Do you think you’re ready for the connected food supply chain that the Internet of Things (IoT) is promising?
In preparing for the exciting future of sensor-enabled devices offering better management intelligence, how many of us recognize the security risks this networked future is unleashing? Do we know the data that helps us make better business decisions on farms, factory production lines, in warehouses, and in retail outlets can also cause a lot harm in the hands of unauthorized users?
As exciting as technology is for the food supply chain, companies cannot ignore the parallel growth of organized cybercrime.
Jon Amis, a global supply chain assurance program director at Dell Inc., a computer technology company, told a gathering of supply chain managers in March that cyber threats are different from other risks because they can occur any place, any time. Amis addressed the Supply Chain Risk Leadership Council at Pennsylvania State University. The gathering was well attended, reflecting the growing awareness of cyber risks among supply chain decision makers.
The 2013 data breach at Target Corp. delivered a wake-up call for many consumers, retailers and electronics goods manufacturers and distributors. In that highly publicized attack, hackers got ahold of the personal identifiable information (PII) of 70 million customers as well as data for 40 million credit cards and debit cards.
According to Krebs on Security, a cybersecurity consultancy, the Target attack began when malware infected the computer of an HVAC contractor working for Target. The hackers were able to steal the virtual private network credentials that the contractor’s technicians used to remotely connect to Target’s network. After infiltrating the contractor’s software, the hackers gained access to Target’s billing system.
Supply Chains at Risk
While all software users are at risk of cyberattack, Brian Klenke, co-founder and vice president of incident response at Morphick Inc., a cybersecurity firm, says supply chain companies are especially at risk. “Supply chains are a way in,” Klenke says. The supply chain offers a hacker a path to other business systems, such as billing.
A supply chain is a network, notes Arun Samuga, vice president of research and development at Elemica, a supply chain software provider that serves food processors. If security is compromised at any point in the chain, the whole chain can be at risk. Samuga refers to this as the butterfly effect. “Who they partner with becomes extremely important,” he says.
Samuga says supply chains are more at risk from internal breaches than external ones. Because of this, he thinks companies need to separate employee duties as much as possible.
External breaches can and do affect supply chain companies, however.
Morphick’s Klenke points to the case of an OTR carrier that suffered from an email “phishing” attack. An email that appeared to be from a job applicant contained an attachment that, when opened, installed malware on the company’s server. The malware disabled access to the company’s files. The company had to hire someone to recover their files.
Another OTR carrier received fraudulent orders from product brokers. The brokers hadn’t actually sent the orders; a hacker gained entry into the carrier’s database and placed the orders, then took cash advances from the brokers. The culprits were never caught.
Ocean carriers have suffered similar breaches. The Verizon RISK (Research, Investigations, Solutions and Knowledge) Team, a cyber investigation service operated by Verizon Enterprise Solutions, , reported a shipping breach recently. A global shipping conglomerate advised Verizon they were having problems with piracy.
Pirates were attacking vessels in an unusually targeted and timely fashion, according to the security briefing. They would board a vessel, force the crew into one area, and within a short amount of time they would depart.
When the crews eventually emerged from their confined quarters, they found the pirates had confiscated contents from certain cargo containers. It became apparent that the pirates had specific knowledge of the contents of certain crates.
According to Verizon, the pirates were able hack into the vessel’s software and access bills of lading.
The carrier has since adjusted its security procedures to include regular vulnerability scans of its Web applications and a more formal patch management process.
Klenke advises customers to educate employees in how to spot phishing attempts. Security contractors offer this type of instruction.
“This has got to be a business conversation,” Klenke says. “Computer security has for too long been an information technology problem.”
Information Technology Pros Know the Problem
A recent survey of information technology professionals by Tripwire, a global provider of protection, security and compliance solutions, indicated information technology personnel are well aware of security issues and are taking action. A 2015 study assessed cybersecurity challenges. Eighty-one percent of the 420 information technology professionals surveyed were confident in their ability to protect customer data, but nearly half were not confident that business partners and suppliers could do the same.
Additional findings from the study include:
• While 95 percent of respondents believe a supplier or partner security breach could expose valuable data, 61 percent said they were unconcerned or have bigger concerns.
• Less than half (44 percent) said their organizations require partners and suppliers to pass security audits before they sign a contract with them.
• Thirty-four percent use partners and suppliers that fail to meet their security standards.
• A quarter admitted their organizations do not evaluate whether suppliers met their security requirements.
• Half said they make exceptions or offer different standards for some partners.
Supply chain companies are paying closer attention to cybersecurity.
Is the Supply Chain Prepared?
“As information becomes more dependent on mobility and wireless connections, the security risks increase and become less self-contained,” says Melvin Kirk, senior vice president and chief information officer at Ryder System Inc. “For this reason, Ryder has enabled layers of security protections based on best practices and security solutions for the confidentiality, integrity and availability of its and the customer’s data. The security layers include, but are not limited to, endpoint protection and encryption, mobile device management, wireless intrusion prevention, firewall inspection and prevention.”
“Malware and hacking are always a potential risk to any organization,” Kirk adds. “Ryder’s approach to mitigate these risks is to have monitoring and alerting enabled at our perimeter defenses, ensure a security incident response plan is in place with periodic testing/mock exercises, and ensure the organization's employees receive security awareness training to support the organization's business success.”
Duie Pyle Inc., an LTL carrier, invested $2.5 million in data stability and security after conducting a review. The company has all of its servers housed in two “hardened” data centers that have the highest level of security. The two sites have identical information, so the information will be safe should something happen to one of the two.
“The deeper we got into this, [we realized] we really have to have top tier technology,” says Randy Swart, chief operating officer at A. Duie Pyle Inc. “There were potentially multiple ways somebody could hack into our system. Constantly we’re hit with people trying to do it.”
A retinal scan is necessary to enter one of these A. Duie Pyle sites. The security system automatically checks website links via email before anyone opens it.
DSC Logistics, a nationwide 3PL, has found the U.S. Department of Homeland Security’s Cyber Security Evaluation Tool helpful (See sidebar on page XX.) “We have defensive measures in place, i.e., firewalls, malware detection, anti-virus scans and so on,” says Kevin Glynn, the company’s chief information officer. “We use some encryption and are looking at more. We have third party penetration testing and practice disaster recovery regularly. We have regular meetings to discuss our security measures and projects to improve security.”
Supply chain service providers agree that cybersecurity has become a bigger topic among partners.
John Rosenberger, manager of iWAREHOUSE Gateway and Global Telematics for The Raymond Corporation, a material handling solutions provider, says customers are more concerned about network security nowadays. He thinks the concern has been driven by media focus on recent corporate network attacks involving ransomware, theft of personal information, data corruption and deletion. (Ransomware is a form of malware in which a hacker disables a company’s computer system, then demands a payment, usually in bitcoin which is hard to trace, before returning control of the computer system.)
The expanding use of mobile devices in the supply chain means more susceptibility to malware, says David Eckel, senior managing partner at enVista LLC, a supply chain consultancy and information technology services firm. “The level of automation in a warehouse is increasing,” he says. He says companies should be careful about allowing personal devices to connect to their networks; this could expose a network to malware.
Malware is the most common cybersecurity problem companies experience, Eckel says. The level of damage malware brings varies. In some instances, companies lose all their data and have to install new software.
Distributed denial of service (DDoS) attacks, where a deluge of cyber data targets a single server causing a denial of service, are less common in the supply chain, Eckel says.
No Need to Overreact
As cybersecurity attacks increase, people are advised not to overreact, says Richard Jones, chief technology officer at LINKFRESH Inc., an ERP provider. Jones says there has been a lot of misinformation spread about viruses and malware, such as the claim that Gmail accounts are infected.
“It’s an arms race, but it doesn’t seem to be unique to our sector,” Jones says.
As cloud-hosted systems expand in the supply chain, more customers are asking if these applications are as secure as on-premise systems. Jones and others claim cloud-based systems, if anything, are more secure than on-premise systems.
How Safe is the Cloud?
Agreeing with Jones on this point is Sean Elliott, vice president of corporate technology at HighJump Software Inc., a supply chain network solutions provider. He says many on-site servers lack firewalls. “Everybody gets hacked; it’s just a matter of the amount,” he says.
Elliott says the risk will increase as companies expand into e-commerce because e-commerce systems have access to payment information. “The guys that have that information are much more prone to being hacked,” he says.
Payment systems naturally draw interest from people motivated by financial gain, but money is not the only hacker motivation. Hackers sometimes have ideological and/or political motives.
Brian Larwig, vice president and general manager of the Appian division of TMW Systems, a developer of enterprise management software, says the cloud does provide data redundancy, which provides more security and eliminates the need to back up physical servers as you would with a self-hosted, on-premise system.
The good news is that cybersecurity tools are evolving to meet the rising challenge of cybercrime. Cybersecurity is a rapidly growing industry, meaning more tools will be made available to prevent data breaches.
In the meantime, supply chain decision makers have to recognize that increasing computerization puts all types of businesses at risk. A supply chain, being a network of organizations, has to screen its partners’ data management practices. Companies also have to periodically review their risks and train employees how to prevent and contain risks.
DHS Offers Cyber Security Evaluation
The Cyber Security Evaluation Tool (CSET) is a U.S. Department of Homeland Security (DHS) product that assists organizations in protecting their key national cyber assets. It was developed under the direction of the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) by cybersecurity experts, and with assistance from the National Institute of Standards and Technology (NIST). This tool provides users with a systematic and repeatable approach for assessing the security posture of their cyber systems and networks. It includes detailed questions related to all industrial control and information technology systems.
CSET is a desktop tool that guides users through a process to assess their control system and information technology network security practices against recognized industry standards. The output from CSET is a prioritized list of recommendations for improving the cybersecurity posture of the organization's enterprise and industrial control cyber systems.
The tool derives the recommendations from a database of cybersecurity guidelines.
When the user selects one or more of the standards, CSET opens a set of questions. The answers generate a report showing areas for improvement.
CSET has the following benefits:
Contributes to an organization's risk management and decision-making process
- Raises awareness and facilitates discussion on cybersecurity within the organization,
- Highlights vulnerabilities in the organization's systems and provides recommendations on ways to address the vulnerability,
- Identifies areas of strength and best practices being followed in an organization,
- Provides a method to systematically compare and monitor improvement in the cyber systems, and
- Provides a common industrywide tool for assessing cyber systems.
U.S. Coast Guard Assess Marine Cyber Risks
As part of its mission to reduce the risk of deaths, injuries, property damage and disruptions to the marine transportation system, the U.S. Coast Guard has published a paper, “Cyber Risks in the Marine Transportation System.”
The paper notes that vessel and facility operators use cyber-dependent technologies for navigation, communications, engineering, cargo, ballast, safety, environmental control and many other purposes. Emergency systems such as security monitoring, fire detection and alarms also rely on cyber technology.
While these systems create benefits, they also introduce risk. Vessels rely almost exclusively on networked GPS-based systems for navigation, while facilities often use the same technologies for cargo tracking and control. Each provides multiple sources of failure, either through a disruption to the GPS signal, or malware that impacts the way the signal is interpreted, displayed, and used on the vessel or facility.
The Coast Guard has documented cyber-related impacts on technologies ranging from container terminal operations to offshore platform stability and dynamic positioning systems for supply vessels. In some cases, pirates and smugglers have been the source of these events. Other breaches have been caused by non-targeted malware or insider threats.
For information on the Coast Guard’s cyber risk management strategy, visit www.uscg.mil