angeles Times. Retrieved from http://articles.latimes.com/2008/nov/28/nation/na-cyberattack28

Harrison, A. and van Hoek, R. (2011). Logistics Management and Strategy, 4th edition. Pearson.

Laudon, K. C. and Laudon, J. P. Management Information Systems: Managing the Digital Firm, 12th edition. Pearson.

Information Security Forum (2013). Information Security Forum Releases Securing the Supply Chain Report. Information Security Forum. Retrieved from https://www.securityforum.org/userfiles/public/isf-13-022_ssc-press-release.pdf

Holsbeck, M. and Johnson, J. (2004). Security in an ERP World. Help Net Security. Retrieved from http://www.net-security.org/article.php?id=691

Clay, K. (2012). Verizon Denies Hacker Leaked 300,000 Customers' Data - UPDATE. Forbes Magazine. Retrieved from http://www.forbes.com/sites/kellyclay/2012/12/22/verizon-denies-hacker-leaked-300000-customers-data/

Mello Jr, J. (2013). Supply chain the new tempting attraction for hackers. CSO. Retrieved from http://www.csoonline.com/article/731557/supply-chain-the-new-tempting-attraction-for-hackers

Akkermans, H. et al. (2002). The impact of ERP on supply chain management: Exploratory findings from a European Delphi study. Retrieved from http://www.student.oulu.fi/~jolahti/accinfo/7%20ERP%20Impact%20on%20Supply%20Chain%20Management.pdf

Gross, J. (2012). Supply Chain World Europe: Cloud Computing and the Supply Chain. IBM. Retrieved from http://supply-chain.org/f/Jelle%20Gros%20-%20Cloud%20Computing.pdf

Shagin, A. (2012). The Risks And Benefits Of Cloud Computing. SAP. Retrieved from http://blogs.sap.com/innovation/cloud-computing/risks-and-benefits-of-cloud-computing-020025

Zhou, L. Cloud Supply Chain: A Conceptual Model. Retrieved from http://www.medifas.net/IGLS/Papers2012/Paper109.pdf


VII. Appendices

Appendix 1 (figure not reproduced; source: Laudon, 341)

Appendix 2 (figure not reproduced; source: IBM, Cloud Computing and the Supply Chain)

Appendix 3 (figure not reproduced; source: Verizon 2012 Data Breach Investigations Report)
