CYBERSECURITY FOCUS BENEFITS ALL INTERMODAL PARTICIPANTS


JULY/AUGUST 2019



Cybersecurity continues to be a key issue to be addressed throughout the intermodal industry.

In light of recent events both inside and outside the freight transport industry, Intermodal Insights asked expert representatives from every segment of the intermodal supply chain to share their perspectives on how best to address cybersecurity. Their comments highlighted several points, including the interconnection of data among intermodal users, how cybersecurity is being implemented, what kind of challenges are being encountered and recommended practices to address situations that may arise.

Ted Prince, chief operating officer of Tiger Cool Express, and David McLaughlin, Jr., vice president, information technology at RoadOne IntermodaLogistics, outlined the wide-ranging importance of the subject.

"As intermodal transactions become more and more interconnected, it is a real issue," said Prince. "It’s scary. I worry about it."

"Cybersecurity, especially with today’s technological landscape, is not only a part of our everyday business but it has become a culture we have adopted," McLaughlin said.

"Cybersecurity is like insurance; you hope you never need to use it but when you do you are relieved to have it. Every member of our company now has it ingrained into their everyday routines to always stop and think before they execute."

Intermodal cybersecurity is only as good as the weakest link in transactions, said Prince, as some companies have nine-figure budgets for information technology and security and some are able to spend far less, raising their risk profile.

Interaction Is Vital

Angie Barr, executive director of technology, and Tim Schneider, network engineer, provided the perspective of Evans Network of Companies.

"It’s important to think about how much data has to be interchanged with others," said Barr. "Transportation is a little behind the curve. There are many smaller businesses that don’t have the money to invest in security infrastructure.

"That creates a level of vulnerability. As long as we do our due diligence with all of the people we have to do business with, we are fine," she added. "It’s important to learn from those who have been through an attack, and learn what has to be done to remediate. Those are the best models for us."

"First of all, it’s important to harden our own network," Schneider told Intermodal Insights. "It’s also important to address the subject of cybersecurity with our partners. Experience has shown that attacks haven’t come from our partners. They have come from malicious players."

Other experts shared their views on how to best manage the flow of information through the intermodal industry.

"In a perfect world companies could just build the biggest cybersecurity wall possible, hardening it from all external attacks," said McLaughlin. "You need to determine a healthy balance between being secure, but not so secure that it disrupts your daily business work flow. This is why educating your users on cybersecurity and utilizing cyber defenses … is a must and no longer optional."

William Dupre, director of security for Railinc, believes that assessing the sensitivity of data is critical before interaction begins.

"Determining that sensitivity can be achieved through a data classification process which categorizes data and information based upon its impact to the company and its customers and partners," according to Dupre. "Informed by this categorization process, measures can then be put in place to protect the confidentiality, integrity and availability of the data and information."

Port Sector Involvement

Cybersecurity is a focus of the port sector.

Earlier this year, an American Association of Port Authorities report stated that 85% of its members expect "direct cyber or physical threats to their ports to increase over the next 10 years." Costs solely for cybersecurity needs over that period were estimated at $1.27 billion in the report.

The Port of Los Angeles has proposed to create what was described as a "cyber resilience center" with its stakeholders. That project could advance the effectiveness of a cybersecurity department created in 2014 and potentially complement the port’s ongoing efforts with General Electric to enhance visibility and interconnectivity for international container cargo. The new approach would expand the cybersecurity focus beyond the command center’s concentration on Los Angeles’ own maritime infrastructure.

A working group has been created that includes ocean carriers, marine terminal operators, railroad companies, labor and representatives from the trucking industry. The goal is a collaborative effort to help companies prepare to fend off cyber risks.

"Ports are a key part of a complex system that must address cyber risks," said Tom Gazsi, deputy executive director and chief of public safety and emergency management. "Over the past few years, we have seen how cyber incidents have impacted some ports across the world, threatening the operations of the entire maritime supply chain. That’s why we’re taking a collaborative approach to strengthen our cybersecurity posture."

Government Perspective

Michael W. Lowder & Global Associates provided a government-related perspective.

"The big challenge is to maintain connectivity, and have reliable security within their own systems and with their suppliers," said the former Department of Transportation official who now leads his own consulting firm. "You have to be able to do that quickly, efficiently and accurately."

Lowder, who directed the agency’s office of intelligence, security and emergency response until last year, believes that intermodal cybersecurity is more complicated because an already complex system is being expanded to include other companies.

An important subject is government information interaction with freight transport companies, Lowder said. Governments have had to put in more measures for information security, including both those for internal use and communications across multiple modes of transportation. Very complex and cumbersome government systems need to be adjusted to work toward a common objective that coordinates closely with industry, particularly in a multimodal setting, to have consistent formats and configurations to improve and enhance the movement of information. It is important to make those adjustments during the planning process, when information is being shared, rather than try to fix a system once it is in place.

He compared the process to combining apples, oranges, pineapples and grapefruit and still finding a way to make a good fruit salad.

How It Is Done

"It is extremely important to either have secure internal networks or work with secured network service providers (cloud systems)," said Jordan Zeldin, an account executive at insurer Avalon Risk Management. Having an up-to-date cyber security team or partnering with a third party for this service is vital to making sure that potential hacker windows are shut and that best practices are followed.

"Cybersecurity should be hand in hand with operations," Zeldin noted. "Why is it necessary? Think about the environment today. Even in transportation, computers and internet communication are necessary for a successful business. Cell phones are becoming the driver’s office, storing financial information, cargo information and potentially customer information as management systems are becoming applications. As trucking companies push to incorporate newer technology to save on their bottom lines, the exposure only grows."

Barr and Schneider provided some details of Evans’ approach.

"We do encryption down to the database level," Evans’ Barr said. "Our sites are all protected. Firewall rules are in place. We have to look at data such as social security numbers and [automated clearing house] data. We have to be sure for everyone’s sake that partners have secure systems in place."

Schneider said the company uses cutting-edge technology, which is not inexpensive. However, he said the expense is worth it to be able to be operational in hours instead of days or weeks if there is an attack.

Tiger Cool takes multiple steps to protect its systems. Threats are minimized, Prince said, because the company has a network but it doesn’t have any servers that can be attacked. Another protective measure is the increase in security audits.

"We train everybody," he explained. "We run tests. This is a business where we are buried in email. People click on stuff that they shouldn’t. That is the biggest single threat out there.

"We are completely in the cloud, and we are dependent on our cloud providers to make sure they have cybersecurity in place," he said.

Best Practices

"In most cases the cause of a security breach is not from a lack of network security appliances or policies, but yet from an end user being tricked into letting the bad guys in," McLaughlin believes. "Whether it is a common spoof attack or a phishing email it is mission critical that every company invest in educating and training their users about, and how to deal with cybercrime."

Railinc’s Dupre noted several steps that can be effective.

"With intermodal being part of critical infrastructure of the United States, following the National Institute of Standards and Technology guidelines, specifically the NIST Cybersecurity Framework, is a great place to start. It is also important to establish programs covering the following areas: vulnerability management, patch management, endpoint security and employee awareness."

Zeldin also offered guidance, focused on executive buy-in and training. "Two-factor authentication on all payments with at least one c-suite approval is vital," Zeldin said, along with at least biannual training on best security practices including use of emails, mobile phones and any applications tied to the network.

Vendor verification either in-house or through a third party also is important, he added.
