Supply Chain Integrity, Transparency and Trust in the Pharmaceutical Industry

What is SCITT?  While it may be yet another term you might not have heard of, it’s sure to become more familiar to pharmaceutical industry players as we strive to ensure traceability, accountability, and auditability across the supply chain.  The term SCITT stands for ‘Supply Chain Integrity, Transparency, and Trust’. While there’s ongoing discussion over its scope and definition, at its core, it’s pretty simple: risk vests in the operator of equipment but originates at every point in the supply chain.

If pharmaceutical companies and other players in the pharma supply chain are to take control of, and responsibility for, their own cyber physical risk, then it’s essential everyone knows exactly what they are dealing with.

This involves finding the answers to questions such as how was this thing made? Who has touched it along the way? What sensitive components are inside?

And crucially, how do I prove to my own and my auditor’s satisfaction that it is safe and secure to consume or operate? Of course, the answers to all these questions are much easier to find if supply chain partners collaborate and share data about shared assets and processes in a spirit of transparency, accountability, and trust.

The problem is that the global pharma industry has grown more than sixfold in the last decade.

Part of this growth has seen supply chains become increasingly global, complex and increasingly opaque. And more and more companies are outsourcing production to contract manufacturers, adding new modalities (such as cell therapy), and exploring novel ways to reach patients. For some products, this results in supply chains so complex they circumnavigate the globe twice.

While new supply chain management continues to drive growth - and creates cost efficiencies - unless the risk that comes with supply chain evolution is properly assessed and planned for, huge losses can occur.

Time for SCITT

Supply chain vulnerability is undeniably a top issue in cyber security, and the pharmaceutical sector is certainly no stranger to cyber attacks. In fact, healthcare, financial and pharma companies suffer the most breaches across all industry sectors.  Data from IBM and the Ponemon Institute's annual Cost of a Data Breach report shows cyber attacks cost the pharmaceuticals sector around US$5.01 million per attack.

Furthermore, reports suggest that ransomware threat actors have shifted focus to pharmaceutical supply chains in recent years, with 12 percent of pharma industry vendors likely to incur a ransomware attack  and pharmaceutical supply chain cybersecurity risk now standing at $31 million annually as of 2021.

We are seeing ever more sophisticated attacks, in which bad actors target less-secure elements such as managed service providers or commercial software platforms in the supply chain.

Governments have now started to take supply chain attacks more seriously than ever before, while companies are struggling to manage threat exposure.

As an example, back in 2021, US President Biden signed Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity. Section 4, Enhancing Software Supply Chain Security, is aimed at action “to rapidly improve the security and integrity of the software supply chain which often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors. The EO places a priority on the security and integrity of software used by the Federal Government and vital to performing its critical functions.”

Clearly, specifically mentioning supply chain security underlines the importance of this area, with a progress report stating: “Establishing supply chain security criteria is a necessary and important step to improving trust in our government information technology (IT) and operational technology (OT) systems. Guidance resulting from the EO enables the government to dramatically reduce its vulnerability to cyberattacks by individuals, criminal enterprises, and nation states.”

Another report reveals the group that poses the greatest risk to pharmaceutical manufacturers is data management vendors, at an annual risk of $6.2 million.

This group of vendors reported credential-related issues, vulnerabilities due to out-of-date systems, and publicly visible critical ports – mainly due to restricted IT security budgets and resources for data management companies.

Integrity, trust and transparency are especially vital in the pharmaceutical sector, especially given the end products and increasing user savviness.

The UK National Cybersecurity Centre of Excellence is trying to lend a helping hand in the fight to establish greater supply chain trust, on the basis that: “organisations currently lack the ability to readily distinguish between trustworthy and untrustworthy products. Having this ability is a critical foundation of cybersecurity supply chain risk management.”

This year has seen the emergence of the Internet Engineering Task Force (IETF) SCITT Working Group, working towards assurance on the authenticity of entities, evidence, policy and artifacts and how the evidence provided by entities can be guaranteed to be authorized, transparent, immutable and auditable. The group is discussing the need to address gaps in essential primitives, by creating a set of building blocks to guarantee long-time accountability and interoperability for software components and their metadata through their lifecycles.

But they’ve identified that the root causes of a lack of trust in this increasingly digitised supply chain environment include a lack of legally meaningful and persistent supply chain data – which is needed to automate the system; insufficient standards for tamper-proof and independently verifiable data  stores and an absence of decentralised, globally interoperable transparency services.

A McKinsey Global Institute survey identified that supply-chain risk is a significant reason for pharma companies’ susceptibility to disruption, with almost half the respondents citing sole sourcing of inputs as a critical vulnerability, and 25 percent pointing to a lack of visibility into supplier risks.

Supply chain risks may well be unavoidable, but companies can and must minimise their effects through greater visibility, rigorous risk management, and newer technologies.

The way forward for SCITT

A common theme around supply chain risk management is the so-called “Trust Gap”. Trust gaps are nothing new, but when it comes to supply chains, traditional processes lock data away in silos and can’t keep pace with the speed of digital transformation in today’s highly connected supply chains. What’s needed is a decentralised service for ensuring trust in industrial cybersecurity supply chains.

There needs to be a shift in mindset from bullet proof security and silver bullets toward a spirit of zero trust, shared intelligence and resilience in the face of emergent threats. Things are only secure until they’re not, and trust is contextual. It’s not enough to do an audit or security report once then rely on that for the rest of the year. You need to continuously verify security and trust posture in near real time, assume breach, and then quickly deal with problems when they arise.

This isn’t just peddling fear, uncertainly and doubt around cyber attacks or Advanced Persistent Threats (APTs).  Many seemingly innocent or accidental things can also affect security and trustworthiness between organisations, including different risk exposure, different personnel capabilities, different training regimes or different practical operating constraints. And of course, everyone has different commercial motivations.

To cope with all this, we need to move from the impossible task of trying to make cheating and threats impossible, to the more tractable one of detecting and mitigating threats as they arise.

An extreme but essential aspect of this is to understand that SCITT does not prevent attacks or bad actors, rather it holds them accountable through the principle of transparency. If someone cheats or messes up, too often they will be ostracised by the group. If someone refuses to act transparently, they will struggle to gain business. The end result of this is market forces that incentivise everyone to hold themselves accountable and accept responsibility for their own informed risk.

As the IETF states: “We cannot stop authorized supply chain actors from making false claims, but we can make them accountable by requiring their claims to be registered and in a verifiable and transparent data store.” Once this principle and the idea of attestation is internalised, the security benefits of SCITT suddenly become clear. The goal is to have and maintain a tamper-proof, transparent record of who did what, when to underpin trustworthy supply chain operations.

Until we reach this point, supply chains in the pharmaceutical sector may remain untrusted, vulnerable and open to bad actors.