Lack of cyber in Australian supply chain resilience plan has IBM concerned
The federal government on Thursday received the Productivity Commission's final report on vulnerable supply chains, which the likes of IBM hope will contain more focus on 'cyber' than its interim report did.
Earlier this year, Australia's Productivity Commission released an interim report that looked into vulnerable supply chains, focusing on imports. A final report is now sitting with the government and is expected to focus on exports.
The purpose of the work led by the Productivity Commission is explained as examining the nature and source of risks to the effective functioning of the Australian economy and Australians' wellbeing associated with disruptions to global supply chains, and identifying any significant vulnerabilities and possible approaches to managing them.
"Improvements in technology and trade liberalisation have made it easier and cheaper to source many goods and services from overseas. This has brought benefits from specialisation and economies of scale. It has also lifted the complexity of supply chains -- modern supply chains often rely on inputs from across the globe and can consist of thousands of firms," the report [PDF] said, citing as an example the Toyota supply chain, which consists of over 2,100 suppliers.
"This intricate web of economic interdependencies means that a supply chain is potentially exposed to the many types of shocks that can affect every business, both in Australia and overseas: Geopolitical (for example, a trade war), environmental (a natural disaster), economic (a financial crisis), societal (a pandemic), and infrastructure-related (cyber attacks)."
The interim report was prepared ahead of the Colonial Pipeline and Kaseya ransomware attacks, and in the same month that details of the Microsoft Exchange vulnerabilities emerged. It was compiled with knowledge of many other cyber incidents affecting supply chains, but it was still light on the "cyber".
In its submission [PDF] to the Productivity Commission, IBM said cybersecurity should be highlighted as the biggest risk to supply chain productivity. It said, however, that part of the challenge was that there is no single, functional definition of supply chain security and that mitigating this risk would be a "moving target and mounting challenge".
"Supply chains are increasingly complex global networks comprised of large and growing volumes of third-party partners who need access to data and must provide assurances they can control who sees that data," it wrote. "Further challenges are introduced by today's constraints on staff, budgets, rapid unforeseen changes to policy or geopolitics, partner strategies, and the supply and demand mix."
Big Blue called out the interim report for making only cursory mention of both cyber attacks as an infrastructure-related risk and broader technology implications. The report does mention some technology implications; however, these are limited to the Internet of Things and cyber risk.
"This is a significant gap," it said. "Widespread situational awareness across supply chain elements is needed so that any vulnerabilities are quickly discovered and remediated, and any consequences of exploitation be detected as soon as possible.
"Security should not be seen as a separate consideration to any of the technology or infrastructure concerns above, but as overall embedded 'security by design' across the supply chain network."
In addition to mentioning IoT, the report also touched on blockchain and artificial intelligence.
"Technological advances have made it easier for firms to understand their supply chains. Advances in tracking technologies, data analytics, and machine learning have made it easier to predict where and when disruptions might occur. These advances have also made it easier to access real-time information about disruptions, facilitating a quicker response and recovery," the report said.
One of the risks and costs associated with the use of IoT, the report said, was the increased vulnerability of a chain to cyber attacks. It also said blockchain has applicability in record-keeping, for example to track the origin of goods and establish trust in shared supplier information. For AI, the report noted many companies have used the tech to automate many aspects of supply chain management, including warehouse operations, transport and logistics, and inventory management.
IBM would argue that the use of AI and blockchain, and the adoption of cyber resilience centres -- such as that underway at the Port of Los Angeles, in partnership with IBM -- demonstrated a security-by-design approach and ensured that risk management could be a key factor in the supply chain enabled by technology.
"It's critical that this risk management approach considers all elements of the supply chain, so that maturity can rise equally and therefore limit opportunities for adversaries to exploit any link in the chain," IBM said.
Elsewhere in IBM's submission, it said "infrastructure needs to give greater attention to how emerging technology is mutually exclusive to IT systems".
"With a focus on maintaining supply chain productivity, Australia cannot afford to simply 'react' to another 'black swan' event (eg, another pandemic). Whilst technology investment is inevitable to drive resilience and transparency, this topic should be considered from two capabilities: Becoming cognitive (adopting a level of AI, blockchain, IoT, and automation maturity); and on the cloud (embracing a combination of public, private, and mainframe modernisation)," it wrote.
"Supply chain workflows are ideal to leverage AI, blockchain, IoT, and automation to reach new levels of responsiveness. These workflows challenge siloed processes allowing supply chains to work as a consortium rather than individual partnerships."