Published 25 July 2018

The biggest cybersecurity threats to logistics and utilities (and how to remedy them)

Over the past decade, the state of near unlimited connectivity characteristic of modern digital technology has produced sweeping changes in the business world, and these changes are now reaching industries such as logistics and utilities, which have traditionally been cautious in their adoption of new technologies. In 2018, however, the benefits of connectivity have become undeniable, and corporations are rushing to incorporate networked technologies into their businesses in an effort to improve their ability to monitor operations and increase productivity. Nevertheless, the opportunities of these new technologies carry with them a new set of risks, including some to which logistics and utilities companies may be particularly vulnerable. We were reminded of this last year, when shipping giant Maersk was infected with the NotPetya ransomware through third-party accounting software, causing its ports to grind to a standstill and costing upwards of $300 million.

Logistics and utilities can be attractive targets for hackers seeking to cause damage, because of the critical importance of their operations to consumers and other businesses. In July 2018, the United States Department of Homeland Security revealed that a group of Russian state-backed hackers had infiltrated the computing systems of hundreds of American utilities companies, to the point that they would have been able to trigger large-scale electricity blackouts. Officials fear that many more companies may already be breached than have been detected so far. In this post, we’re going to go over two of the biggest cybersecurity threats facing logistics and utilities companies: reliance on older technologies, and vulnerabilities introduced via third parties. We will also look at what can be done to prevent breaches like these in the future.

Legacy devices

Unlike most newly formed “digital-native” companies, many logistics and utilities companies have been operating their services continuously since the pre-internet era and are thus faced with the difficult task of adapting existing infrastructure and technology to the new connected reality. This often requires the integration of early non-networked computing systems and control devices into new IT systems. This process can greatly improve efficiency, but also introduces new risks, since these devices were never designed to be online and so do not have built into them the security features required of networked technologies. As these systems are brought online, sometimes as publicly discoverable internet-connected devices, they may increasingly be targeted by cybercriminals seeking to break into a system or damage key physical operations.

One particularly striking example is Supervisory Control and Data Acquisition (SCADA) systems. This control architecture, which predates the internet, has often been incorporated in a makeshift way into internet-connected software control systems. This leaves many SCADA devices exposed but completely unsecured. The IP addresses of SCADA devices can often be found using a simple online search, which gives hackers a way to target and take over essential physical systems in ports, warehouses and factories across the world. Moreover, many of the SCADA experts who are responsible for setting up and maintaining these systems have no security background themselves. As a result, they are often not fully aware of the vulnerabilities in the systems, which can lull companies into a false sense of security. In 2010, just such a vulnerability was exploited by the US and Israeli governments to sabotage Iran’s nuclear program, using a worm known as Stuxnet, which targeted SCADA systems in order to destroy Iranian uranium centrifuges.

Companies that rely on SCADA devices for their operations, as many providers of essential services do, must take extreme care when integrating them into modern computer networks. Executives need to ensure SCADA experts are properly trained on the vulnerabilities of the devices, and implement policies requiring risk assessments prior to integrating SCADA and other legacy devices into online control systems. Wherever possible, such integration should be avoided entirely, leaving SCADA devices isolated from the rest of the network. Failing that, users need to update SCADA security settings and follow best practice when it comes to passwords and data privacy.

Third-party vulnerabilities

Logistics companies tend to have relationships with many third-party logistics providers (3PLs) that manage parts of a supply chain, particularly warehousing and “last mile” delivery. These 3PLs, which may be smaller and less technologically sophisticated than the company contracting them, can make ideal staging targets for would-be hackers. A multinational conglomerate may have an airtight security system protecting its own systems from direct attack, but that will all come to nothing if a hacker can gain access via the system one 3PL uses to organise deliveries. The aviation industry may be particularly vulnerable in this regard, due to its heavy reliance on small 3PLs for maintenance, repair and overhaul. Forbes reports that of a range of aviation 3PLs it surveyed, only 67% described themselves as prepared for a cyberattack.

Companies need to be proactive in containing vulnerabilities arising from their third-party links, by increasing visibility across supply chains and enforcing agreed cybersecurity standards. This is by no means an easy process, requiring fundamental restructuring of business partnerships and increased transparency across relationships which many companies have been all too happy to leave opaque. In the long term, though, the spread of improved security standards throughout industries will help to make everyone safer and spare companies significant losses in the future. This shift also presents a big opportunity for smaller contractors willing to get ahead of the curve by offering good cybersecurity practices as a key selling point in the coming years.

– Jonathan Sharrock, Cyber Citadel.