The 2021 cyberattack that shut down the Colonial Pipeline for days sent Defense Logistics Agency Energy officials scrambling for new ways to get fuel to East Coast customers and underscored the need for supply chain resilience.
A new strategy being drafted by DLA will become the agency’s roadmap for addressing such vulnerabilities and protecting the security of the Defense Department supply chain that serves troops and federal partners around the world.
“How do we protect against disruptions? And are we doing the right things to make sure our supply chains will continue to produce what’s needed? Those are some of the things we’re addressing as we build our framework,” said Peter Battaglia, director of DLA Logistics Operations’ Mission Assurance Directorate.
Operations, acquisition and information technology teams at DLA Headquarters are outlining the strategy, which will chart how the agency detects and responds to problems in supply chain operations caused by threats like natural disasters, geopolitical developments, diminishing manufacturers, cyberattacks and nefarious activities.
Battaglia said he expects the strategy to be shared with major subordinate commands for input this fall. Protective measures are being refined or developed in four areas:
- DLA systems and data
- Suppliers with information such as controlled unclassified information, export control data and other DLA data
- Critical supplier operations
IT specialists on the Cyber Emergency Response Team already monitor DLA’s 100-plus systems 24/7 for cyber threats, improper logins and other issues. They work to reduce risks and build defenses as well.
Battaglia said more measures are needed to protect information like technical quality data that the agency shares with suppliers, whether it’s through IT systems or business discussions.
“Say we’re providing our logistics data to one of the contract service suppliers that we operate with. We’re determining measures we can take to ensure they’re not going to lose our data, be it through malicious data breaches or inappropriate internal management,” he said.
Behavior-based monitoring will be part of the plan and includes limiting access to systems to only those who need it and looking for indicators that a company has been or could be hacked. While the agency already has some measures in place, Battaglia said the goal is to adopt practices and tools that pinpoint potential problems so they can be addressed upfront.
DLA is also determining cybersecurity expectations it might need to impose on suppliers who provide critical items such as fuel.
“Because DLA is largely an acquisition element within logistics, we’re extending supply chain security all the way to our suppliers to make sure they’re able to continue operating and providing us with the required supplies and services,” Battaglia said.
That includes ensuring suppliers and sub-suppliers have access to raw materials, especially those that are scarce but critical to military equipment. DLA Strategic Materials already manages material that’s critical to national security. Additionally, through DLA’s Warstopper Program, acquisition specialists arrange contracts for essential go-to-war items that might need sudden, rapid production.
DLA may also need to integrate with organizations like the Cybersecurity and Infrastructure Security Agency, which is responsible for protecting 16 critical infrastructure sectors in the United States, Battaglia continued.
And as agency officials determine how DLA will ensure supply chain security, they must also consider the cost.
“If protection measures double the cost but only take us from 95% security to 97% security, is it worth it? What’s the cost-value-benefit ratio?” Battaglia added.
DLA has 61 years of experience in supply chain risk management to build upon and has already had successes, he said, pointing to a program in which DLA Land and Maritime validates and certifies microelectronics that are susceptible to counterfeiting.
Battaglia noted that all DLA employees have a role in keeping the supply chain secure, much like with operations security.
“It’s an extreme example, but if DLA suppliers start doubling production of all chem-bio defense items such as chemical protective gear and gas masks, that information could send a very big signal throughout the world. So, it’s important for employees as well as our suppliers to always keep security in mind,” he said.