Manufacturers recognize the importance of keeping their products secure throughout the supply chain. However, there’s...
something else traveling through the supply chain that’s more valuable than physical goods: enterprise data.
The more complex a supply chain is, the more susceptible it is to security breaches. From intellectual property theft and product leaks to hackers and malware, there’s a myriad of supply chain security issues that, if left unchecked, can have devastating consequences. Experts say the key to combating manufacturing data security problems is to keep a close eye on both IT and human resources.
One major concern for manufacturers is the leaking of product data that is not ready for the public eye. Companies don’t want such information distributed prematurely for any number of reasons -- the design specifications need improvement, the patent is pending, or competitors could create imitations before the original product is released. Not even corporate powerhouses like Apple are immune; the company has dealt with supply chain data leaks of its iPhone and, more recently, the iPad.
A first step to reducing the chances of data leaks is limiting the number of people who have access to all of the data, according to Andrew Rose, principal analyst at Forrester Research Inc., based in Cambridge, Mass. “Keep it at a need-to-know basis,” he said.” Does everybody working on the new iPhone need to know the whole design? Do the people making the glass need to see all the specs? Send the data only to people who need to see it.” When only certain people have access to certain data, it’s easier to trace the source of leaked information, Rose said.
Simon Ellis, practice director for supply chain strategies at IDC Manufacturing Insights in Framingham, Mass., agrees with this approach. “Ultimately, it’s the business that will decide whether a particular supplier should have access to certain information or not,” he said. “Some information is given to retailers with the understanding that it will not be leaked, but it still sometimes happens. It’s the responsibility of everyone in the business to make sure that info isn’t being handled too casually.”
Hold third parties to supply chain security standards
With complex networks of suppliers, assemblers and distributors, manufacturing organizations often need to grant data access to numerous third parties. Manufacturers must require that they uphold certain security agreements, Rose said.
“Make sure contracts with third parties are up to security standards -- demand ISO27K compliance,” he said. Though the standards can be a burden to the business partners, they’re necessary, according to Rose. Encryption is another way to keep supply chain data secure -- or, at least, unreadable to outside parties. “You have to make data secure on its own, so it doesn’t matter where the data actually is. This means you can send your secret data on to a third party, but a person outside the network would just see it as garbage, a garbled mess, and wouldn’t be able to read or print it.”
Manufacturers can also simply give suppliers a password to view data, rather than sending the data itself. “Whenever you introduce third parties [to a supply chain], it gets tricky, because you can’t be sure they’re keeping the data inside the supply chain,” explained Rose. “This way, if they do get hacked on their end, they don’t have your data, just an ability to get to it. It puts another barrier between hackers and your data.”
“[Supply chain data security] is about making sure you have the right contracts, that the service level protects you when necessary. IP [intellectual property] protection is a piece of it,” Ellis said.
Hackers, malware threaten supply chain data
Cloud computing is growing popular with manufacturers because it provides centralized program and data access on limited IT resources. It is especially attractive to companies with large global networks of users. But taking supply chain data off an in-house system and moving it into the cloud can open the door to hackers.
“Product-centered info, BOM [bill of materials], specifications and even drawings are finding a way onto the cloud,” said Tom Singer, principal at Tompkins Associates Inc., a supply chain consulting firm based in Raleigh, N.C. “This enhances the opportunity for intellectual theft or just malicious tampering. If I’m putting data packets over the Internet, those packets are susceptible to hacking.” Cloud providers are recognizing this, Singer said, and most vendors are including enhanced security features in the cloud versions of their products. Cloud audits can also ensure that providers are following security standards, according to Rose.
Software isn’t the only portal for malicious supply chain attacks, Rose said. Data can also be accessed -- or simply destroyed -- by malware built into hardware. In a blog post from this past summer, he wrote about the Department of Homeland Security’s acknowledgment that some of its purchased hardware came with undetected, built-in malware programs.
“If you buy chips from abroad, there’s a possibility for subversion,” Rose said. “It’s hard to be sure that these chips don’t have anything in there that isn’t supposed to be. It’s a scary development when it’s embedded in the hardware. We have to make sure that every layer is secure.” Virus protection software providers are releasing new suites -- such as McAfee and Intel’s DeepSafe platform -- to address these new security concerns.
Intellectual property a major supply chain security concern
Misuse of confidential product data is bad enough when it comes from outside attacks, but what if the problem is coming from within your own supply chain? Manufacturers that outsource their production are vulnerable to intellectual property theft by the same people that assemble their products.
“Being able to trust your international partners is key,” Singer said. “You need to be able to trust them with your intellectual property, which goes beyond software security. You can get them to follow certain procedures, but what are they doing to safeguard your intellectual property? You place standards, but how can you stop knockoffs?” They’re often made by the same companies that assemble a manufacturer’s products, sometimes even in the same factory, according to Singer.
Rose warns that manufacturers that hope to save money on IT and assembly line staff by outsourcing production could end up losing far more from intellectual property theft. “There are increased risks moving to certain jurisdictions,” he said. “Sometimes the cheaper production plants will end up copying your design and selling it. One company I’ve spoken with even had their design duplicated and then improved upon.”
“Technology is only going to get you so far,” Singer said. “Choosing the right partnership and factory that can help mitigate that possibility is perhaps more valuable than trying to button down manufacturing visibility.”