Manufacturers and supply chain organizations must prioritize limiting third-party risk as they produce, warehouse and deliver essential goods and medical supplies during the COVID-19 pandemic, said Curtis Simpson, former VP and global CISO with multi-billion-dollar food marketer and distributor Sysco Corporation, in a podcast interview with SC Media.
Houston-based Sysco is one of multiple companies that has drastically shifted its standard operating procedures in response to the coronavirus outbreak. Normally, the company ships food, smallwares, kitchen equipment and related supplies to clientele such as restaurants, schools and hotels. But with many of its usual customers closed for business, Sysco has begun delivering to grocery stores, which are struggling to keep shelves stocked. Meanwhile, companies such as Dyson, Ford and GM have literally had to convert certain manufacturing facilities to produce items they normally don’t make, such as ventilators or personal protective equipment.
The scramble to meet needs of consumers and health care professionals at this critical time potentially opens up manufacturers and distributors to significant cyber risk that makes them a ripe target for attack.
“You’re refactoring manufacturing plants, you’re likely introducing new equipment, you’re likely spinning up new credentials, and creating new integrations and authentication points through the environment to allow certain things to communicate that have never communicated before,” said Simpson, who is now CISO at Internet of Things enterprise security company Armis. “In this time… of crisis it’s more important than ever for a security team to really be providing the value behind the scenes and not controlling or slowing down what’s happening, but rather just continuing to assess the landscape and looking for anomalous behaviors and at minimum signs of malicious activity within the environment…”
Asked what he would be at the top of his agenda if he were still at Sysco, Simpson said he would concentrate on reducing risk associated with third-party systems access — this includes both business and technology partners.
“For me, what I would really be doubling down on,” said Simpson, is “getting third parties off the network, having some sort of hardened buffer between the third parties and the corporate environment that would give me better visibility into exactly what they were doing, and would give me less pause for concern about the state of their devices and the state of their network, and those things potentially spreading further infection into the landscape.”
Simpson also emphasized the importance of gaining peak visibility within your IT, OT and IoT environments, and monitoring for anomalous activity in your warehouse, supply chain and transportation operations.
If such operations are left exposed to compromise, a malicious actor could threaten to further disrupt supply chain operations and demand a ransom payment in exchange for restoring normal functionality, Simpson warned.
Simpson’s podcast was recorded over two separate sessions. Simpson originally sat down with SC Media in person to discuss day-to-day challenges within supply-chain environments and distribution facilities that rely heavily on IoT devices. But as the COVID-19 outbreak ballooned into a worldwide crisis, SC reached back out to Simpson and recorded a second Q&A session via phone, focusing exclusively on new security challenges posed by COVID-19. SC then merged the two sessions together into a single interview.