Supply chain risks under review after Suez canal blockage
At the end of last month, the Suez Canal in Egypt became blocked after one of the largest container ships in the world, the 'Ever Given', ran aground, blocking the waterway for almost a week.
The blockage had several knock-on effects, including disruption to global supply chains, as goods carried on other ships were unable to continue their journey.
Although the canal has since reopened, problems persist: 300 ships have reportedly been delayed and are awaiting the green light to transit.
Other ships have been re-routed, taking a much longer way around South Africa's Cape of Good Hope.
International freight transport and logistics insurer TT Club is now alerting supply chain operators to these impacts and warning them of the consequences that events of this kind can have on the supply chain industry.
Mike Yarwood, Managing Director of TT Club, commented on the effects of the incident, saying: “Beyond the delay to cargo on board those ships affected, there will inevitably be a knock-on impact for those involved in discharging the containers at destination ports when they finally arrive, as well as the final mile delivery carriers.
“While the immediate impact may be a lack of cargo arriving when expected, presenting market supply challenges, it is when the cargo does start to turn-up that further potential risks emerge,” he said.
The disruption has in part been created by a large number of full containers, along with hinterland distribution requirements, which are placing strain on yard and throughput capacities and causing cargo to build up.
Mr. Yarwood also points out that this could lead to an increase in theft at ports and freight depots, creating a need for tighter security in the affected areas, and he warns supply chain operators to be diligent.
He said: "The risk of theft at ports and freight depots in this scenario is heightened and a greater focus on security is required.
"Whether it simply be at an overspill holding or storage area, or temporary warehousing, wherever and whenever cargo is not moving, it is more likely to be stolen.
"Those active in the supply chain should be mindful of these security risks. Due diligence, undertaken to ensure that any third-party provider of storage is adequately resourced to meet these demands, is a prudent step to take in these circumstances," commented Yarwood.
This is an example of the butterfly effect, in which a single disruption sets off an ongoing chain of events, each affecting the next, with consequences that may be good or bad.
Furthermore, the consequences look set to continue: the shortage of delivery drivers is expected to worsen this year, as found in a recent International Road Transport Union (IRU) survey, meaning cargo ships will be relied upon to transport goods.
Summing up the events that led to the risks to the supply chain industry, Mike Yarwood said: "The new normal might see many stakeholders increase their focus on contingencies and adopt more of a 'just in case' philosophy than a 'just in time' one."
Google and NIST Address Supply Chain Cybersecurity
As high-profile supply chain attacks hit the news, Google and the U.S. National Institute of Standards and Technology (NIST) have both developed proposals for how to address software supply chain security. This isn't a new field, unfortunately. Since supply chains are a critical part of business resilience, criminals have no qualms about targeting their software. That's why cyber supply chain risk management (C-SCRM), identifying, assessing and mitigating cyber supply chain risks, is at the top of Google's and NIST's respective agendas.
High-Profile Supply Chain Attacks
According to Google, no comprehensive end-to-end framework exists to mitigate threats across the software supply chain. [Yet] ‘there is an urgent need for a solution in the face of the eye-opening, multi-billion-dollar attacks in recent months...some of which could have been prevented or made more difficult’.
Here are several of the largest cybersecurity failures in recent months:
- SolarWinds. Alleged Russian hackers slipped malicious code into a routine software update, which they then used as a Trojan horse for a massive cyberattack.
- Codecov. Attackers used automation to collect credentials and raid ‘additional resources’, such as data from other software development vendors.
- Malicious attacks on open-source repositories. Out of 1,000 GitHub accounts, more than one in five contained at least one dependency-confusion-related misconfiguration.
As a result of these attacks and Biden's recent cybersecurity mandate, NIST and Google took action. NIST held a 1,400-person workshop and published 150 papers' worth of recommendations from Microsoft, Synopsys, The Linux Foundation and other software experts; Google will work with popular source, build and packaging platforms to help companies implement and excel at its SLSA framework.
What Are Their Recommendations?
Here’s a quick recap: NIST has grouped together recommendations to create federal standards; Google has developed an end-to-end framework called Supply Chain Levels for Software Artifacts (SLSA)—pronounced “Salsa”. Both address software procurement and security.
Now, here’s the slightly more in-depth version:
- NIST. The organisation wants more 'rigorous and predictable' ways to secure critical software. It suggests that firms use vulnerability disclosure programmes (VDP) and software bills of materials (SBOM), consider simplifying their software, and give at least one developer per project security training.
- Google. The company thinks that SLSA will encompass the source-build-publish software workflow. Essentially, the four-level framework helps businesses make informed choices about the security of the software they use, with SLSA 4 representing an ideal end state.
If this all sounds very abstract, consider the recent SolarWinds attack. The attacker compromised the build platform, installed an implant, and injected malicious behaviour during each build. According to Google, higher SLSA levels would have required stronger security controls for the build platform, making it more difficult for the attacker to succeed.
How Do The Proposals Differ?
As Brian Fox, the co-founder and CTO at Sonatype, sees it, NIST and Google have created proposals that complement each other. ‘The NIST [version] is focused on defining minimum requirements for software sold to the government’, he explained, while Google ‘goes [further] and proposes a specific model for scoring the supply chain. NIST is currently focused on the “what”. Google, along with other industry leaders, is grappling with the “how”’.