Supply chain security:  paging Hezbollah!

Supply chain security is multifaceted and complex.  Supply chain security encompasses logistics, supplier ultimate ownership, supply reliability, cyber security, personnel security, ultimate source of materials, modern slavery, and physical adulteration of the items being supplied. Supply chain security is recognised as a security hazard in Australia’s Security of Critical Infrastructure Act 2018 (SOCI Act).

The attacks on Hezbollah’s pager system, which caused the pagers to explode, killing and maiming Hezbollah affiliates and people nearby and stifling Hezbollah’s ability to communicate, appear to be an extraordinary example of supply chain security risk being realised.

At a SOCI workshop Pentagram ran for Tasmanian SOCI entities in Hobart on 18 September, the Department of Home Affairs guest speaker reminded attendees, when discussing threat, that the 9/11 terrorist event against U.S. homeland targets was, at least in part, enabled by a lack of imagination by U.S. agencies about what a determined and resourced adversary might do.  The U.S. did not consider the need to mitigate a threat such as the 9/11 attack partly because that threat had no real U.S.-centric precedent, other than perhaps the Japanese attack on Pearl Harbour in 1941, and certainly in the Cold War period the prevailing security thinking had been of nation states as adversaries, based on conventional armed attack, insurgency, nuclear confrontation, and espionage.  Terrorists, whilst clearly able to mount bombing acts against large buildings and crowds, were not seen to be as audacious as 9/11 was.

Supply chain attack is not new.  In military operations over the last millennia a key focus was always to attack and disrupt the adversary supply chain of food, weapons, information, and people.  In 20th century wars all sides sought to destroy, damage, or otherwise hamper adversary means of producing warfighting equipment, of waging war, maintaining civil cohesion, and collecting intelligence. Most of the attacks in this period were physical and kinetic attacks.

More recently, the 2007 Stuxnet attack on Iranian nuclear infrastructure saw malicious software introduced into a secure network that ultimately caused physical damage to the reprocessing centrifuges being used to make fissile materials to enable a nuclear weapon capability.  Iran was also reportedly the target of a supply chain interdiction to sabotage power supplies that would be used to operate the centrifuges.  U.S. agencies, during the Trump administration, intercepted large Chinese-made electricity generators the U.S. believed had been altered to house a ‘kill switch’ that could be triggered from outside the U.S.  In wars of the 21st century there are accounts of countries introducing components into adversary supply chains that resulted in munitions, explosives and other machinery of war not functioning properly or at all.

The Hezbollah attack is the next step up. Open-source reporting indicates that the pagers were most likely to have had an explosive device inserted into each of them post manufacture, though of course if the manufacturer was co-opted the pagers could have been built with the explosive components included.  Both scenarios mean that at some point in the supply chain, from manufacturer to Hezbollah, the pagers had been interdicted and adulterated, enabling the explosive modification to take place.

Analysis of the supply chain should indicate the point at which access to the pagers likely took place.  However, retrospectivity is not helpful in this case, unless of course Hezbollah plans to order another batch of pagers and so might institute a higher standard of supply chain security as mitigation.

From a supply chain security perspective, I see some key questions and learnings that SOCI entities, indeed any entity, might usefully consider.

  • Does your enterprise have a contemporary risk assessment?  A sound risk assessment will consider assets / operations, the likely threats (see comments below), vulnerabilities (do likely threats have a pathway to access your assets / operations?), likelihood of an attack, the consequences of that attack, and where that consequence sits within your entity’s risk appetite.
  • Determine, no matter how low (unlikely) the risk may be rated, if your entity can tolerate the consequence.
  • Is it possible, affordable, or mandatory to attempt to mitigate that risk?
  • What are your action, recovery, and communications plans if the risk is realised?

On the issue of ‘likely threats’ I see clients sometimes include every conceivable threat in their risk register – alien invasion or asteroid strike may be possible, but how realistic a threat are they, and can the risk be mitigated in any way?  To have an effective and affordable security posture you need to ‘keep it real’ when it comes to threat selection and hence to risks that you might seek to mitigate. However, whilst attack by commercial passenger aircraft, Stuxnet, sabotaged centrifuge power supplies, and exploding pagers are certainly at the extremity of likely threats (or were at the time), and so might be assessed as low risks overall, today they are precedents, so when considering threat you now have more information to imagine what threats might be possible.

So, to supply chain security.   Every point of your supply chain may present a vulnerability with some components more relevant than others to the threat vectors of most concern.  As technology evolves, enabling your adversaries to do you harm, how does that change your risk assessment?  Risk assessments need to be dynamic.

What method of attack through your supply chain could your adversary, who is highly motivated and suitably resourced, deploy to damage or disable your operation, be that critical infrastructure or any other enterprise?  

Active management of supply chain security is necessary and may even be critical for your operation.  Accordingly, you need to invest in an enterprise risk management system that fits within the context of your operations.  Entity boards and executives should note that this approach provides a documented evidence base of threat assessment, risk assessment and decisions about mitigation, so when your enterprise is subject to a novel or unlikely attack you will be able to explain, at least in part, something of how the risk was realised.

Remember, your supply chain is only as strong as its weakest link. 
