In a previous post, we discussed the rapidly changing landscape of software supply chains. Now, we turn from containers in Kubernetes to containers on cargo ships, from digital supply chains to physical supply chains: the people and organizations managing the ships, trains, trucks, warehouses, and other physical critical infrastructure on which we all rely for our daily food and other goods.
With supply chains in the news every day as disruptions from border closures to changing consumer behavior ripple through the global economy, logistics organizations have had to take a new look at their operational capabilities.
This means the same “digital transformation” that has completely changed other industries: digitizing existing processes, connecting with customers and partners, and refining processes through automation and analytics.
In practical terms, this means integrating mission-critical information systems to eliminate silos and allow supply chain partners to work together. In technical terms, this means using application programming interfaces (APIs) to connect systems, data, and businesses to address supply chain cyber security threats.
But with digitization and new ways of working come new challenges, particularly regarding cybersecurity in the supply chain and, ultimately, a logistics organization’s ability to execute.
In this article, we’ll cover:
- Why APIs matter in supply chain cybersecurity
- How supply chain APIs can become vulnerable
- What security teams can do to safeguard their supply chain and capitalize on today’s high demand
Why APIs matter to supply chain cybersecurity & logistics
The disruptions to supply chains from COVID-19 highlighted how complex and, at times, fragile global supply chains have become, as just-in-time manufacturing met the hard reality of unavailable parts and materials.
As supply chains became more efficient, they also became more complex, because the number of things that had to go right increased: sufficient raw materials being mined or manufactured, parts being loaded onto containers in time, enough ships and trucks being available, and so on.
Furthermore, the number of information systems – software, internet-connected devices, and networks – that supply chain participants rely on has continued to grow. Supply chains are fundamentally collaborative enterprises, and as systems of record have transformed from physical folders and notebooks to digital systems, the amount of data and traffic has grown exponentially. The system sprawl is hard to overstate:
- Freight forwarders have often created proprietary systems and been in the spotlight with the backlog at US ports.
- Shippers rely on inbound visibility systems to track orders of raw materials, enterprise resource planning (ERP) systems to manage orders, warehouse management systems (WMS) to manage inventory stored for shipper customers, and yard management systems and appointment scheduling systems for scheduling deliveries and pickups.
- Third-party logistics providers (3PLs) rely on their own WMS, time clock systems for warehouse workers, transportation management systems (TMS), remote sensors such as temperature sensors for cold chain shipments, and real-time transportation visibility providers (RTTVP) to store products, arrange shipments, and track deliveries.
- Freight brokers rely on transportation management systems to cover shipments and manage carrier relationships, plus telematics solutions to provide visibility into shipment locations and ETAs.
- Carriers (mostly trucking companies but also air freight, rail freight, and ocean freight) rely on digital freight marketplaces (DFM), load boards, and legally mandated systems such as electronic logging devices (ELD) that monitor drive time and location.
All of these supply chain participants strive to stand out from the competition, driving further adoption of collaborative logistics solutions to provide superior customer experiences, business intelligence systems or “control towers” to uncover insights in data, and various other tracking apps and systems to reduce annoying check-calls.
The Stakes Are High
As freight brokers and 3PLs know well, the stakes are increasing as competition increases. That means the potential costs of disruptions to information systems are increasing too. If systems go down or are compromised – whether from cyber attacks or simple mistakes – the consequences for customers and partners can be considerable. Some examples include:
- Lost revenue from an inability to cover shipments
- Unhappy customers from incorrect or missing tracking information
- Carriers and drivers choosing to work with competitors who can pay faster
- Lost packages and warehouse chaos
- Insufficient drivers at peak times
- Delays from inefficient or erroneous appointment scheduling and yard management
- Excessive demurrage fees and long dwell times
- Spoilage from manipulated temperature control systems
Role of APIs in Supply Chain Cybersecurity
If all of that is at stake, what role do supply chain APIs play? APIs in logistics connect all of those mission-critical systems and enable them to work together. It’s much like how freight brokers need phone and internet connections to communicate with drivers: systems become more useful and valuable when they can talk to each other. But that also creates a dependency that can become a vulnerability in supply chain cybersecurity.
These potential vulnerabilities could be exploited by various actors for various reasons:
- Foreign governments might try to disrupt the logistics operations of a rival country’s economy
- Non-state actors such as hacker collectives might try to shut down supply chains for political, ideological, or religious reasons
- Ransom seekers might try to make a quick buck by holding critical infrastructure hostage
Then there are the problems that arise out of simple mistakes or misconfigurations that might accidentally leak data, send too much data and slow systems down, or cause errors that humans have to spend valuable time trying to fix.
5 Ways supply chain APIs can become vulnerable
What should supply chain and logistics leaders know about protecting the APIs that connect their mission-critical information systems and data?
Without getting too technical, there are a few things worth being aware of to understand the challenges your security team faces or, if you don’t have one yet, to ask about as you build that important function.
First, understand that APIs are ubiquitous. Although “API security” is a relatively new field, APIs are everywhere, so, unfortunately, there’s no avoiding the issue. You’ve probably experienced APIs first-hand whenever you’ve signed in to an app on your phone with your Google, Microsoft, Apple, or Facebook account. When you take photos and they’re available in multiple apps or backed up to the cloud, that’s all made possible by APIs. For a more detailed overview of API security, check out “API Security 101 – 6 Things You Need to Know.”
Second, there are great organizations of cybersecurity professionals setting standards and educating the market. The Open Web Application Security Project® (OWASP), for example, is “a nonprofit foundation that works to improve the security of software.” They do excellent research and maintain lists of top threats that leaders need to know about, such as the OWASP Top Ten and the OWASP API Top 10. As previously mentioned, these are good for executives to know about, whether to ask about when interviewing potential security hires or to understand what security leaders (such as CISOs) are concerned about when advocating for resources, process changes, and so on.
Third, understand that the “top ten” lists are just that: the top challenges but not the only challenges. There’s a lot more that security professionals have to protect against, as Noname Security’s Matt Tesauro described in a recent webinar, “Are you Safe from OWASP #11?”
Fourth, understand that all sizes of companies are potential targets for hackers and attackers. While it’s easy to think that hackers only want to target the “big fish” in an industry, such as major carriers or 3PLs, the reality is that the smaller companies, with less sophisticated security organizations, are often the better targets. Therefore, every organization should be investing in supply chain cybersecurity, especially API security for APIs in logistics, given how interconnected supply chains are.
Fifth and finally, know that cybersecurity is not just about preventing attacks from malicious actors like hackers. Many cyber security risks in the supply chain that jeopardize performance, efficiency, and customer relationships come from simple mistakes or misconfigurations that can send the wrong data to the wrong people or expose internal, confidential, or personal data to the internet by mistake. This is another reason why even those companies that don’t think they’d be a target need to invest in cyber security for their logistics operations.
3 things security teams can do to safeguard their supply chains
In the past couple of years, demand for logistics companies’ goods and services has skyrocketed as supply chains have been disrupted. To capitalize on today’s high demand and build a strong foundation for future growth, high-performing organizations should focus on three fundamental elements in establishing formidable supply chain cybersecurity: people, processes, and technology.
Any successful initiative requires alignment of these three factors, and supply chain cybersecurity initiatives are no different. Let’s look at each in turn.
- The most basic element of securing the organization’s information and environment is having a fully-staffed cybersecurity team. Business leaders should understand that when a CIO or CISO is advocating for more headcount, they are not merely seeking to enlarge their budgets. As technology becomes increasingly specialized, potential attack vectors more numerous, and potential attackers more sophisticated, it’s necessary for security teams to reflect that growing specialization as well.
- The other important element is building relationships between people and groups. Today’s most successful companies operate by breaking down silos and identifying opportunities for teams to work cross-functionally. The same is true for the most successful cybersecurity teams.
- Leading CISOs understand that security should permeate the organization and that many people have important roles to play in keeping the organization’s information and their customers’ information safe and secure.
- Once relationships with other stakeholders are established, they must be nurtured and expanded. That is, those people must work together effectively, which means establishing clear processes for how to handle incidents, how security teams can efficiently inform developers of vulnerabilities, and how developers can secure their code early and often.
- The particular processes will vary based on the strategic goals of the company and its organizational structure, but in general good processes will enable fast, efficient, and effective action.
- Working together across teams to agree on priorities, expectations, values (e.g. speed vs thoroughness), and other important dimensions will help craft processes and frameworks that help teams move quickly when needed, rather than hinder action when desired.
- The final element, technology or tools, completes the triangle by empowering the people and processes that organizations have worked hard to recruit, train, and build.
- In practical terms, this means implementing a comprehensive supply chain API security solution and logistics API integration that helps security teams understand the current security posture, secure traffic in real-time with runtime protection, and equip developers with the tools to test and secure APIs before they ever make it to production.
- In other words, help them understand where they’ve been, where they are, and where they’re going.
Conclusion: APIs enable the next generation of logistics leaders
Just as supply chains and logistics organizations connect the physical world, APIs connect the digital world. They make all of the digital experiences we enjoy possible, and, importantly, they enable the next generation of leading logistics firms to operate more effectively and better serve their customers.
To realize that potential, companies must not only adopt the best information systems and accompanying processes but also secure them. Their data is as important as the ships, trains, and trucks that move goods, the warehouses that store them, and the customer relationships that make it all possible. Specifically, logistics organizations should invest in supply chain API security as part of their broader application security and supply chain cybersecurity initiatives.
Ready to take the next step and see how your company can secure your APIs? Schedule a free consultation today.