This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.

As supply ecosystems grow, and points of vulnerability proliferate, businesses will have to turn to distributed ledger technology.

Companies' supply chains are becoming ever more complex in the global, ultra-competitive economic environment. The manufacture of products tends to involve many parts and components created by specialist factories dotted across different parts of the world.

That means there are an increasing number of different players in supply chains, each using their own technological platforms. This makes supply chains more vulnerable to cyber attacks.

That's why cyber criminals looking for new ways to exploit company networks are turning their focus to the privileged network access given to the many players involved in supply chains.

This is a serious risk for businesses. Through just one compromise, supply chain attacks can strike at vast numbers of machines connected to the supply chain. And these attacks can be much harder to detect than traditional malware.

The Importance of the Supply Chain

Take a simple product like a sports shoe. Nine or 10 suppliers across the world might be involved in creating the materials. These materials might then be shipped to a dozen different factories for processing. Then they might be shipped to another factory to put the shoe together.

That might sound like a complex supply chain. But it's relatively simple in comparison with the complexity involved in sourcing for machines such as cars or factory equipment.

Whether shoes, cars or factory machinery, these globalized, multi-player supply chains offer essential efficiencies. But they require everyone involved in them to communicate within a central system to avoid issues such as inaccurate inventory reporting, unexpected shortages and supply chain fraud.

These types of open supply-chain networks make systems highly vulnerable to cyber attacks.

An Increase in Attacks

Earlier this year, cybersecurity experts CrowdStrike revealed research suggesting two-thirds of organizations it surveyed had experienced a software supply chain attack in the past year. The average cost of an attack was over $1.1 million.

In an era of the Internet of Things, digital buying platforms and robotic process automation, vulnerabilities will continue to proliferate.

But organizations are being held back from developing robust protection strategies because of the time and cost involved in vetting suppliers and third parties. According to the CrowdStrike report, 90% of businesses agreed security is a critical factor when making supplier decisions, but only 37% said they would be able to vet all of them.

So what should businesses do? How can they ensure every member of the supply chain has the cyber tools and protection to defend against attacks?

Blockchain Technology Helps Prevent and Contain Attacks

Rather than continually patching up old security systems, blockchain technology offers companies a way to build protection into the supply chain by design, while streamlining their supply chain processes. The blockchain is a transaction ledger that is uneditable and virtually unhackable. New information can be written onto the blockchain, but the previous information (stored in what are known as blocks) can't be adjusted. Every single block (or piece of data) added to the chain is given an encrypted identity.

Cryptography effectively connects the contents of each newly added block with each block that came before it. So any change to the contents of a previous block on a chain would invalidate the data in all blocks after it.

Blockchains run in almost sterile environments. The only way to get data on to them is through the chain itself. So a cyber attack is highly unlikely to work. And if one ever did, it would leave clues that would trace back to the attacker.

This means the number of stakeholders involved in a blockchain-based supply chain wouldn't actually matter from a security point of view. There would no longer be any weak links if they were all working through the same blockchain.

The blockchain doesn't store data in a single centralized location, but across a vast network of computers that constantly verifies information with each other. In order to compromise data as part of a cyber attack, a hacker would need to breach a majority of the computers in the network simultaneously. This is almost impossible.

That's why securing a supply chain is a perfect use case for blockchain technology. Of course, the veracity of the data must be established before it is added to the blockchain. This means the devices capturing the data (for example, sensors) must be certified and authenticated. Ensuring the link between the physical and the digital world is valid is a problem that can't be solved by blockchain technology by itself.
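An added example, not code from the article or from any blockchain platform: a minimal single-process hash chain showing the linkage described above (editing an earlier block breaks verification from that block on) and the requirement that a data source be authenticated before its records are appended. SHA-256, the HMAC device tags, the `sensor-A` key and the `SN-001` events are assumptions constructed for illustration; consensus across a network is not modelled.

```python
import hashlib, hmac, json

GENESIS = "0" * 64
# Constructed key for one certified device; real keys would be provisioned per sensor.
DEVICE_KEYS = {"sensor-A": b"constructed-demo-key"}

def canon(obj):
    return json.dumps(obj, sort_keys=True).encode()

def digest(prev_hash, device_id, event):
    """Hash of this block's contents bound to the previous block's hash."""
    return hashlib.sha256(prev_hash.encode() + canon([device_id, event])).hexdigest()

def sign_event(device_id, key, event):
    """Tag a device attaches so the ledger can authenticate the data source."""
    return hmac.new(key, canon([device_id, event]), hashlib.sha256).hexdigest()

def append(chain, device_id, event, tag):
    """Append only if the tag verifies under a known device key."""
    key = DEVICE_KEYS.get(device_id)
    if key is None or not hmac.compare_digest(tag, sign_event(device_id, key, event)):
        return False
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "device": device_id, "event": event,
                  "hash": digest(prev, device_id, event)})
    return True

def first_invalid(chain):
    """Index of the first block whose link or hash fails, or None if intact."""
    prev = GENESIS
    for i, block in enumerate(chain):
        expected = digest(prev, block["device"], block["event"])
        if block["prev"] != prev or block["hash"] != expected:
            return i
        prev = block["hash"]
    return None

def build_sample_chain():
    """Constructed sample: three custody events for one serial number."""
    chain, key = [], DEVICE_KEYS["sensor-A"]
    for step in ("made", "shipped", "received"):
        event = {"serial": "SN-001", "step": step}
        append(chain, "sensor-A", event, sign_event("sensor-A", key, event))
    return chain

if __name__ == "__main__":
    chain = build_sample_chain()
    chain[1]["event"]["step"] = "diverted"  # edit a historical block in place
    print("first invalid block:", first_invalid(chain))
```

Recomputing the stored hash of the edited block only moves the failure to the next block, whose `prev` value no longer matches; that is the cascading invalidation the article describes.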

Transparency and Security

As well as security, blockchain technology also brings essential transparency to supply chains.

For example, in manufacturing, many parties need questions about the provenance of products answered, whether for children's toys, cosmetics or electrical appliances. The world needs confidence that goods aren't counterfeited, have been made properly, and are safe to consume.

In these cases, manufacturers need a way to prove data about their supply chain. And increasingly, they need to have ready evidence of operational details that are trusted and verified enough to help them in case of a lawsuit or questions about authenticity. For this trust to exist, they need to know the data is immutably correct.

Blockchain technology provides a solution here. The blockchain's core value—built on distributed consensus—offers a way to turn data into immutable proof of evidence that can't be destroyed or hacked.

For example, in the case of a manufacturer dealing with counterfeit goods in its supply chain, the company could record on the blockchain when a genuine product was made and follow it through the chain. This way, it could prove that a counterfeit item was not its own. If a serial number was copied, the company could show where the genuine product is and prove that the counterfeit product is a fake.

Companies can also become empowered to monitor supply chains for occurrences like the transfer of inventory, the exchange of cash from the moment the raw material is acquired, and the sale of the final product to the consumer.

Crucially, all this can be established without multiple technological platforms being plugged into the flow of supply chain information. Importantly, as blockchain technology continues to evolve, supply chain management will become more efficient by increasing visibility, reducing monitoring costs, preventing accounting discrepancies, and providing predictive analytics.

A Future Built on Smart Contracts

An era widely described as the fourth industrial revolution is well underway. The Internet of Things is providing businesses with the means to monitor and gain mastery over supply chains—gaining vast amounts of business value in the process.

But as the number of data points in each supply chain continues to grow, companies' vulnerability to attacks grows, and the implications of those attacks grow too.

Protecting a supply chain from cyber risk can no longer be about upgrading security systems attached to supply chain ecosystems with multiple points of vulnerability. Designing security and immutability into the platform itself is by far the safest option.

Blockchain technology can also help us store this valuable information safely—then sift through it to prove an event recorded was right or wrong. That's why it is about to transform supply chains.

Adrian Clarke, a former Microsoft CTO, is founder of tech startup Evident Proof, a blockchain-based platform that turns documents, transactions and data events into evidence that can be used to meet compliance, provenance and other data verification requirements.