September/October 2018
Cybersecurity is Emerging as Key Freight Industry Issue
Improving cybersecurity is emerging as a key issue across the intermodal freight industry that will require stepped up efforts to prevent future attacks.
Comments from Intermodal EXPO speakers and trucking, rail and federal security officials illustrate the scope of the potential threat, as well as the harm that can result from a single incident.
Christy Coffey, executive vice president of operations for the Maritime & Port Security Information Sharing and Analysis Organization, described the consequences of the attack on ocean carrier Maersk’s computers last year.
While the ocean carrier estimated its own losses at about $300 million, she estimated that lost productivity, delays and disruption cost the entire global intermodal freight network a total of about $10 billion, citing a White House survey.
For example, hundreds of trucks were stacked up near the Port of New York and New Jersey docks, forcing New Jersey’s Governor Chris Christie to order that the trucks be taken off interstate highways and diverted into temporary parking lots, she said. For several weeks, workers with clipboards and walkie-talkies relayed container information that normally moves through computers.
Coffey shared that ocean carriers have been vulnerable in several ways. Even as maritime carriers increase cybersecurity awareness and technology, adversaries can track a vessel online and gain access to the line’s internal information system through a ‘side door,’ meaning a contractor.
Learning Experience
“The Maersk attack is a good one to learn from,” said Lars Jensen, CEO of SeaIntelligence Consulting. “Rest assured you will get penetrated. Do your finest effort to keep everybody out. But if someone gets in, make it difficult to have an attack spread through your system.”
To illustrate, he noted that Maersk found 50,000 computers disabled in just seven minutes. It became more difficult to track what happened, he added, because they were turned off, losing valuable data that could provide clues.
Susan Kohn Ross, a partner at Mitchell Silberberg & Knupp LLP, said, “You can’t worry about being hacked. You will be. The question is what do you do from a personal perspective and from a business perspective to minimize the probability. If it happens, what is your plan of attack.”
Jensen said ocean carriers as a group have taken a gradual, at best, approach to cybersecurity that needs greater attention throughout the industry.
He noted that it was discovered after the Maersk attack that about half of ocean companies didn’t update their systems in response to a Microsoft message to do so to reduce vulnerability. Jensen’s firm found user names and passwords on sticky notes on some vessel computers.
“What we find is that this is not rocket science,” Jensen said. “Should we be afraid? Yes, [carriers] are under attack all the time.”
“The misperceptions come in several forms,” Jensen continued. “One is that it is an [information technology] problem. It is a business problem, and a people problem. Things go wrong when someone in the organization does something they are not supposed to do. Many companies think they need a cybersecurity suite. It does no good to have fantastic cybersecurity if you don’t do the mundane and boring stuff — like upgrading systems. The problem is that right now it is not getting done.”
Steps to Take
Jensen recommended that passwords be 25 characters, which makes them unhackable. A typical eight-character password can be hacked in as little as four hours, he said.
Reusing passwords also isn’t recommended because, once hacked, all of the other data that is supposed to be protected by them is accessible as well.
Ross said not to keep passwords in email programs, but on a separate piece of paper. She also advised mandatory password changes on a regular basis.
Ross advised that businesses should have a crisis plan, and test it in advance. One watchword is to not turn off computers because someone will have to track down what happened.
With data in hand about how the incident occurred, experts can go back and determine what needs to be done to prevent a recurrence. A particular vulnerability is third-party vendors, whose security systems need to be scrutinized when contracts are made, she added. Older operating systems also need to be updated, she said.
Ross believes the underlying question about cybersecurity that needs to be asked — how long can we afford to have a business shut down completely — should be directed to the CEO level to make sure the issue gets its necessary attention.
Other Preventive Measures
Additional guidance offered by Ross was that the question isn’t whether to have a backup system, but rather which one will be most cost-effective. After the 9/11 terror attacks, she noted that the bond trading firm Cantor Fitzgerald’s systems were back up and operational the next day because those systems were off-site, even though their World Trade Center offices were destroyed.
Asked how the entire transportation network can catch up on cybersecurity, Jensen advised companies to continue the development of systems unabated, no matter how difficult the process may appear to be.
Ross insisted that transport businesses must pay the same kind of attention to cybersecurity as almost any other business from a legal standpoint. That means discussing how cybersecurity events affect contract conditions and indemnifications, particularly for cross-border transactions facilitated through the Customs Trade Partnership Against Terrorism Program. That program includes some cybersecurity compliance provisions, she said.
Increasing resilience through strong risk management and improved cybersecurity to the nation’s most critical systems and functions is at the core of our mission, said Department of Homeland Security spokesman Antonio Soliz, citing transportation, water, power and other vital systems.
DHS focuses on reducing risks for transportation and all other critical infrastructure through partnerships with law enforcement, intelligence agencies and other government offices as well as private sector operators, he said. The result, he explained, is a collective defense model to mitigate threats.
“The last five years have brought a marked increase in concern regarding the potential for cyber-based attacks on critical infrastructures, and the number of cyber-based incidents across critical infrastructure sectors that asset owners reported to the National Cybersecurity and Communications Integration Center has risen,” he said.
Still more government level attention is expected in North America, said Ross.
In January 2020, a new California law will take effect that will have the same sort of tighter computer security requirements as the European Union’s General Data Protection Regulation, which took effect on that continent earlier this year. The impact extended to North America, affecting firms that do business in Europe.
Rail, Trucking Industry Initiatives
“To help ensure the security of their information technology networks and systems, America’s major railroads have taken proactive and multi-faceted steps to prevent, respond to and build resiliency against cyber threats,” Association of American Railroads spokeswoman Jessica Kahanek told Insights. “Railroads perform thorough assessments of potential vulnerabilities, implement protective countermeasures and recruit and train specialized cybersecurity staff.”
The industry relies on the Rail Information Security Committee, which was formed in 1999, as the focal point of unified and coordinated efforts, including analysis of both successful intrusions and blocked attempts to target private and public sector entities, Kahanek said.
On the trucking side, American Trucking Associations has created Fleet CyWatch for motor carriers to report cybercrimes that affect fleet operations.
In a statement, ATA President Chris Spear said, “As the industry responsible for delivering America’s food, fuel and other essentials, security is of paramount importance, particularly in an increasingly technologically connected world. Fleet CyWatch is the next logical step in our association’s and our industry’s commitment to working with law enforcement and national security agencies.”
ATA’s Technology & Maintenance Council and its Transportation Security Council worked with the Federal Bureau of Investigation to create CyWatch as a method of reporting information about internet crimes in the trucking sector, while also delivering a method for informing motor carriers about private and federal efforts to increase cybersecurity in the sector.
