Analysis: Secure your supply chain


The automotive industry supply chain relies heavily on communications and document exchanges.

Up to $1 trillion of intellectual property is stolen by cybercriminals each year, according to a survey by Purdue University. Is that figure not enough to suggest that poor security could cost the automotive industry far more in the long run than it saves?

The automotive industry relies heavily on its secure and reliable communications for key business operations, such as supply chain management via electronic data interchange (EDI), computer aided design (CAD), computer aided engineering (CAE), and product data management (PDM).

One could say that the systems and data that enable these communications are the lifeblood of the automotive supply chain, potentially even the automotive industry. Make a poor decision that affects the ability for the supply chain to move, and the results could be globally catastrophic.

However, as the industry struggles to operate more efficiently with fewer expenses, these collaboration and document exchange services become a very large and natural target for cutting costs.

The US Automotive Industry Action Group (AIAG) established a committee of global industry representatives to find cost-effective alternatives to dedicated private collaboration networks.

It met with other global industry representatives during the recent "Collaborative Supply Chain Data Network Connectivity" event held in Michigan, and the cost-cutting topic ran hot through most of the sessions.

Security and reliability did not.

The industry could save money by following suggestions to move this traffic onto the public internet, where technology and service acquisition costs are lower.

However, this decision could come at the expense of trade secrets being stolen, supply chain productivity decreasing, and even increased operational overhead.

And while the globalisation and commoditisation of IT have driven businesses to store increasing amounts of precious corporate data in the cloud, cybercriminals have discovered new ways to target it.

The industry should not take lightly the task of finding the right balance of cost versus functionality versus risk.

Two firms very familiar with this space, ANX in the United States and ENX in Europe, have described two key areas of the automotive data exchange environment that make up the core of supply chain collaboration: engineering data and EDI, accounting for roughly 80 and 20 percent of the traffic, respectively.

The companies said that in the engineering collaboration space 80 to 90 percent of the risk exposure is associated with the loss or theft of design and other engineering documents, such as highly sensitive CAD drawings.

The firms also expect that 70 to 80 percent of the risk exposed in the EDI space is associated with delayed or failed order transactions. A significant failure within a just-in-time manufacturing process could take down an entire production line.

While cost is certainly a factor, the price of the service becomes a non-issue if the low-cost alternative introduces weakened security measures, unacceptable reliability, and inadequate performance.

If the communications are not fast enough, or introduce the risk of sensitive data being leaked or stolen, it won't matter how little the service costs.

In an effort to help suppliers make an informed decision, captured below are some of the primary concerns associated with the secure and reliable exchange of intellectual property and EDI communications.

The information is presented in the form of questions to ask the service provider before making tradeoffs based primarily on cost.

  • Can the service substantially reduce the complexity, errors, and overhead of setting up multiple secure OEM communications?
  • Can the service provide a one-call setup and configuration process with always-on, end-to-end communications across multiple countries, languages, and internet service providers?
  • Can the service provider protect against unauthorised access to, and loss of, highly sensitive information such as engineering designs and documents?
  • Can the service provider properly protect against breaches and denial of service attacks such that they can guarantee an end-to-end service without disruption to critical just-in-time EDI transactions?

Whatever steps are taken toward these goals, they should not introduce new risk to the reliability, integrity, or security of supply chain operations.

Don't let $1 trillion in theft prove you wrong. Ask questions. Verify answers. Choose wisely.

Sean Martin is a CISSP and founder of imsmartin consulting. He can be reached at

This article originally appeared at

Copyright © SC Magazine, US edition