Jun 23 | 2021
Addressing Technical Debt, Supply Chain Vulnerabilities
By Lori Musser
Cyberattacks can shut down even the largest and most tech-savvy logistics firms. Cyber crooks look for “attractive” data, vulnerable security, companies with systems and training that haven’t been kept up to date, and industries that have to respond quickly, or risk a lot.
Cyberattacks cause harm and companies must manage the risk.
Vulnerabilities exist all along breakbulk and project cargo supply chains.
Anywhere that computers and connectivity exist, there is the risk of having digital data compromised and manipulated, which means that investing in cybersecurity can create competitive advantages.
All supply chain participants are at risk, even ships at sea. Cybersecurity expert Ken Munro with UK-based Pen Test Partners, said to Breakbulk: “The problem is primarily one of ‘technical debt.’ Ship security didn’t matter so much in the past, as there was very limited internet connectivity … VSAT [very small aperture terminal] changed all that. Now vessels are always online, exposing decades of under investment … Operators and owners are now struggling to play ‘catch up’ and get ahead of the hacker.”
The level of exposure may be exacerbated for vessel and asset owners whose “roots are in traditional loss control.” In bygone eras, security was related to specific times, places and operations. Cyberthreats know no bounds, according to Andrew Kinsey, senior marine risk consultant at Allianz Risk Consulting. “It is a race that is never going to be finished.”
Kinsey said: “I sailed for many years with Maersk and they were ahead of the curve with cyber … but they were still subject to an attack. Constant vigilance is needed. The key is any terminal anywhere in the world is a gateway into your network.”
For carriers, a breach could be catastrophic. Munro said: “During test exercises, we have had remote control of steering gear, main engines, generators and navigational systems. A compromise of any of these could lead to serious incidents.”
The threat of GPS jamming is particularly concerning. “The technology for short-range jamming is well within the reach of the average consumer. I believe that we will see a spate of jamming incidents,” Munro said.
While penetration testing has been able to breach almost every onboard technology in an effort to help owners identify shortcomings, “it’s more likely that outages of shore IT systems will prevent a shipping line from operating,” Munro said. That, however, is no reason to be complacent. “IT and OT [operational technology] systems on board are also of interest to hackers. The opportunity to cause fluctuations in commodity prices by delaying shipments is a real possibility.”
Global logistics provider Blue Water Group was hit by a cyberattack in September 2020. In its year-end financial announcement the company confirmed, “Several IT systems have been shut down to stop and limit the attack.” An intensive organization-wide effort “ensured the operation, service and execution of the clients’ transports,” but an adverse influence on the company’s bottom line, related to lower efficiency and additional costs, was reported. The company nevertheless racked up record profits for the year.
Many cyberattacks target large logistics companies, including all of the container majors. In 2017, A.P. Moller – Maersk was the first reported, followed by COSCO in mid-2018, Mediterranean Shipping Co. in April 2020 and CMA CGM in late September 2020.
While most cyberattacks don’t make the news, a quick online search reveals attacks on many project cargo and breakbulk movers, including an attack last August on North America’s largest flatbed trucker, Daseke, which reportedly resulted in stolen data being posted to the dark web, and an attack on Australian logistics giant Toll Group, which resulted in some services being offline for up to six weeks in early 2020. Kinsey told Breakbulk that attacks on the logistics industry have been happening longer than anyone knows, but they didn’t often make it into the press.
Some attacks are not malicious; sometimes companies try to keep attacks quiet; and, undoubtedly, sometimes companies quietly pay ransoms, against the general advice of law enforcement.
In a presentation to a U.S. congressional committee back in 2017, Port of Los Angeles Executive Director Gene Seroka said his port stops a whopping 20 million cyber-intrusion attempts monthly.
In December 2020, the Port of Los Angeles got approval to create a first-of-its-kind Cyber Resilience Center.
“Collaborative cyber-threat information sharing is critical to the safety and security of our port,” said Thomas Gazsi, deputy executive director/chief of public safety and emergency management. The center will put the Port of Los Angeles at the forefront of maritime cybersecurity initiatives, he said.
At the Port of Rotterdam, cybersecurity is a top priority. It has cyber resilience specialists on staff and introduced a Cyber Notification Desk in 2018 to give the port sufficient information to roll out an appropriate response when needed. The port was hacked a decade ago. All business transactions came to a standstill as the Tax and Customs Administration’s computer system used for reporting imports and exports went down, according to the port website.
Help at Hand
Carriers, engineering, procurement and construction companies, railroads, ports, trucking companies, forwarders – all have been hacked. But help is available. Munro said: “There are a number of flags, classes, regulators and more who are helping drive ‘cyber’ forward, with varying success. The IMO cyber standard is a good step in the right direction.”
Kinsey added that we all depend on each other: “The big EPCs are relying on the shipping industry, truckers, barge lines, etc. That last mile depends on every piece of the supply chain. They deal with small operators. This isn’t a place where we want to exercise a cutthroat market approach. This is a place where we want to help each other.”
Industry associations like the American Trucking Association conduct cybersecurity educational outreach, helping members navigate the digital age with information on real-time cyber incident detection, or recent attacks against connected fleets. The Association of American Railroads’ Rail Information Security Committee likewise serves as a conduit, sharing information related to cybersecurity, best practices and benchmarking efforts.
The speed of sharing information on current attacks is critical: if one industry member is attacked via an industry-specific vector, others in the know can check their version of that same vector for compromise.
Project Supply Chain Concerns
For the project cargo business, Kinsey said, cyber breaches can impact project delivery. “When we are looking at just-in-time delivery, the cost of an interruption along the supply chain has to include the ripple effect … With project cargo delivery, everything is based on the next step. If a module or compressor is delayed, we have a follow-on impact,” which can be significant if a project has to shut down for even a day.
Business interruption insurance for construction projects (Delay in Start-Up coverage) is a cost of doing business, but there are additional costs related to, for example, business entity reputation risk or negative public sentiment, which can impact a project substantially.
And if getting hacked isn’t enough, there can be penalties for lax cybersecurity. For example, “the EU is not afraid to level big fines if there is a loss of confidential information for clients,” Kinsey said.
From a contract perspective, it is important to realize that cyber issues and protections are being written into contracts for supply chain services and project development. It isn’t just an individual company’s exposure to risk. “More and more often it is becoming a requirement to have cyber protections in place in order to bid on and get contracts,” Kinsey said.
“Strategically, it’s difficult for an operator to know where to start. Where will investment show the greatest return? This is where a penetration test can help,” Munro said. Once the easiest routes to hack are identified and fixed, operators can “then get started on a program of improvement to comply with IMO MSC.428(98).”
Kinsey said: “Hand in hand with cybersecurity is making sure everything is up-to-date on networks,” allowing companies to “interface with customers who are updated. Mapping and tracking has come so far. Having an agile company now means having an agile network.” It is all part of the new cyber-aware industrial hygiene.
For vessel operators, “Tactically, it’s critical to ensure the security of your satcom systems. Simple passwords, unpatched terminals and weak network segregation on board make for easy routes to compromise a ship remotely,” Munro said.
All in the Same Boat
There is plenty of help for transportation and logistics companies. Kinsey said: “The fact that this is an all-encompassing threat for everyone utilizing cyber helps.” There are frameworks and guidelines – NIST, Coast Guard, BIMCO, and others, he added. Some are marine- or transportation-related, but this is not just a marine threat.
Moreover, he said: “Make sure you work with your broker to ensure you have coverage. It is belts versus suspenders. You want to make sure you can operate successfully, and always do online updates, cloud backups, hard backups, etc., but you should still ensure you have coverage in the event of an incident.”
Unfortunately, “Most vessel insurance policies will specifically exclude cyberrisk through Clause 380,” Munro said, but there may be cyber buybacks allowed, especially for those demonstrating good cybersecurity controls, and “silent cyber” cover is sometimes present through poorly worded policy terms.
Connectivity is the backbone of the transportation industry as it supports efficiency. “Hackers jeopardize these efficiencies and bring wider risk to your operations,” Munro said. Stopping them, or at least minimizing their impact on the supply chain, has become an all-hands-on-deck effort.
Based in the U.S., Lori Musser is a veteran shipping industry writer.
Image credit: Shutterstock