Cyber exercise case study: Supply chain assurance
Cyber security incidents are unfortunately a fact of life. But while you can work to secure your own organisation, your operations can still be affected by cyber incidents in your supply chain. Reducing your exposure to a risk you have little control over is not easy.
Cyber exercises are a way that your suppliers can demonstrate that they are ready for a cyber incident. They provide objective and independent evidence of your suppliers’ response to realistic cyber incidents. They also make your suppliers better prepared for an incident.
Cyber exercises have been used by the military for some time. However, they are a relatively new concept in the private sector. To help explain how they work and how they can add value, this case study considers how a fictional company could use them to understand and reduce the risk in its supply chain.
This case study will show how a company can use cyber exercises to understand the risks in its supply chain. This understanding can then allow it to make informed decisions to minimise these risks.
Example Ltd assemble and sell products in the aerospace industry. They rely on multiple suppliers and are aware that their operations can be easily affected by supply chain issues. Cyber incidents are one source of such issues. Example Ltd’s leadership therefore decide that they need to try and understand how a cyber incident in one of their suppliers may impact their own business.
They have previously tried to understand this risk by asking their suppliers to complete cyber security surveys. These were quick and relatively easy to do; however, Example Ltd felt that they lacked the fidelity needed to fully understand the risk. They have considered requiring their suppliers to become ISO 27001 certified. However, they are aware of the huge commitment and cost involved in doing this and recognise that it may simply not be feasible for many of their smaller suppliers.
They instead decide to require their suppliers to conduct a cyber exercise. They are in a position with some of their suppliers to have the cost of the exercise fall with the supplier, but with others they have to incur the cost themselves.
Cyber exercises are conducted by each of Example Ltd’s key suppliers. An example of how these exercises would be conducted can be found here. The exercises typically take 1-2 days and the post-exercise report is produced within 5 working days. The post-exercise reports are made available to Example Ltd so they can better understand the risk in their supply chain.
Informed decision making
One of their suppliers, Supplier A, could be easily affected by common cyber incidents. With this information Example Ltd can make a number of decisions. They can: switch suppliers, demand improvements in Supplier A’s cyber security, or they can find ways to mitigate the impact of a cyber incident affecting Supplier A.
Given their strong and long-term relationship with Supplier A, and the fact that perfect cyber security is a rarity, they decide to require Supplier A to improve their performance. They also decide to increase their stock levels of the components Supplier A provides so they are less likely to be impacted by an incident. In the longer term, once Supplier A has improved their cyber security, they intend to reduce these stock levels to free up capital.
Supplier A have acknowledged the challenges they face and due to the value they place on Example Ltd’s business they commit to making improvements. In order to track this improvement Example Ltd plan for Supplier A to conduct another exercise in the next quarter.
Another supplier, Supplier B, has a data link into Example Ltd’s own IT system in order to fulfil orders. Because of this link, Supplier B has already had to agree to meet certain information security standards. The post-exercise report for Supplier B independently confirms that these standards are contributing effectively to the cyber security of Supplier B and, by virtue of the data link, to Example Ltd also.
How cyber exercises helped
Cyber exercises have helped Example Ltd understand risks in their supply chain. They have provided a quick and effective way of testing how their suppliers would handle a cyber incident. They maintain a focus on business operations so that Example Ltd can understand what the likely impact would be on their own operations.
Cyber exercises also provide an incentive for Example Ltd’s suppliers to improve their cyber security for the benefit of all parties.