One year on: Supply chain under the pandemic
And so a year has past. It is a 12 months to the day since the UK declared its first COVID-19 lockdown and, other than a few pockets of eased social distancing in the summer, adapted to life largely indoors.
The Prime Minister, Boris Johnson, asked citizens to stay at home just weeks after Italy (9 March), France (17 March) and other major European nations first closed their borders and locked down in an effort to stem the rising tide of infections across the continent. People put their personal lives on hold, rescheduled weddings and took up new hobbies baking bread and binge watching documentaries about big cats - and bigger personalities.
Businesses scrambled to decipher a new rulebook and vocabulary - furlough, social distancing measures, non-essential retail - and how they pertained to their daily operations and future prospects. While some sectors were forced into closure, one industry that did not stand still was supply chain, instead stepping up to meet the surge in ecommerce deliveries, adapting to fluctuating volume demand as businesses whirred into action or spun down into stasis and, ultimately, playing a major role in global recovery with the manufacturing and transport of the various COVID-19 vaccines.
What has the pandemic taught us?
The two refrains repeated by supply chain professionals amid the pandemic are resilience and visibility. Already the move towards more flexible and transparent value chains was driving digital transformation, but the immediate pressures placed upon SCMs by the virus made AI, ML and other intelligent automation technologies a must-have, rather than nice-to-have.
With passenger flights grounded, capacity for the air freight that travelled alongside holidaymakers has largely disappeared. Port chaos in China and subsequent knock-on effects halted sea freight, while countries dipping in and out of lockdown - not to mention Britain’s withdrawal from the EU - continue to cause issues with unclear border regulations and hastily drawn up paperwork. Resiliency here is key, something the big players are aiming to provide. In Europe, DHL is aiming to combat instability with its European Fulfilment Network, a pan-continental logistics network it says will help businesses hat require greater supply chain resiliency and the flexibility to react to volume fluctuations. Supply chain SaaS solutions and data analytics have also come into their own, offering clarity and stability during a period of interminable disruption.
Procurement teams also adapted rapidly, stepping beyond their daily functions to source PPE, sanitisers and other safety equipment. Their role continues to evolve: just consider the on-going dearth of semiconductors. Making chips is one of the most complex and time-intensive major manufacturing sectors, with lead times stretching into the months, relying on consistency in both in out-bound supply chains. The pandmeic strained manufacturers beyond breaking point, and the deficit has grown into a crisis. Car manufacturers have frozen production lines, those vehicles that will roll off the factroy floor will launch with missing features that need the chips to function. And now the shortages are spilling over into other sectors. Samsung, one of the world’s biggest chip makers and users, says it may skip iterative updates to its flagship mobile handsets this year due to the shortfall. Supply simply cannot keep up with rebounding demand for these goods.
More recently, Renesas, one of the world’s largest chip manufacturers, was hit by both an earthquake and a factory fire which will halt production for months to come - “yet another reminder of the importance of building resilience,” says Richard Barnett, a veteran semiconductor supply chain expert and CMO of Supplyframe. “Automobile manufacturers, consumer electronics companies and other businesses that rely on electronics components to build their products can lower their risk of chip shortages by using new forms of intelligence that provide visibility into the supply chain.”
One more year on
Tourism, hospitality and other industries that have withered under social distancing face a difficult road ahead. But supply chains, in the main, have thrived under adversity. Industry leaders such as XPO Logistics, FedEx, and UPS all posted record quarters and continue to expand and diversify their capabilities. It is a moral quandary whether one should measure success amid a pandemic in terms of balance sheets and financial gain, but fiscal stability does highlight the facts: that supply chains have undertaken the digital transformation many projected would span the coming decade in a time period meaured instead by months. In many cases, they are now on track to deliver and respond as we tentatively step into the post-pandemic world.
Supply chain professionals now lead the charge in the route to recovery. Their role in the global vaccination effort will be critical in the months ahead to ensure immunisation efforts reach the global community at large, not just the countries with big enough pockets and borrowing power to bulk buy. The story of the coming 12 months has yet to be written, and after the past year, projections and forecasts are less reliant than ever. But one thing is certain, the evolution of supply chains is a process still in motion - and will look dramatically different one more year on from today.
Google and NIST Address Supply Chain Cybersecurity
As high-level supply chain attacks hit the news, Google and the U.S. National Institute of Standards and Technology (NIST) have both developed proposals for how to address software supply chain security. This isn’t a new field, unfortunately. Since supply chains are a critical part of business resilience, criminals have no qualms about targeting its software. That’s why identifying, assessing, and mitigating cyber supply chain risks (C-SCRM) is at the top of Google and NIST’s respective agendas.
High-Profile Supply Chain Attacks
According to Google, no comprehensive end-to-end framework exists to mitigate threats across the software supply chain. [Yet] ‘there is an urgent need for a solution in the face of the eye-opening, multi-billion-dollar attacks in recent months...some of which could have been prevented or made more difficult’.
Here are several of the largest cybersecurity failures in recent months:
- SolarWinds. Alleged Russian hackers slipped malicious code into a routine software update, which they then used as a Trojan horse for a massive cyberattack.
- Codecov. Attackers used automation to collect credentials and raid ‘additional resources’, such as data from other software development vendors.
- Malicious attacks on open-source repositories. Out of 1,000 GitHub accounts, more than one in five contained at least one dependency confusion-related misconfiguration.
As a result of these attacks and Biden’s recent cybersecurity mandate, NIST and Google took action. NIST held a 1,400-person workshop and published 150 papers worth of recommendations from Microsoft, Synopsys, The Linux Foundation, and other software experts; Google will work with popular source, build, and packaging platforms to help companies implement and excel at their SLSA framework.
What Are Their Recommendations?
Here’s a quick recap: NIST has grouped together recommendations to create federal standards; Google has developed an end-to-end framework called Supply Chain Levels for Software Artifacts (SLSA)—pronounced “Salsa”. Both address software procurement and security.
Now, here’s the slightly more in-depth version:
- NIST. The organisation wants more ‘rigorous and predictable’ ways to secure critical software. They suggest that firms use vulnerability disclosure programmes (VDP) and software bills of materials (SBOM), consider simplifying their software and give at least one developer per project security training.
- Google. The company thinks that SLSA will encompass the source-build-publish software workflow. Essentially, the four-level framework helps businesses make informed choices about the security of the software they use, with SLSA 4 representing an ideal end state.
If this all sounds very abstract, consider the recent SolarWinds attack. The attacker compromised the build platform, installed an implant, and injected malicious behaviour during each build. According to Google, higher SLSA levels would have required stronger security controls for the build platform, making it more difficult for the attacker to succeed.
How Do The Proposals Differ?
As Brian Fox, the co-founder and CTO at Sonatype, sees it, NIST and Google have created proposals that complement each other. ‘The NIST [version] is focused on defining minimum requirements for software sold to the government’, he explained, while Google ‘goes [further] and proposes a specific model for scoring the supply chain. NIST is currently focused on the “what”. Google, along with other industry leaders, is grappling with the “how”’.