TT Talk - Appreciating supply chain cyber risk

Few in the international freight supply chain can be unaware of the 'NotPetya' cyber event that struck at the end of June 2017. The repercussions should have caused organisations to review every existing assessment of the risk exposures arising from cyber activity.

Cyber risk has long been a 'when' not 'if' issue. Now there is merely increased urgency on the task of completing a thorough, holistic assessment of the risks facing every business. Perhaps the greatest challenge is simply that this is a new paradigm, for which existing or historic models may be inadequate. Cyber risk is big, complex, diverse and largely hidden, but has the ability to impact organisations in the most fundamental ways.

Uncomfortable realities

The uncomfortable realities are twofold: firstly, the interconnected infrastructure on which global business relies is inherently insecure and, secondly, human nature and ingenuity is at once the greatest strength and the greatest weakness. If any doubted the intensity of the struggle of 'good' and 'evil' in this arena, the launch of Operation #LeakTheAnalyst at the end of July should be a claxon wakeup call.

Consideration of the well-publicised WannaCry and NotPetya cyber incidents cannot rest on the technology aspects, albeit that these are important. Both were, apparently, strains of encrypting ransomware that targeted commonly used Windows operating systems. The means of infection is typically an email distribution that includes a malicious link, usually from an unknown sender. Once launched inside an organisation's network, the ransomware can quickly spread and infect other vulnerable devices, servers and systems.

"Consideration of the well-publicised WannaCry and NotPetya cyber incidents cannot rest on the technology aspects"

For the most part it may be assumed that organisations will be unwitting victims, although corporate espionage and the like cannot be totally discounted. The recent events struck across the globe and affected a broad range of activities, including food companies, law firms, shipping, banking, utilities and health. The simple conclusion is that criminals are exploiting weaknesses across the board, and both extorting money and causing significant disruption.

Supply chain exposure

It is surprising that the intermodal supply chain has, apparently, not been more exposed and disrupted through cybercrime activity. In part this may be due to low level of transparency and reporting; anecdotes certainly suggest that many stakeholders are the subject of prolific 'attacks' of various kinds on a continuing basis. It is understandable that organisations tend to be coy about the incidence and manner of cybercrime activity; A P Möller's undertaking to reveal lessons learned from the recent event is to be welcomed.

In reality, the intermodal supply chain is peculiarly exposed, since it is increasingly reliant on information and communications technology (ICT) linking offices between different countries in each individual organisation, depending on interactions with multiple third party stakeholders and often operating on custom-built/proprietary applications, where security protocols may not be alert to recent vulnerabilities. Added to these, many entities will, in the ongoing economic and competitive environment, create overall risk appetites that are aligned other than to cyber risks, prioritising scarce budget accordingly.

"Many entities create overall risk appetites that are aligned other than to cyber risks"

The variety of impact is vast, ranging from simple theft or fraud, through the potential for system or equipment control or manipulation, and extending to release of data or intellectual property.

As with human virus exposure, essential hygiene lessons are generally well-known, including:

  • Ensuring that software patches are applied regularly, probably now recognising that there is little time to assess collateral impacts on dependent applications;
  • Maintaining effective anti-virus software and strong spam filtering (most vendors will rapidly add detection capability for evolving malware strains); and
  • Systematically backing up key data regularly, including ensuring that the backup files are held offline so they cannot be infected by any subsequent ransomware.

Many companies have additionally reviewed email security arrangements in an effort to reduce the volume of potentially fraudulent email. Measures can be put in place to strengthen email sender identification prior to release into an internal email system, including 'sender policy framework' (SPF) validation. SPF confirms a message is from a legitimate domain associated with the sender company; further checks are still necessary to filter out potentially malicious content.

Assess human behaviours

Clearly, system mitigations support the human interface, but each individual must still be alert to risks. Thus, such risk mitigation techniques need to be combined with engagement with the 'elephant in the room': human behaviour. The structure and culture of each organisation will fundamentally impact the way in which its employees and counter-parties react to cyber threats and vulnerabilities. The articulation of clear policies - including in relation to topics such as whistle-blowing - and effective, regular awareness and good practice training are necessary mitigation to combat at least the careless insider threat. For example, the ability to spot suspicious emails and handle them correctly remains vital.

"Recognise that people have lives outside the workplace"

There also needs to be clear recognition that people have lives outside the workplace. Organisations need to consider the interfaces with devices such as smartphones, let alone the potential vulnerabilities presented through social media usage. At both personal and corporate level, a considered balance is required between the strength of perimeter security and its ease of use. This needs to encompass not just matters such as password/PIN complexity, but also clarity concerning connection and use of peripheral devices and USB flash drives.

"Assessment of cyber risks needs to lead to mitigation that recognises that perimeter defences are insufficient on their own"

Together with the reality that ICT is thoroughly pervasive in achieving personal and corporate objectives, assessment of cyber risks needs to lead to mitigation that recognises that perimeter defences are insufficient on their own, concluding that focus should be given to the human factors alongside additional detection and remediation techniques. Experience to date may yet be minor skirmishes.

We hope that you have found the above interesting. If you would like further information, or have any comments, please email us, or take this opportunity to forward to any colleagues who you may feel would be interested.

We look forward to hearing from you.

Peregrine Storrs-Fox

Risk Management Director, TT Club

Staff Author

TT Club