
Toyota Halts Production: Six Steps for Stronger Supply Chain Cybersecurity

A cyberattack against a key supplier halted production at several Toyota plants in Japan. Could your organization weather a supply chain outage? Use these six steps to be better prepared.
By: Scott Lang, VP, Product Marketing
March 01, 2022

On February 28, 2022, Toyota announced that the company was suspending operations on all 28 production lines at 14 manufacturing plants in Japan for a day due to a system failure at a supplier, Kojima Industries. Other Toyota partners, including Hino Motors and Daihatsu Motor, were also affected by the shutdown. The cause of the system failure at Kojima appeared to be a cyberattack that prevented communications with Toyota and with production monitoring systems. On March 1, Toyota announced that it would resume operations, for the first production shift only, starting March 2.

This incident is a clear example of the risk involved when a critical supplier is unable to deliver, and it demonstrates the domino effect of negative consequences throughout the supply chain. Shutting down manufacturing for a day (and reducing the number of shifts for additional days) could result in missed production goals, lost revenue, and missed earnings expectations for Toyota – not to mention the loss of customer trust.

Six Steps for Stronger Supply Chain Security

The reality of supply chain security is that, although your organization is not responsible for supplier security, your organization assumes some of the risk. So, how can manufacturers and other organizations mitigate the risks of cyber-related supply chain failures? Consider these six steps.

1. Improve Cybersecurity Evaluations During Sourcing and Pre-Contract Due Diligence

Performing pre-contract due diligence helps to ensure that a new vendor does not introduce unacceptable risks into your environment. The process involves conducting assessments of the supplier’s information security, operational security and business resilience practices. And although this particular incident is cyber-related, organizations should extend their pre-contract due diligence efforts to also include assessments of a supplier’s financial position and reputation. For example, if a supplier has negative news regarding its products, or has shown uneven financial performance, it may be unable to quickly adjust to shifting production demands or could be underfunding security. These insights inform inherent risk calculations that help determine which areas need further evaluation.

To accomplish better pre-contract due diligence, many companies choose to leverage libraries of already-completed supplier cyber risk assessments. Simply downloading a completed assessment will provide much needed visibility into a potential supplier’s risks faster than conducting the assessment yourself from scratch.

2. Establish Enforceable Service Levels in Contracts

Effectively reducing supplier risk requires an understanding of how suppliers are performing against expectations, and that starts with establishing enforceable service levels during the contracting phase. Measurable service levels can include uptime, mean time to detect (MTTD) the cause of an outage, and mean time to resume (MTTR) operations after an outage. The contracting phase is also the right time to include key clauses to ensure system failover and backup, especially because it’s not easy to simply “switch off” a supplier and replace them with another one. Finally, centrally managing key performance indicators (KPIs) and key risk indicators (KRIs) brings enterprise-level visibility to supplier performance.

With many internal and external parties involved in negotiating contracts, the process can quickly get out of control. To address this, many companies standardize on contract lifecycle management products that provide role-specific views to track key performance attributes, enable version control and embedded discussions, and include workflows that move contracts more efficiently through the review and approval phase.

3. Assess Suppliers Against Industry-Standard Supply Chain Cybersecurity Controls

Pre-contract due diligence will bring needed visibility to the inherent risks that a new supplier introduces to your environment, but risk assessments don’t stop at the onboarding stage. Fortunately, several industry frameworks exist that make the detailed controls assessment process far more standardized than ad hoc spreadsheets. For example, NIST 800-61 and ISO 27036 feature specific question sets designed to evaluate supplier security controls.

Third-party risk management platforms automate the collection of vendor questionnaire responses and the assignment and tracking of risks. They also include built-in remediation recommendations to mitigate those risks down to an acceptable level. When suppliers are “too big to fail,” you can turn to expert managed services providers to perform the assessment due diligence collection and analysis on your behalf, leaving your team to focus on remediations instead.


4. Continuously Monitor Suppliers for Early Warning Signals

Risk assessments provide a point-in-time view of a supplier’s security controls, and although essential to understanding their security posture, you also need to maintain a continuous view of risks – cyber or otherwise – that can impact your supplier’s ability to deliver.

Monitoring the Internet and dark web for cyber threats and vulnerabilities – as well as public and private sources of reputational, sanctions and financial information – can provide signals of an impending security incident. Consider monitoring:

  • Cyber: Criminal forums, onion pages, dark web special access forums, threat feeds, paste sites for leaked credentials, security communities, code repositories, and vulnerability and hack/breach databases can provide historical and current indicators of compromise.
  • Business: M&A activity, business news, negative news, regulatory and legal information, and operational updates can signal a loss of focus on cybersecurity.
  • Financial: Poor financial performance could signal budget cuts that impact security operations.

Incorporating these insights into your holistic supplier review process adds context to events and helps to validate the controls evaluated in Step 3 above.

5. Know Your Extended Supply Chain

Sometimes a cybersecurity incident in your extended supplier ecosystem (for example, suppliers of your suppliers) can impact your supplier’s ability to deliver, and therefore your ability to deliver. As part of the pre-contract due diligence step, collect information from your suppliers on their suppliers to assemble a relationship map. This will help you discover dependencies and visualize weak points in your supply chain. It can be as simple as knowing the 4th-party technologies deployed in your supplier ecosystem so you can determine which would potentially be exposed to a targeted breach. Instead of relying on multiple non-integrated tools to gather this information, look for single monitoring solutions that automatically build that database for you.
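The relationship map described above, worked through as an added example (this is illustrative code, not Prevalent's product or data model): production lines, tier-1 and tier-2 suppliers and 4th-party technologies are constructed, hypothetical nodes in a "depends on" graph, and the functions walk the graph in reverse to answer the two questions a responder asks when a supplier or shared technology goes down: what is the blast radius, and which nodes are single points of failure for every line.

```python
from collections import defaultdict, deque

# Constructed, hypothetical supplier relationship map (not real Toyota or
# Prevalent data). Edges read "X depends on Y": a production line depends on a
# tier-1 supplier, which depends on its own suppliers and 4th-party technologies.
DEPENDS_ON = {
    "line:body-assembly-A": ["supplier:tier1-hoses"],
    "line:body-assembly-B": ["supplier:tier1-hoses", "supplier:tier1-electronics"],
    "supplier:tier1-hoses": ["supplier:tier2-plastics", "tech:erp-vendor-X"],
    "supplier:tier1-electronics": ["tech:remote-access-Y"],
    "supplier:tier2-plastics": ["tech:erp-vendor-X"],
}

def reverse_map(depends_on):
    """Invert the map: for each node, the set of nodes that depend on it."""
    rev = defaultdict(set)
    for node, deps in depends_on.items():
        for dep in deps:
            rev[dep].add(node)
    return rev

def blast_radius(depends_on, incident_node):
    """Every node transitively dependent on incident_node, mapped to its
    shortest dependency depth (1 = directly dependent) for prioritisation."""
    rev = reverse_map(depends_on)
    seen = {incident_node: 0}
    queue = deque([incident_node])
    while queue:
        cur = queue.popleft()
        for dependent in rev.get(cur, ()):
            if dependent not in seen:
                seen[dependent] = seen[cur] + 1
                queue.append(dependent)
    del seen[incident_node]          # report the impact, not the source itself
    return seen

def affected_lines(depends_on, incident_node):
    """Production lines (the business impact) reachable from the incident."""
    return sorted(n for n in blast_radius(depends_on, incident_node)
                  if n.startswith("line:"))

def single_points_of_failure(depends_on):
    """Suppliers or technologies whose loss would halt every production line."""
    lines = {n for n in depends_on if n.startswith("line:")}
    nodes = set(depends_on) | {d for deps in depends_on.values() for d in deps}
    return sorted(n for n in nodes if not n.startswith("line:")
                  and set(affected_lines(depends_on, n)) == lines)

if __name__ == "__main__":
    print(blast_radius(DEPENDS_ON, "tech:erp-vendor-X"))
    print(single_points_of_failure(DEPENDS_ON))
```

A shared 4th-party technology such as the constructed ERP vendor shows up as a single point of failure even though no production line depends on it directly, which is exactly the dependency a first-tier-only view misses.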

6. Activate Your Third-Party Incident Response Plan

If a cybersecurity incident occurred in your supply chain, would your organization be able to quickly understand its implications to your business and activate its own incident response plan? Time is of the essence in incident response, so being more proactive with a defined incident response plan will shorten the time to discover and mitigate potential supply chain problems. A more programmatic third-party incident response plan could include:

  • A centrally managed database of vendors and the technologies they rely on
  • Pre-built business resilience, continuity and security assessments to gauge likelihood and impact of an incident
  • Scoring and weighting to help focus on the most important risks
  • Built-in recommendations to remediate potential vulnerabilities
  • Stakeholder-specific reports to answer the inevitable board request

Next Steps for Supply Chain Risk Management

The Toyota supply chain disruption is a reminder that all organizations – regardless of the sophistication and diversity of their systems – can be impacted by a supplier failure or cyber incident. Evaluate your own organization’s supply chain security posture using the six steps included here, or contact Prevalent for a strategy session or maturity assessment of your existing supply chain risk management processes.

Scott Lang
VP, Product Marketing
Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software. He can be reached on Twitter @scottinohio, LinkedIn and Facebook.