Just-in-Time Logistics And Cybersecurity – How To Reduce The Attack Surface
Inspired by the most recent Toyota third party breach, Snehal Antani, CEO of Horizon3.ai, has come up with defensive suggestions for enterprises concerned with these third-party risk exposures.
Here’s some background on this from Bloomberg:
“Kojima is a small company and little-known outside Japan, where it produces cup holders, USB sockets and door pockets for car interiors. But its modest role in the automotive supply chain is a critical one. And when the company was hacked in February 2022, it brought Toyota Motor’s entire production line to a screeching stop. The world’s top-selling carmaker had to halt 14 factories at a cost of about $375 million.”
That’s not a good place to be. Here’s what Snehal Antani, CEO and Co-Founder of Horizon3.ai, suggests to mitigate this threat:
“JIT Logistics, made popular by Walmart’s efficiency in the 2000s, now poses a significant cybersecurity risk to global organizations. An interesting example occurred with a Toyota supplier recently:
“Large organizations have the resources to build a world-class security operations center (SOC), but their suppliers often don’t have the talent or resources to defend against cyber-attacks effectively. Often these smaller suppliers are barely treading water, with IT Operations and CyberSecurity being a single team (or person!).
“This is especially challenging in the era of cyber-enabled economic warfare, where nation-states will execute cyberattacks to cause internal strife and economic pain that is below the threshold for war. Companies in manufacturing, pharmaceuticals, agriculture, energy production, etc., that have embraced just-in-time logistics are ripe targets, where a small action leads to outsized impact.
“So what? As security practitioners, we often default to thinking of SBOM when discussing supply chain security. However, that’s an orthogonal issue. As a CEO or COO, I would work closely with my CISO and procurement team to do the following:
- Map my suppliers
- Conduct sensitivity analysis to determine which suppliers pose the greatest impact on my operations if they are disrupted due to a cyberattack
- Identify the exploitable attack surface of my critical suppliers, while also assessing their ability to detect & respond to cyber attacks
- Expand the scope of the SOC to include security overwatch for those critical suppliers unable to defend themselves.
- Subsidize cybersecurity investments for the critical suppliers that lack the ability to harden, detect, and respond to breaches
- Invest in diversifying those suppliers to reduce the operational impact if any one supplier is disrupted
- Ultimately transform the vendor risk assessment process to hold suppliers truly accountable for their security posture: their exploitable attack surface, their ability to detect & respond, and improvements to both over time
“Early adopters in this space are leveraging autonomous pentesting to identify the exploitable attack surface of their critical suppliers and making investments to proactively harden their systems and improve their detection & response time.”
This entry was posted on April 20, 2023 at 8:38 am and is filed under Commentary with tags horizon3.ai. You can follow any responses to this entry through the RSS 2.0 feed.