Adopt Best Practices Now

As we’ve previously discussed, assessing cyberrisk and risk mitigation measures should extend to the entire ecosystem in which businesses operate. It involves conducting a complete 360-degree analysis that includes company processes and structure, as well as those of every vendor in the supply chain.

The process should consider systems in the broadest sense (information technology, operational systems, equipment, machinery, etc.) and the people that run them, as digital security is still often compromised by human error.

The first stage of working toward greater cyberresilience consists of mapping operational systems. Drawing up the list of attack surfaces to determine the most vulnerable systems and the scope of risks the organization is facing helps define what level of protection is appropriate and what measures should be taken.

That means making cybersecurity a priority in all day-to-day operations and at the highest levels of the organization, for easier decision-making and resource mobilization. Changes to the organizational structure may be needed to ensure responsibility for cybersecurity is entrusted to the right people with the skills to make the necessary decisions.

The next stage involves implementing an operational cybersecurity program that includes a review of the corporate computer architecture. Business technology systems can be accessed in multiple ways, and every point of contact should be considered – critical systems, of course, but also interconnected subcontractor systems that handle increasing volumes of data. That’s why collaborating with the various parts of the supply chain is essential to securing systems.

Successful cybersecurity programs rely just as heavily on cross-functional collaboration within organizations. Having specialized teams take part in the process helps limit the impact on systems, as they have an invaluable understanding of technology.

Change management underpins the entire process. It is important to lay the foundation for the teams involved, and more broadly, to raise employee awareness about the nature of cyberrisks and how employees can make a difference day to day, helping them grow more vigilant. Communication, education, and training efforts are necessary. Areas of responsibility can also be reviewed so that the organizational structure of the business reflects the importance placed on cybersecurity.

Beyond integrating a well thought out operational cybersecurity program to operations, periodically reviewing and validating measures in place is essential to keeping systems secure and adapted as technology develops.

The last stage consists of conducting regular audits of the cybersecurity program, along with complementary activities including surveillance and continued training for the teams involved. With these tools, businesses are in a better position to keep up with the new standards and regulations they will have to integrate over time, both when it comes to securing current systems and to designing and developing future systems.

Rising to the Challenge to Set Yourself Apart

The threat is latent. Business rolls on and it is in the interest of businesses to stay one step ahead and maintain their competitive edge.

Overlooking cybersecurity could put essential business relations at risk and threaten the survival of organizations. Businesses whose systems perform well but fail in terms of cybersecurity could be excluded from requests for proposals. Conversely, businesses with solid cybersecurity programs would be in an influential position and could prompt its own customers to adopt higher security standards, for the benefit of their entire ecosystems.

Operational systems that are covered by cybersecurity programs could even provide a competitive edge over the short term, as the vast majority of businesses are only beginning to implement such programs. Being ahead of the curve puts organizations in an enviable position.

While being prepared for attacks doesn’t prevent them from happening, it does help targeted businesses react quickly and appropriately. In doing so, they demonstrate their earnestness, skill, and professionalism, all of which inspire trust among customers and suppliers.

Technology is developing rapidly, and new fields of expertise are emerging in both computing and engineering. As a result, organizations should secure the right skill sets to uphold system cybersecurity over time.

Standards in the field are also evolving. Staying abreast of regulations and certifications being adopted in the markets in which businesses operate help them make sure that their systems are designed to upcoming cybersecurity requirements. It seems likely that regulations stemming from the ISO 21434 standard will be adopted progressively across North America. Businesses can draw from this standard to set up robust processes that ensure the highest levels of security.

In a similar vein, staying on top of legislative developments could lead organizations to make a real difference, or at least foster the adoption of secure practices. Keeping a log of cyberincidents is a good example. Beyond the documentary interest in strengthening organizational security processes, such logs could become standard in the near future. Canadian regulations are evolving, and bill C-26 is set to make it mandatory for businesses to report the cyberattacks they fall victim to, rather than the current voluntary disclosure.

Anticipating the adoption of such rules and complying with them now, if not outright going beyond set security criteria, puts businesses one step ahead in a changing environment. Taking the lead could even help set them apart and give them a say as these new regulations are developed.

Cyberthreats are ever-shifting disturbance vectors businesses must learn to deal with. Cybersecurity is not an end in itself, but it is becoming one component of businesses’ operational and financial health, and ultimately, of their survival.

As with any threat or crisis, the degree of preparation is often an indication of how quick and efficient organizations will be in recovering and resuming normal operations. Businesses can adopt a preventive approach to cyberthreats and develop greater agility, making a major positive difference in the long run.

Depending on the nature of the conclusions drawn when data is collected and questionnaire results are analyzed, businesses can review and improve their supplier selection process to strengthen minimum cybersecurity requirements. In time, certain organizations will choose to consolidate their supply chain to make it easier to enforce subcontractor requirements.

Whether they are long-time suppliers of the organization or new, it is important to integrate them fully into the assessment process and communicate clearly with them to ensure the entire supply chain is secured.

Setting clear minimum cybersecurity requirements is always easier when entering into new contracts than it is when dealing with long-standing partners. It is nonetheless vital to address cybersecurity issues and requirements with the latter, with the support of procurement department representatives (purchasers) and legal teams. They will be the catalyst for awareness and the necessary review of internal processes and contractual procurement clauses. These professionals will have to be appropriately trained on minimum cybersecurity requirements that could feature in negotiations with subcontractors.

As cybersecurity-enhancing regulations and certifications are adopted and applied across the industry, integrating specific cybersecurity measures will have to be considered as part of contractual supply operations.

The ISO 21434 standard calls for close collaboration between a system’s integrator or designer and its various suppliers, thus requiring that the roles and responsibilities of both parties be clearly identified, documented, and mutually accepted. The integrator will then have to ensure that set cybersecurity processes are followed, both in their own organization and by subcontractors.

Anticipating Risks

According to Statistics Canada, 47% of cyberattacks in Canada in 2019 targeted small and medium enterprises(3). The more than 1.14 million such businesses across Canada(4) are an essential part of the national economic fabric.

Believing themselves too small to present an attractive target, they often underestimate the cyberthreats they could fall victim to. SMEs often have less robust security systems that present more easily accessible back doors to penetrate the information systems of larger businesses.

Customers could limit such vulnerabilities by being proactive in encouraging a collaborative approach with all partners to strengthen the supply chain from end to end. They could also prompt SMEs they deal with to develop their cyberresilience by leveraging dedicated cybersecurity resources.

While international standards are still being developed or adopted, many solutions already exist to support SMEs in securing their information systems, including the federal government’s CyberSecure Canada program(5) that gives SMEs access to resources to better understand the risks they face. Barring the implementation of specific security checks, they can opt for certification to reflect their best cybersecurity practices.

Subcontractors that integrate cybersecurity policies to the very design of their products and/or systems emerge as winners in the process, benefitting all customers by reducing cybersecurity risks. This collaborative approach is mutually beneficial to everyone involved, and the supply chain is all the more secure as collaboration between parties is enhanced.

Maintaining high cybersecurity levels among all supply chain members becomes a prerequisite to its proper operation, but it requires long-term investments and efforts, the benefits of which are difficult to assess. Sharing information and best practices between customers and suppliers will enable organizations to take part in a broader-scale drive to increase their mutual cyberresilience. By investing time and effort in analyzing and strengthening the cybersecurity of their supply chain, businesses will help build value for their entire ecosystem.

⁽¹⁾ https://www.pwc.com/ca/en/services/consulting/cybersecurity-privacy/digital-trust-insights

⁽²⁾ https://www.enisa.europa.eu/understanding-the-increase-in-supply-chain-security-attacks

⁽³⁾ https://www150.statcan.gc.ca/n1/daily-quotidien/201020/dq201020a-eng.htm

⁽⁴⁾ https://cyber.gc.ca/publications

⁽⁵⁾ https://cybersecure-canada/en/get-started

In light of the efforts needed, it appears that certifying operational systems poses several challenges and compels businesses to follow a strict process that involves mobilizing significant human and financial resources. And while implementing an operational cybersecurity program may constitute a first step toward certification, its impact on existing IT systems should not be overlooked.

As is the case for all major projects, proper planning is crucial to successfully transitioning to an operational cybersecurity program, including a precise mapping of the systems involved and the assistance of experienced resources to support businesses in their efforts. Successfully implementing such programs then simplifies business processes when responding to RFP going forward.

(1) Source: ISO/SAE 21434 Automotive Cybersecurity Standards Guide (beyondsecurity.com)

(2) Source: Operator Connected Car Strategies Statistics: Market Summary | Infographics (juniperresearch.com)

What Risks Are Businesses Exposed to?

While profit remains the main motive behind cyberattacks, potential damages can vary widely, depending on the perpetrators.

In the transportation sector, cyberthreats can, for example, seek to take control of equipment to disrupt, cripple, or even destroy a transit system. One recent example involves a computer virus attack on the transit authority of a large North American city. The infiltration affected over 60% of the organization’s servers, as well as a number of workstations, which forced it to mobilize vast resources to restore its servers and ensure no data was stolen. The cyberincident had no effect on the operational bus and subway systems, but other organizational platforms were disrupted, including its website and phone lines.

Another thought-provoking example that served as a wake-up call for the automotive industry involved two American scientists taking remote control of a Jeep Cherokee in 2015. The two information security specialists wanted to show that it was possible to disrupt certain car systems by infiltrating the onboard computer. Conducted with a journalist in the driver’s seat, the operation led Fiat Chrysler to recall over one million vehicles to correct identified vulnerabilities.

Although not all cyberattacks are alike in scope or severity, consequences can still be harmful to victim organizations, jeopardizing their financial health, reputation, and even their continued success.

According to a survey conducted by Deloitte (2), 32% of top executives worldwide indicated that the most significant repercussions are on an operational level. They also mentioned the theft of intellectual property (22%) and drops in share price (19%).

Operational systems are at even greater risk as they were often designed independently of organizational infrastructure and include no cybersecurity components. Generally built to last with life cycles of 10-plus years, operational technology relies on equipment and software with vulnerabilities that are often well known to hackers or become so from lack of updates.

Are Businesses Ready to Respond?

The very diverse nature of cyberthreats makes them difficult to anticipate and forces businesses to develop their cyberresilience. From inventorying assets connected to a network to identifying the skills needed to know, understand, detect, and prepare to face these new risks, businesses must rally their forces to present a united front against these threats.

On a global scale, governments, work groups, and regulatory bodies are also organizing to define new rules. Fighting against cyberrisks will soon involve clients and businesses demonstrating their ability to meet minimum cybersecurity requirements.

In the US, the National Institute of Standards and Technology (NIST), a non-regulatory federal agency, has developed a cybersecurity framework that includes several standards, guidelines, and best practices and made it available at no cost to private organizations seeking to develop or update their own cybersecurity programs. 

In the transportation industry, the United Nations has also drafted standards to prompt vehicle manufacturers to develop secure operational systems that include cybersecurity considerations right from the design phase. Adopted in 2021, UN regulations R155 and R156 lay the foundations of a cybersecurity framework for vehicles in various regions around the world, applying to both cybersecurity management systems and software update management systems. The European Union intends to impose these new measures to road vehicle manufacturers by 2022 for all new vehicle types and by 2024 for existing platforms.

In Canada, Transport Canada and various levels of government are taking these new security standards into account, particularly standard ISO/SAE 21434 (Road vehicles—Cybersecurity engineering) that seeks to integrate cybersecurity engineering practices at every stage of a vehicle’s life cycle.

The digital transformation is well underway and shows great potential for the transportation industry, in that it enables manufacturers to achieve greater efficiency and helps improve transportation safety for riders.

However, cybersecurity challenges are a growing concern for businesses, who should give them due consideration at the highest levels of the organization. They will have to assess organizational exposure to cyberrisks, mobilize the necessary resources to protect themselves appropriately, manage incidents and potential crises, and update operational systems. Adopting a comprehensive approach that includes third parties will also be important in managing the inherent risks of the supply chain, as we will discuss in upcoming articles in this special report.

Read the second feature of our series.

(1) Critical Infrastructure Partners (publicsafety.gc.ca)

(2) The Deloitte 2021 Future of Cyber Survey polled nearly 600 C-level executives about cybersecurity at companies with at least $500 million in annual revenue, between June 6 and August 24, 2021. the