This is a story about how cybersecurity, in an abstract sense, is a lot like freight transportation, logistics, trade compliance, or supply chain writ large. That is to say, data and systems security is largely seen as a cost center, rather than a competitive differentiator.
In late June, the biggest cybersecurity incursion into the world of shipping and logistics on record occurred when the systems of the A.P. Moller-Maersk Group were infected by a virus that, depending on who you ask, may have been so-called “ransomware” or may have been something called “wiper malware” masquerading as ransomware.
Ransomware is a virus that locks a hard drive, rendering it inaccessible to the user, until a ransom is paid, generally in a cryptocurrency not tied to any regulated banks.
Analysts still aren’t quite sure what to make of the attack that crippled Maersk and other businesses across multiple continents this summer.
“I don’t think anyone is clear about whether it’s Petya or NotPetya,” Holley said. “Based on the post-mortem articles I’ve seen, this had to do with a specific vulnerability with Windows to first infect, and then to spread.”
Third-Party Risk. Whatever the exact characteristics of the attack, the implications going forward are clear. The shipping industry, like just about every other industry on Earth, is far more vulnerable to hacking than anyone would care to admit.
Industry soothsayer Lars Jensen, chief executive officer of SeaIntelligence Consulting, predicted as much several years ago, when he said most carriers were vulnerable to simple hacks due to inadequate email password protection, never mind an all-out attack on their systems.
But the good news, according to a handful of logistics technology providers that agreed to speak with American Shipper off the record, is that there are steps companies can take to make sure they aren’t as affected as Maersk was in the event of an attack. Maersk estimates the attack impacted the company’s bottom line to the tune of $200 million to $300 million, Group Chief Executive Officer Soren Skou said in an Aug. 16 earnings call with analysts and media. Sources told American Shipper the figure was likely on the higher end of that spectrum, as much as $50 million a day for the first few days, when all the company’s data was locked up and port facilities operated by subsidiary APM Terminals were shut down.
Let’s start with some fundamentals. The global shipping and logistics industry is a highly decentralized universe. The largest ocean carriers, logistics companies and shippers are all multinational corporations, with physical offices on multiple continents, often in dozens of countries.
The industry is also highly reliant on networks. Shippers and forwarders must interact with the systems of a carrier in some way, whether directly, or through intermediary software systems where they can make bookings or receive visibility milestones, among other connected data points.
All of those parties are in some way linked, either through direct data feeds, shared access to a common portal, or through the most common digital link of all: email. When Maersk was hit, each one of these entities was at some risk of being affected, depending on the data that was conveyed to them, the way it was conveyed, and the cybersecurity protocols they had in place to protect them.
Holley’s consulting firm, Information Systems Integration, doesn’t work within the shipping industry, but he said this kind of “third-party risk” is in no way unique to the world of supply chain and logistics.
“It’s not unusual for an industry to be so interconnected,” he said. “It goes back to some level of third-party risk. Whatever the number of companies in my supply chain, I need to be verifying that my third-party folks are falling under some sort of compliance and governance.
“It doesn’t matter if you’re in five or 100 countries. If you have a sense of your systems, you’ll be able to keep those systems up to date. There’s been a lot said in defense of firms not being able to pivot, but that reasoning is specious. You should know what your crown jewels are, where your data is. You should have a grasp on everything.”
Cultural Disconnect. According to Holley, the nature of a business—global or domestic, centralized or decentralized, dependent on third parties or not—doesn’t necessarily make it more or less vulnerable to cyberattacks. A much better indicator is the company’s philosophy toward maintenance and prevention.
Holley, whose firm’s primary business is helping major U.S. lobbying firms protect their systems from potential threats, pointed to a fundamental disconnect between the IT people dealing with cyber threats at the ground level and the executives charged with strategically protecting those companies.
Larger corporations, like Maersk and the world’s top freight forwarders, likely have a couple of things working in their favor as it relates to cybersecurity. They have the resources to staff security positions in-house and, as Holley noted, they probably have a lot of custom code written into their systems that they maintain more rigorously than if they were using strictly off-the-shelf systems.
If those resources are focused on maintaining protection and patching older systems, that in-house capability is a plus. Most companies, however, don’t have the internal IT expertise or bandwidth to research existing and future threats. For instance, Holley said part of what his firm does for clients is constantly search the so-called “dark web” to keep abreast of the next weapon to be developed by hackers.
Cybersecurity firms come in all shapes and flavors, and Holley said almost every industry has its own set of niche consultants that understand the particular threats faced by its businesses. Lobbying associations, for example, are often attacked by activists and corporate espionage agents, so his firm focuses first and foremost on countering those threats.
“The cybersecurity industry is just that—an industry,” he said. “It’s growing, stock values are going up. But it’s an industry that thrives on obfuscation. The thinking is, if we can insert doubt, we’re going to make more money.”
That obfuscation is caused, in part, by the scope of the cybersecurity problem. As more companies become reliant on data, their exposure to bad actors increases. But the broader the exposure, the more overwhelming it can be to protect vital assets. That sense of being overwhelmed often contributes to malaise at the executive level. And what’s more, many companies believe they’re safe because they assume someone else must be monitoring these things. That “someone else” might be a governmental body, or even their company’s software provider.
Human Element. As more companies gravitate toward open source systems, where programmer communities collectively build, maintain, and protect systems, this passive outsourcing of security could grow.
“In general, the average user of cloud systems is more secure than they’d be able to do on their own,” he said. “There’s so much that can be done in an agile, cloud-based environment, so many economies of scale to be leveraged.”
Many companies operate under the assumption that “we haven’t been compromised, we haven’t been breached, so what we’re doing must be working,” he said. “You have to overcome that level of ignorance, and demonstrate that they are in fact vulnerable.”
This is another way that cybersecurity resembles supply chains, particularly as it pertains to trade compliance. Just as supply chains have traditionally been seen by shippers as cost centers, investment in trade compliance is often seen as an expense that’s not worth making until something goes wrong. Holley said this thinking permeates the business world when it comes to cybersecurity.
Maersk’s experience with Petya (or NotPetya) should be a wake-up call for the entire shipping and logistics industry. No longer can a small shipper say that cyberattacks don’t affect them. No longer can small freight forwarders say they are insulated from the effects of such an attack.
If anything, smaller businesses are often more vulnerable, since they don’t always have the in-house resources to monitor dark web activity, maintain system patches and ensure all their partners are similarly diligent.
Holley pointed to the U.S. Commerce Department’s National Institute of Standards and Technology (NIST) as a good starting point for companies looking to protect themselves and their IT systems. NIST developed a cybersecurity framework under the Obama Administration and continues to update it.
Without prompting, Holley also mentioned that the Internet of Things (IoT) has the potential to rapidly escalate the cybersecurity threats facing the world. IoT, of course, is a hot topic in supply chain circles as companies seek to get constant, real-time data about the movement of goods.
All that data is great from a consumption and analytics perspective, but it also introduces more pathways to attack. Think of sensors on containers connected to a ship at sea, connected to a satellite signal that’s received by a mobile phone, that in turn feeds data into a backbone system. That’s a lot of openings for those with malicious intentions.
“I’ve been doing this for more than 24 years,” Holley said. “We still, by and large, rely on humans to monitor system logs, to patch systems, to monitor threats and to provide threat intelligence. We haven’t yet woven in [artificial intelligence] and automation to solve what we do.”
Maybe it’s a matter of messaging. Maybe the cybersecurity community, across industries, hasn’t done a proper job of conveying the magnitude of the problem, or that there is also an achievable path forward, Holley said.
“I’m struck by the fact that whatever message exists doesn’t seem to be resonating, particularly around SMEs,” he said. “They’re not prepared. The fact that we’re vulnerable is not resonating. There has to be a reason behind it. The danger is not overstated. It’s real and it’s there.”