Supply chains are becoming more digital by the day, as companies add electronic sensors to everything from pallets and containers to conveyors, forklifts, and dock doors. While all that hyperconnectivity is great for supply chain visibility, connecting every truck and warehouse to the internet of things (IoT) also has a downside: It makes businesses more vulnerable to hackers, who can use those links to steal data or install ransomware—software that freezes a company’s entire network until the victim pays a steep fee.
Fortunately, companies don’t have to go it alone when it comes to security planning. There’s a wealth of information on cybersecurity available online, including protocols developed by government agencies and industry organizations to help businesses lessen their risk (see sidebar).
A COMPLEX PROBLEM
That’s not to say it will be easy. In the logistics sector, keeping track of every online asset can be a complex job, says Sharon Reynolds, chief information security officer (CISO) at the Dallas-based telematics technology vendor Omnitracs. In the transportation sector alone, trucks are rapidly becoming digitalized with internet connections like in-cab devices, IoT sensors, and links for routing and dispatch tracking.
Furthermore, modern supply chains involve complex webs of suppliers, who often share real-time data with each other. “Before, you could screen partners by just checking the financials of the company to make sure they’re reliable, and maybe get references. But with supply chain, even your suppliers have suppliers, so you need to identify your third-party and fourth-party risks. Now, you have to understand your entire cyberthreat exposure, because all the partners are interconnected,” Reynolds says.
That web of connections makes companies more vulnerable to attacks because a network is only as secure as its weakest link, agrees Pal Narayanan, executive vice president and chief information officer–Americas at contract logistics and supply chain services provider Geodis.
“You have partners with partners, and some of those partners operate right within your four walls,” Narayanan says. “That’s because the rising demands of e-commerce require increased automation and mechanization, like robotics, conveyors, or warehouse control systems. They’re all bringing their computer systems inside your [warehouse].”
In Geodis’s case, those connections add up quickly, as the company operates 160 warehouses and partners with 15 automation providers. Narayanan’s challenge is to get all those automated devices to work together and still be secure. “To protect your systems, you need to have security along with nimbleness and flexibility,” he says. “If you’ve got Fort Knox-level security, then you can’t grow your business because nobody’s coming in and nobody’s going out. So you have to find a balance.”
THE PRICE OF FAME
Striking a balance between business agility and cybersecurity has become increasingly difficult in an era when hackers are ramping up their attacks on the sector. “In the past, logistics was flying under the radar. Before Amazon, it wasn’t sexy, it wasn’t in the mainstream, so hackers focused on financial, banking, and medical companies,” Narayanan says. “But now, with how important online shopping has become and the impact of Covid, logistics has been thrust onto center stage, and with fame comes a challenge.”
A recent industry report underscores that point. In a study titled Supply Chain Disruptions and Cybersecurity in Logistics, cybersecurity services company BlueVoyant reported that hackers launched three times as many ransomware attacks on shipping and logistics companies in 2020 as in 2019.
Most of the recent attacks resulted from phishing—where hackers posing as legitimate companies persuade employees to disclose their passwords—or access to unprotected network connections called “remote desktop ports,” BlueVoyant said in the report.
But that’s hardly the only threat. Another rapidly growing vulnerability is the spiraling number of IoT connections, which are forecast to grow to 23.6 billion worldwide by 2026 from 8.6 billion in 2021, according to technology advisory firm ABI Research. While that exponential growth will usher in a new era of connectivity and productivity, it will also result in new threat vectors, ABI says.
CLOSING THE SECURITY GAP
The good news for logistics professionals looking to bolster their digital defenses is that, as relative latecomers to the game, they can learn from other industries’ experiences, says Omnitracs’ Reynolds.
For example, many companies suffered painful hacks in past years because manufacturers of IoT-enabled devices like webcams and digital video recorders (DVRs) had originally released their products without basic security requirements like password protection. It wasn’t long before hackers began taking them over as “botnets,” which are collections of private computers that have been hijacked to send out spam and malicious software.
Those botnet attacks can also be launched from home appliances like printers and refrigerators, which connect to residential internet networks that are typically far easier to hack than their office counterparts, says Chris Sandberg, vice president of information security at freight fleet technology specialist Trimble Transportation.
And that botnet threat matters not merely because a hacker might take over your fridge, but because the ubiquitous kitchen appliance is a node on the internet and can be used as a resource to launch attacks on any target worldwide.
That security gap means that many companies have become far more vulnerable over the past year as their employees started working from home offices during the pandemic. “The more people work from home, the larger your attack surface is,” Sandberg says. “If you push a fence out and can’t see it all, you can’t see what cuts through that fence.”
And the same principle applies to trucks that are increasingly wired with connected devices like infotainment systems, manufacturers’ diagnostic sensors, telematics, and electronic logging devices (ELDs), he adds.
ADDING LAYERS OF CYBERARMOR
As for what companies can do to protect themselves, Sandberg recommends starting with policies where you can rack up some easy wins. His advice: Identify critical resources and vendors, create disaster response plans, train employees not to share accounts, urge them to use multifactor authentication, encourage them to create complex passwords and change them frequently, and add cybersecurity awareness to truckers’ pre-trip checklists.
Other security specialists remind companies to conduct frequent data backups across their entire systems, decreasing the chance they’ll have to pay hackers a ransom to get their data back.
Building better cyberdefenses might sound daunting, but corporations can succeed if they approach it as a business problem like any other, says Omnitracs’ Reynolds.
“Complicated business problems are being solved by these companies every day. So, they just need to treat it like risk management. And there are only four things you can do with risk: Avoid it, reduce it, transfer it to someone else, or accept it,” she says.
Given the mounting threats, Reynolds urges logistics professionals to get out ahead of the problem and ensure they have a comprehensive cybersecurity plan in place. “I think you can’t afford not to; this is a part of doing business,” she says. “But we can learn from other groups that have discovered these realities,” Reynolds adds. “This is an incredibly resilient industry, so I don’t think it’s a challenge that’s insurmountable.”
