The WannaCry Cyberattack: Another Warning for Supply Chain Executives

One of the most popular posts I wrote last September became a reality over the weekend.

Comparing the headlines (September 7, 2016 and May 12, 2017).

By now, you’ve probably read the headlines, like this one from the Wall Street Journal: “Major Cyberattack Sweeps Globe, Hitting FedEx, U.K. Hospitals, Spanish Companies.” It echoes the title of my post from last September: “The Day a Cyber Attack Brings the World’s Supply Chains to a Halt.”

(I noticed a spike in pageviews on Friday for that post — which was one of the most popular from last year, with over 31,000 views on LinkedIn — and I couldn’t figure out why it was happening until later in the day when I checked my news feeds.)

Friday’s cyberattack involved a ransomware virus called WannaCry, and although it didn’t bring the world’s supply chains to a halt, it did cause significant disruptions around the world (over 200,000 organizations affected in more than 150 countries). The French automaker Renault, for example, was forced to shut down factories across Europe. As reported by the Wall Street Journal:

When workers arrived at a Renault plant in Sandouville, in northern France, on Saturday morning, TV screens that usually update staff on company productivity had a different message: A demand, in French, for $300 in ransom. The screens also showed two clocks counting down the time Renault had to deliver the payments before the factory’s files were deleted.

An early sign of trouble at the Renault plant in Sandouville came when the assembly line’s alarm system stopped working early Saturday—right after the demand for ransom appeared on TV screens. Tanguy Deschamps, a 38-year-old who was working at the factory when the virus hit, said the alarms were failing to sound whenever workers tried to alert others to crooked or improperly welded parts.

One of Renault’s factories in France remains closed today as the company continues to run tests.

FedEx, which was the hypothetical example I used in my post (based on an excerpt from the novel CyberStorm), was also affected by the cyberattack, although it didn’t affect operations.

Back in July 2010, I wrote a post titled “The Next 9/11: The Risk of a Supply Chain Cyberwar,” where I highlighted the following excerpt from an article in The Atlantic by James Fallows titled “Cyber Warriors”:

First, nearly everyone in the business believes that we are living in, yes, a pre-9/11 era when it comes to the security and resilience of electronic information systems. Something very big…is likely to go wrong, they said, and once it does, everyone will ask how we could have been so complacent for so long.

The WannaCry cyber attack is another warning for supply chain executives to stop being complacent.

What can you do? Here are three recommendations:

Make sure your IT systems are still supported by the vendors and continuously updated with the latest security patches. This is the biggest lesson learned from this WannaCry virus attack, which exploited a vulnerability in Microsoft Windows systems. As reported by The Verge, “The malware was able to spread thanks to flaws in old versions of Windows…While Microsoft quickly issued fixes for the latest versions of Windows last month, this left Windows XP unprotected. Many of the machines attacked today have been breached simply because the latest Windows updates have not been applied quickly enough, but there are still organizations that continue to run Windows XP [which Microsoft stopped supporting in April 2014] despite the risks.” Simply put, if you’re still running systems from 2001 (when Windows XP was first released) and have fallen behind on downloading patches and security updates, you’re playing with fire and have nobody but yourself to blame when disaster strikes.

Make sure your cloud and software-as-a-service providers take cyber security seriously too, which means they’re investing the time, money, and resources to develop and deploy security processes and systems and they’re obtaining and maintaining relevant certifications. In the early days of software-as-a-service, security was arguably the top concern many companies had about deploying a SaaS application. While security remains important today, it is no longer a roadblock to implementation, as SaaS has evolved from early-adopter stage to broad adoption, and as solution providers have invested in security.

For example, cyber security was one of the topics we discussed at the Executive Forum track at the Descartes Evolution 2017 conference last month. As I shared in my write-up, “As a network-based company, security and protecting customer data is a top priority for Descartes and the leadership team, which is why the company invests a significant amount of time, money, and resources on network security. This includes making sure all of its hardware and software systems are updated as soon as new patches are released and going through certification processes for its data centers.”

In short, when evaluating cloud software providers, don’t just focus on the features and functions of their applications — make sure you thoroughly evaluate their network security capabilities too.

Don’t just focus on prevention, focus on minimizing the scope and scale of a disruption too. Here’s a fact: no matter how much you or your technology partners prepare and invest in cyber security, you can’t prevent an attack 100 percent of the time. Your network will get breached. Unfortunately, most companies spend the vast majority of their time and resources trying to prevent an attack and not enough time and energy on developing processes and systems to minimize the impact of a breach when it eventually happens.

For example, not long after the 9/11 attacks, the airport in Atlanta was shut down completely when a passenger ran through the security line and boarded the people-mover train that stops at all the terminals. Since security didn’t know who this passenger was or which terminal he was heading to, they had to close all of the terminals and rescreen everyone through security again. As reported by the New York Times that day, “That single incident produced the most extensive security delay since the Sept. 11 attacks and forced the evacuation of the airport, pushing more than 10,000 bewildered travelers onto the sidewalks and roadways for more than four hours. Scores of incoming flights were delayed or canceled at airports around the country, causing backups from coast to coast.”

What could have minimized the scale and scope of that security breach? A simple power button at the security station that would have shut down the people-mover train, thus preventing the rogue passenger from heading to any of the terminals; the rescreening would have been limited to just those passengers still in the security area. But with so much focus (then and now) on prevention, such a simple solution to minimize the impact of a security breach was overlooked.

The bottom line: assume you will get breached, so don’t ignore or underinvest in disruption minimization efforts.

Embed supply chain risk management within your corporate DNA. As I’ve written many times before, when it comes to supply chain risk management, many companies are falling short. The sooner companies embed supply chain risk management within their corporate DNA, the sooner they’ll be able to adequately address this growing threat of cyber terrorism. Mitigating the threat will also require greater collaboration between the IT and supply chain functions, not only within companies, but across all stakeholders in global supply chains. As the examples above illustrate, criminals and terrorists are already on the offensive — and their actions will only intensify in the months and years ahead.