Securing the Supply Chain with Zero Trust


In the digital age, organizations need a seamless flow of data across a plethora of networks, applications and storage systems. The dilemma is that it is no longer feasible, or even possible, to treat every element of the service topology as “trusted”. With the rise in supply chain attacks, Zero Trust has become a critical concept: research shows that in 66% of supply chain attacks, suppliers either did not know or failed to report how they were compromised.

The Value of Supply Chains

Recent events have highlighted just how crucial supply chains are. Consumers have experienced empty shelves and disrupted services, and businesses have felt the strain too; even technology giants such as Apple have cited supply constraints as a main barrier to growth. The value supply chains provide can be boiled down to a very simple statement: they offer security and interoperability.

That is, when businesses rely on supply chains, they need to be certain that products reach the right destination without being intercepted or disrupted along the way. Interoperability ensures that desired actions happen; security ensures that undesired actions do not. Between them, these two capabilities give businesses the reassurance that supply chains will not be interrupted, mitigating the risk to business continuity and of financial loss. On the IT side, ZTNA (Zero Trust Network Access) is one way to provide that assurance for access to a company’s applications, data and other services: each access request is authenticated and authorized individually rather than granted on the basis of network location.

Open Standards

Open standards are essential for achieving interoperability in the logistics industry. With the industry increasingly relying on information and communication technology (ICT) solutions, produced globally, to run its operations, the systems involved need to be secure and kept free of major defects and vulnerabilities for customers to trust them. Open standards such as The Open Trusted Technology Provider™ Standard (O-TTPS) help businesses get there by raising product integrity and supply chain security. By offering a collaborative environment for creating international standards focused on supply chain security, they let businesses establish a unified view of how to practice supply chain risk management (SCRM).

Focusing on Security

These standards, of course, are not static, and need to keep evolving to meet new needs. The question of security is now a digital one, and SCRM mitigation techniques must sit at the heart of supply chains to limit the damage malicious actors can do.

Developing and improving security approaches is therefore crucial. As always in cybersecurity, risks need to be continually reassessed as the operating context changes, and innovations in how people interact with supply chains must be designed with their security implications in mind. At the same time, new methods and strategies for cyberattacks are always developing, and there are good reasons to believe that now is the time for a fundamental shift in how we think about the topic.

Considering the Network

Supply chain attacks are becoming increasingly frequent and, as the world becomes further connected, even more damaging. Software supply chain attacks tripled in 2021, and high-profile companies such as the IT software company Kaseya and KP Snacks have been subject to recent attacks.

In late 2020, for example, the security consultancy FireEye discovered that it had fallen victim to a sophisticated intrusion that took an obscure and convoluted path to its target. FireEye, like most organizations (logistics companies included), runs tools sourced from third parties inside its environment. One of those tools, the SolarWinds Orion IT monitoring platform, had been trojanized at the vendor: a backdoor was built into a legitimately signed software update. When FireEye installed that update through its normal process, it brought the malicious code inside the gates (so to speak) of its own network, giving the attackers a foothold with the tool’s privileges and, from there, access to sensitive and otherwise highly secure environments.

What is important to understand about this attack is that perimeter-focused network security could not have prevented it: rather than trying to pass as an authorized user, the attackers arranged for the actual point of infiltration to be carried out by genuinely authorized users installing a signed update from a trusted vendor. It is a scary situation, and a tactic that becomes more viable for attackers as digital infrastructure grows more complex and as logistics companies use more third parties for their supply chain operations. The supply chain, in other words, is starting to look like a vast new attack surface that requires a new approach to secure.

Implementing Zero Trust

If securing networks is no longer enough, we need models that secure the data and assets those networks exist to carry. This is what the Zero Trust model offers. Rather than assuming that any device on the network has passed a security checkpoint and is therefore trustworthy, Zero Trust treats every request as potentially malicious and enforces authentication and authorization on an ongoing, case-by-case basis: who is asking, from what device, for which resource, and whether a policy explicitly grants that action.
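To make the difference concrete, the following is an added example, not code from the original article or from any vendor: a minimal per-request policy decision point in Python that runs the same requests through a perimeter model (“inside the network means trusted”) and a Zero Trust model (verified identity, fresh authentication, attested device, and an explicit allow-list, deny by default). The identities, resources, address range, policy table and sample requests are all constructed for illustration; the “lateral” sample models the trojanized-tool case above, where a legitimately installed agent on a trusted internal host starts doing something it was never granted.

```python
# Added example, not from the original article: a minimal per-request policy
# decision point contrasting the perimeter model with Zero Trust. Identities,
# resources, addresses and the policy table below are constructed.
import ipaddress
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    subject: str            # verified identity, or "" if none was presented
    auth_time: float        # epoch seconds when the identity was last verified
    device_attested: bool   # device posture check passed (managed, patched, ...)
    source_ip: str
    resource: str
    action: str


# Perimeter model: the only check is "did this come from the internal network?"
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed address range


def perimeter_decision(req: Request) -> bool:
    return ipaddress.ip_address(req.source_ip) in INTERNAL_NET


# Zero Trust model: explicit allow-list of (subject, resource, action), deny by
# default; identity must be fresh and the device must pass its posture check.
POLICY = {
    ("alice@example.com", "shipment-db", "read"),
    ("alice@example.com", "shipment-db", "write"),
    ("orion-monitor", "telemetry-api", "read"),
}
MAX_AUTH_AGE = 15 * 60  # seconds before the subject must re-authenticate


def zero_trust_decision(req: Request,
                        now: Optional[float] = None) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons); reasons is empty only when allowed."""
    now = time.time() if now is None else now
    reasons: List[str] = []
    if not req.subject:
        reasons.append("no verified identity")
    elif now - req.auth_time > MAX_AUTH_AGE:
        reasons.append("authentication is stale")
    if not req.device_attested:
        reasons.append("device posture not attested")
    if (req.subject, req.resource, req.action) not in POLICY:
        reasons.append("no policy grants this action")
    return (not reasons, reasons)


# Constructed sample requests. "lateral" is the trojanized-tool case: a
# legitimately installed monitoring agent on an attested internal host, running
# as its usual identity, tries to write to a store it was never granted.
NOW = 1_700_000_000.0
SAMPLES = {
    "legit": Request("alice@example.com", NOW - 60, True, "10.1.2.3",
                     "shipment-db", "write"),
    "lateral": Request("orion-monitor", NOW - 60, True, "10.1.2.50",
                       "shipment-db", "write"),
    "stale": Request("alice@example.com", NOW - 3600, True, "10.1.2.3",
                     "shipment-db", "read"),
    "anonymous_internal": Request("", NOW, False, "10.9.9.9",
                                  "shipment-db", "read"),
}


def evaluate_samples(now: float = NOW) -> dict:
    """Run every sample through both models for side-by-side comparison."""
    return {
        name: {
            "perimeter": perimeter_decision(req),
            "zero_trust": zero_trust_decision(req, now),
        }
        for name, req in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, result in evaluate_samples().items():
        allowed, reasons = result["zero_trust"]
        print(f"{name:20} perimeter={result['perimeter']!s:5} "
              f"zero_trust={allowed!s:5} {'; '.join(reasons)}")
```

Every sample comes from an internal address, so the perimeter model allows all four. The Zero Trust model allows only the request with a fresh identity, an attested device and a matching policy entry; the compromised agent is refused not because anything about its host looks suspicious, but because no policy ever granted it that action. In a real deployment the policy table, identity freshness and device attestation would come from an identity provider and a device-management system rather than in-code constants, and every decision, allowed or denied, would be logged.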

While the principles of Zero Trust are not new, the need to put them into action has never been greater. Few industries have gone untouched by the societal changes which the pandemic triggered, never mind the economic impact, and successfully bouncing back from those economic consequences will require innovating towards a position which reflects the expectations of modern consumers. For the logistics industries, this means digital tools that work from anywhere, securely, and intuitively.

Just as new systems for interoperability need to be designed with regard to maintaining security within the supply chain, new security models cannot jeopardize interoperability if they are to preserve the freedom with which businesses expect to run their supply chain operations.

That’s why the logistics industry’s adoption of Zero Trust has to happen from a position of open standards. Just as shared understanding powers institutions’ abilities to accurately communicate their customers’ intentions to one another, open standards are needed to enable mutual understanding about what needs to be kept secure and how. In a challenging and rapidly evolving environment, where supply chains are at the heart of world trade, that’s a priority for all of us.