
Cyber Resilience and Challenges in Securing Today’s Hardware Supply Chain

SCRS Conference Day 1 Session #13

By Mr. Yung Hsu, Senior Director, Microsoft

In a world where digital transformation drives progress, ensuring the security of technological and operational infrastructures is paramount. At the Supply Chain Resilience and Sustainability (SCRS) Conference 2024 in Shanghai, Mr. Yung Hsu, Senior Director at Microsoft, delivered an enlightening keynote on cybersecurity. His address was both timely and critical, highlighting the complexities of modern cyber threats and offering strategic insights for safeguarding digital and physical supply chains.

The SCRS Conference, organized by the Transported Asset Protection Association Asia Pacific (TAPA APAC), is renowned for its focus on advancing supply chain resilience and security standards. As a trademark event in the supply chain industry, it brings together leading experts, industry leaders, and practitioners to discuss and address the latest challenges and innovations. This prestigious conference serves as a platform for sharing knowledge, best practices, and technological advancements crucial for enhancing supply chain security and resilience. 

The Evolving Landscape of Cyber Threats

Yung Hsu’s keynote commenced with a stark reminder of the evolving nature of cyber threats. As technology continues to advance, so do the tactics of cybercriminals. The four main areas of concern he identified were malware, targeted attacks, insider threats, and supply chain attacks.

  1. Malware: Malware remains one of the most pervasive threats. Yung Hsu cited the case of a major chip manufacturer that suffered a malware attack disrupting its production line. This incident underscored the potential for malware to cause significant operational downtime and financial loss. He explained that such malware often spreads via infected devices like USB sticks, emphasizing the need for rigorous digital hygiene and security protocols. Other examples involve ransomware attacks affecting global freight forwarders. These incidents disrupt not only the affected companies but also their partners and customers, emphasizing the need for comprehensive supply chain security measures.
  2. Targeted Attacks: The rise of sophisticated phishing schemes and spoofing attacks has made targeted attacks more prevalent. Yung Hsu shared examples of how criminals employ these methods to deceive individuals into divulging sensitive information or installing malicious software.
  3. Insider Threats: Insider threats, whether from malicious intent or negligence, pose a significant risk. Yung Hsu recounted real-world incidents where insiders exploited their access to cause damage or theft. A notable example was a gang operating in the Port of Antwerp, who used insider knowledge to smuggle drugs by manipulating port systems. This highlighted the necessity for robust internal controls and monitoring to mitigate such threats.
  4. Supply Chain Attacks: The interconnectivity of modern supply chains has made them a prime target for attacks. The SolarWinds attack, where hackers inserted malicious code into SolarWinds software that was then distributed via their normal update channel, exemplified the potential for targeted attacks to compromise entire networks, including those of high-profile organizations and government entities.

“Understanding where risks lie is crucial for effective cybersecurity,” Yung Hsu emphasized. 

Yung Hsu mentioned that cyber risks could emerge from various facets of business operations, including facilities, IT infrastructure, and personnel. Mr. Yung Hsu discussed the critical importance of aligning multiple supply chains within the organization to enhance cyber resilience. “We have a digital supply chain and a hardware supply chain that manufactures all of the servers that go into the data centers,” he explained. The most significant risks often come from external partners and suppliers. He highlighted the importance of assessing the security posture of all partners and vendors. This approach involves evaluating the cybersecurity measures of third parties and ensuring they align with the organization’s security standards. By adopting a holistic view of supply chain security, companies can better safeguard themselves against potential breaches.

Strategic Solutions for Cybersecurity

In addressing cybersecurity challenges, Yung Hsu outlined several strategic solutions tailored for both large and small enterprises.

  • For Large Companies: Large organizations like Microsoft employ rigorous security requirements and standards across their supply chains. Yung Hsu detailed Microsoft’s approach, which includes in-person supplier audits, regular engagements, and adherence to global security standards. These measures ensure that all partners meet high security standards and are equipped to handle potential threats effectively.
  • For Small Businesses: Smaller companies, often lacking extensive resources, need practical and cost-effective solutions. Yung Hsu recommended leveraging available online resources and tools to bolster cybersecurity. He advised small businesses to implement basic security measures such as regular software updates, strong passwords, and employee training on recognizing phishing attempts.

TAPA Standards and Their Role in Cybersecurity

Yung Hsu also touched upon the role of TAPA Standards in enhancing supply chain security. TAPA Standards are instrumental in setting benchmarks for security and operational excellence in the supply chain industry. TAPA Standards provide a comprehensive framework for integrating advanced technologies and security practices into supply chain management. They emphasize the importance of secure handling of goods, robust physical security measures, and the integration of digital security protocols. For companies navigating the complex landscape of supply chain security, TAPA Standards offer valuable guidelines for mitigating risks and enhancing resilience.

To tackle cybersecurity challenges effectively, Microsoft examined global security requirements and association standards. “We assessed what enterprises and governments are demanding in terms of security and integrated these requirements into our own protocols.” By aligning their standards with global benchmarks, Microsoft developed robust security measures across the physical supply chain.

Collaborative Efforts and Industry Engagement

Yung Hsu stressed the importance of collaboration and industry engagement in enhancing cybersecurity. Microsoft actively partners with peers in the tech industry to share data, best practices, and threat intelligence. This collective effort aims to raise the security bar across the industry and foster a culture of continuous improvement. 

Looking ahead, Yung Hsu emphasized the need for ongoing vigilance and adaptation. The rapidly evolving cyber threat landscape requires organizations to stay ahead of emerging risks and continuously refine their security strategies. By embracing innovation, investing in cybersecurity, and fostering collaboration, companies can build a more resilient and secure digital future.

One of the key takeaways from Yung Hsu’s address was the need for industry-wide collaboration to tackle cybersecurity challenges. By working together, organizations can share insights, address common vulnerabilities, and develop more effective security solutions. TAPA APAC provides the platform for businesses with physical and digital supply chains to strengthen their defenses, enhance their risk management practices, and maintain operational continuity even in the face of potential cyber threats and other risks.

To learn more about TAPA Standards, visit our website www.tapa-apac.org or email us at info@tapa-apac.org

About the Speaker


Mr. Yung Hsu
Senior Director, Microsoft

Yung Hsu started his law enforcement career in Southern California as a deputy sheriff with the Los Angeles County Sheriff’s Department. His last assignments as a detective were with the cargo theft task force, the Asian crime task force, the vehicle theft task force, and the Southern California High Tech Task Force. He is currently responsible for various aspects of supply chain security across Microsoft, including cargo security. Over the last year, thefts of Microsoft Xbox and Surface products were reduced by 64%. This was attributed to a multi-layered security program implemented across Microsoft’s manufacturing and transportation channels consisting of holistic requirements across multiple security domains, regular supplier engagement, in-person supplier audits, and strong partnerships with law enforcement.

Email: Yung.Hsu@microsoft.com
LinkedIn: https://www.linkedin.com/in/yunghsu/
