The rising risk of cybercrime in the supply chain

In recent years, the logistics sector has become an increasingly tempting target for cybercriminals for a whole host of reasons. The first is that logistics is one of the most profitable industries worldwide and is an important part of the economy, making it a logical focus for criminals seeking to make a big disruptive impact. Second, although logistics is focused on the physical movement of goods, it also has a big digital footprint. The logistics component of today’s supply chain has come to rely on a significant volume of data processing and information sharing. For example, industry forms that were traditionally paper-based—such as invoices, export compliance certificates, and bills of lading—are now digital. Consequently, fleet operators are now sharing more data digitally with partners and vendors than ever before, which opens them up to more cyber risks. Finally, the cargo supply chain consists of many disparate parties that have varying levels of cybersecurity systems in place. This presents cybercriminals with an opportunity to identify and exploit the weak links in the network.

Given the rapidly evolving nature and the deep sophistication of cyberattacks today, it is vital that transport and logistics firms and their customers stay up to date on the cyberthreat landscape. Doing so will help them better understand and defend against a wide range of existing and emerging cyber risks. Due to the interconnected nature of the supply chain, it is also crucial that they work with key suppliers and partners to ensure that best practices in cybersecurity are implemented throughout the network.

Threats to watch 

Some of the major cyber risks that have affected the transportation and logistics sector include: ransomware, phishing, and sensor and industrial technology intercepts.

Ransomware: Ransomware is a malware that prevents users from accessing their system until a ransom is paid. According to Cybersecurity Ventures, a cybersecurity research and publishing company, ransomware is one of the fastest growing types of cybercrime and is expected to attack a business, consumer, or device every two seconds by 2031. The transportation and logistics sector has proven to be an especially attractive target for these attacks. In May 2021, the Colonial Pipeline attack disrupted jet fuel and gasoline supplies to large areas of the southeastern region of the U.S. Whilst the direct financial impact was the payment of a $4.4 million ransom, the indirect financial and socio-economic impacts to the associated supply chain were far greater. Further evidence of the significant financial and disruptive impact of a ransomware breach was shown in this year’s attack on the logistics service provider Expeditors. The crippling attack cost the company $40 million in charges on lost shipping opportunities and a further $20 million in investigation, recovery, and remediation expenses.

Phishing: Logistics and shipping companies are increasingly being targeted by phishing attacks. Phishing involves cybercriminals contacting target organizations by email (phishing), telephone (vishing), or text message (SMSishing), and posing as a legitimate person or organization. The aim of the attack is to lure the recipient into giving up sensitive data and passwords to illicitly access data for financial gain. A very pertinent example was during the pandemic when cybercriminals used phishing techniques to target the COVID-19 cold supply chain. The attack gained access to the low-temperature storage manufacturer Haier Biomedical’s network before using its own email system to distribute further phishing emails to partners involved in transporting the vaccine.

Other examples of phishing attacks specific to the sector are “bill of lading ransom” and “freight forwarding fraud.” In the case of a bill of lading ransom, cybercriminals pose as freight forwarders to negotiate with an unwitting client. Once goods are packed onto a ship or truck from the port of loading, the criminals then deny the release of the bill of lading until a ransom is paid. If the bill of lading is not released, it can cause severe supply chain delays and disruption. It can also cost companies thousands of dollars in losses, especially if goods in transport are no longer of good quality due to disruptions.

Freight forwarding fraud involves cybercriminals impersonating a legitimate freight forwarding company by essentially copying its website. The aim is to steal freight forwarding fees or make off with any cargo that falls into their possession. Such methods can also be referred to as “brandjacking” and are often used to directly tarnish a corporate brand’s reputation.

Sensor data and industrial technology intercepts: Transportation and logistics companies are increasingly relying on sensors and internet of things (IoT) devices to track and monitor cargo. However, many companies don’t treat their operational technology and IoT technology with the same level of care that they do their information technology, creating an opportunity for cybercriminals. For example, cyberthieves may seek to intercept communications between a logistics firm’s sensors and its IT systems, and then either sell the data to a competitor or use it to guide a physical attack on valuable supply chain shipments.

Protecting against such risks can be difficult due to the innate design of IoT devices. IoT devices are designed with ease of use in mind rather than security. For example, many of them leverage default user credentials (such as “admin”), which are easy to hack, creating cybersecurity vulnerabilities. Additionally, it is often easy to download product sheets for many IoT sensors that specify exactly how the sensor is designed and what security they do and do not have.

Furthermore, companies should be aware that malware attacks can spread from a company’s IT systems to its operational technology and IoT technologies. This was seen when the shipping giant Maersk was hit by a vicious malware called NotPetya in 2017. Although the malware attack initially infiltrated the company’s active directory systems, it spread to the operational technology and IoT technologies used at Maersk’s port facilities. As a result, Maersk’s entire logistics system was shut down.

Similarly, many operational technology (OT) systems, such as industrial controls, are often riddled with vulnerabilities. In a typical OT environment, reliability is the primary concern during the design process, and basic information security precautions are often overlooked. Furthermore, many OT systems are older legacy systems that were never designed to be operated remotely or connect to the internet. As a result, cybersecurity measures were not built into the system’s design.

Fighting against the threats 

Cyberattacks can leave damaging effects on an organization. It is, therefore, essential for an organization to have protocols in place to mitigate these attacks. No matter how small or established the organization, if bad actors see an opportunity to infiltrate, they will. To mitigate the exposure to major cyber risks, supply chain executives should first make sure that their organizations are taking the following steps internally: educate employees about potential threats and how to protect themselves, update devices and software regularly, and create an effective remediation plan.

Educate employees. It’s helpful to teach employees to look out for specific threats, such as phishing emails or vishing calls, and flag them to the appropriate person. Employees are usually the first target when bad actors are trying to infiltrate a company’s network. Therefore, it is vital that organizations empower and equip their employees with the knowledge to serve as the first line of defense against potential cyberattacks.¹

Update devices and software regularly. Most technology providers are constantly testing their products for any weaknesses and release patches or updates when they discover them. It’s essential then that companies update their devices and existing software applications on a regular basis. This ensures that devices and applications are not only better protected from attacks but also are operating efficiently. Operating from an outdated device and/or software application creates vulnerabilities and loopholes for bad actors to slip through and potentially compromise an entire network system. In addition to updating devices on a regular schedule, companies should also regulate what software and applications employees can download onto work devices. Restricting unauthorized software applications can help mitigate exposure to potential attacks.

Create a remediation process. Even the best-prepared organizations with the most robust training programs can experience a cybersecurity breach. For this reason, organizations need to draw up a plan, or remediation process, for how they should respond if a breach occurs or if they detect a weakness or flaw in their information system architecture. Additionally, organizations should periodically reflect on where and how they need to improve their cybersecurity measures.

Addressing third-party supplier risks

In addition to the internal tactics described above, companies should also involve their external suppliers and partners in their cybersecurity programs. Given that so much of the cargo supply chain is outsourced, advancing third-party and supplier cybersecurity programs is paramount to protecting your own cybersecurity. Organizations need to ensure that the security measures that are important to them are also in place at their suppliers’ and providers’ organizations, otherwise they risk having their own security undermined by lax practices at their partners. To create strong, secure practices, companies need to work proactively with their suppliers before a breach occurs and build an open relationship with them to ensure communications are received in the right way. 

In order to address third-party supplier risks, companies should:

• Evaluate a potential supplier’s cybersecurity risk level. This evaluation needs to be part of the due diligence process that takes place during any third-party selection. Companies need to make sure that their supplier’s internal controls—or their policies and processes for managing external risks—are in line with their own internal controls. For example, if company A has a high standard for internal controls, but receives services and supplies from Company B, which has a low standard for internal controls, then Company A is now exposed to any potential risk because of Company B’s weak point.
• Decide how you are going to communicate. You need to have a simple way to communicate with your supplier (and your supplier with you) if an incident happens. This could be a phone call, an email, or an instant reporting mechanism. Whatever mechanism you choose, it needs to work for both parties across the various channels.
• Identify who is managing third-party suppliers and supply chains. Many organizations think of cybersecurity as an IT-only issue, but those stakeholders who are dealing with third-party suppliers also play a key role in preventing or mitigating a cyber risk. These stakeholders need to be up to date on possible threats and need to know how strong a supplier’s cybersecurity program is. They also need to know whether their supplier is subcontracting with other suppliers or service providers and what the level of cyber risk those downstream suppliers hold.
• Be transparent with your suppliers about your cybersecurity program. This transparency should include educating them about the purpose of your program and updating them as relevant on the purpose and risks being managed.
• Define each supplier’s cybersecurity “risk tier” and the degree of care that they require. Many companies are now assigning their suppliers to risk tiers. A risk tier is based both on the criticality of the service or product that the supplier provides and on the supplier’s risk rating (or whether—based on the supplier’s internal cybersecurity controls—they are considered a high risk, a medium risk, or a low risk). That risk tiering then determines how much control or care you extend out to the supplier in terms of cybersecurity. For example, a supplier that provides a noncritical product or service and has a high level of internal cybersecurity controls would be placed in a low-risk tier. Your company would not need to extend its internal controls to the supplier’s external environment. However, if it’s a critical supplier with a low level of risk maturity, you  want to either consider looking for a new supplier or extend your own internal control mechanisms out to their operations. The most common mistake that many organizations make when evaluating a supplier’s risk tier is they base it on the value of spend rather than the criticality of the service that's being provided or the sensitivity the data that's being shared. For example, you probably don’t spend a large amount of money on the agency that produces your annual report, but that company has access to very sensitive information and should be using rigorous cybersecurity measures.
• Carry out an external cybersecurity “posture scan” of your suppliers. There are tools available that allow you operate like a hacker and probe your suppliers’ systems to see how secure they are. These posture scans or probes help you determine whether your third-party suppliers are following security protocols.
• Identify who your supplier’s suppliers are. One weak spot for a supplier can be other contracted organizations within its network. Therefore, it is important for you to review the context of these supply chain relationships and their potential impact on your organization.

Becoming cyber resilient 

The past two years have proven the vital role that the transport and logistics industry plays in the overall economy. At the same time, the past two years has also shown the scale of the cyberthreat facing the industry. These two factors mean that taking steps to defend IT systems against cyberattacks is crucially important.

Cybercriminals are becoming craftier as they create more sophisticated ways to infiltrate networks and steal data for financial gain. Therefore, organizations cannot simply focus on the technological aspects of cybersecurity by assessing potential vulnerabilities in IT systems, they must also take steps to address them through best practice security and access controls. The impacts on business processes, products, employees, and customers alike must be understood to preserve the value chain, keep the global supply chain moving, and enable a position of cyber resilience.

Notes:

1. For practical tips on communicating well with employees on cyberthreats and best practices see “How to educate employees about cybersecurity,” Analytics Insight, (June 2, 2021): https://www.analyticsinsight.net/how-to-educate-employees-about-cybersecurity