Supply Chain Managers Put on High Alert Against “Ransomware”

Cybersecurity threats to the US shipping industry continue to haunt supply chain managers this year, say analysts.

Both the U.S. and Canada have recently issued advisories on “ransomware” attacks. These events permit hackers to capture critical data, denying access to it until they are paid a large ransom.

This attack could potentially cripple key stakeholders like shippers, ports, trucking companies, etc. causing widespread disruptions and confusion, as well as safety issues.

Ransomware uses special encryption software to lock up the targeted data, so that it is irrecoverable until the hackers release the key. The malware is typically spread via phishing emails, infected websites and other means (portable media, vendor networks, ‘botnets,' etc.) - and all it takes is one infected computer to put a company's entire network at risk.

Security analysts report that they've already seen this malware target a wide range of sensitive industries, from Israel's Electric Authority to US police departments and hospitals. Analysts add that it's only a matter of time before the shipping industry is impacted.

Jason Glassberg is co-founder of Casaba Security, an “ethical hacking” firm in Seattle that simulates criminal cyber attacks and advises many Fortune 500s, as well as critical infrastructure, transportation and government agencies. In this exclusive interview, he explains how managers can do more to secure their supply chains.

Supply Chain Management Review: What kind of supply chain is most vulnerable to this kind of attack?

Jason Glassberg: Any supply chain is potentially vulnerable, unless it's completely air-gapped and undiscoverable from a public-facing web server. However, this is unlikely - it is exceedingly difficult to silo networks and data in such a way that malware can't get through and still be able to manage them easily.

Keep in mind, ransomware infections are initiated in three ways: phishing emails, “drive-by download” attacks via infected websites and network vulnerabilities that allow an unauthorized person to get inside the network or inject into it. Lately, we've been seeing more attacks that utilize the third tactic, which is the hardest to prevent and the most damaging when it occurs, since the attacker can hijack large sections of the network, or the whole network itself, before the company realizes what is happening.


SCMR: Are there greater risks associated with region?

Glassberg: Not especially. Ransomware is a very easy and successful money making operation for cybercriminals. It doesn't matter where the business is located, or even what type of work it is involved in. All that matters for this scheme to work is the company or agency has data that it needs access to. The more important the data, as in the case of supply chain management, the more likely it is to pay a ransom to get it back.

That said, any company that has an operational footprint in Europe or Russia may be somewhat more at risk of infection. I say this because Eastern Europe/Russia is widely considered the birthplace of ransomware, and these scams used to be heavily concentrated in those areas. But these days, ransomware is so widespread that I wouldn't want companies to think they're somehow less at risk if they don't have a footprint in those regions. Everyone is at risk today.

SCMR: Who are the bad actors in all of this activity?

Glassberg: Ransomware originated in Eastern Europe and Russia, but is now spreading all over the world. Within the cybercrime “industry,” there have always been certain groups that specialized in particular areas, such as banking Trojans, credit card theft, etc. However, because ransomware has been so wildly successful, a broad range of cybercriminals are now entering the market - and they're bringing with them new skills and levels of expertise.

What the logistics industry needs to know is that ransomware is becoming a very diverse industry, with both high and low criminals who operate within it. A company may be targeted by a low-level operator with very little technical skill, someone who merely buys an off-the-shelf exploit kit on the black market and spams email addresses hoping for a point of infection, or it may be a highly sophisticated crew that is able to custom design its own ransomware variant and exploit holes in the corporate network to get deep inside the company's systems in order to have the greatest impact.

Over the next few years, ransomware infections may be one of the biggest IT risks for companies across all industry sectors, and the supply chain industry should start prioritizing this threat now.

SCMR: What government agencies are most involved with prevention and enforcement?

Glassberg: The shipping industry will find some level of support from various government entities, such as the FBI, DHS, Department of Transportation and local law enforcement. However, companies should not depend on the government to help them. These agencies will have little to no ability to prevent ransomware groups from targeting companies, nor will they be successful (much of the time) at prosecuting them after the fact. It's difficult for investigators to figure out who is behind a ransomware attack, and in many cases the operators may be outside of the country, creating additional challenges for law enforcement.

The bottom line, unfortunately, is that companies are largely on their own when it comes to ransomware. In fact, FBI officials have even stated publicly that ransomware victims should just pay the fee to get their data back.


SCMR: What are the initial steps supply chain managers should take to mitigate risk?

Glassberg: The key to defending against ransomware is to have a strong layered defense, which is equal parts prevention and damage control.

This is where most companies screw up: they focus too much on prevention. When it comes to ransomware, the reality is, companies should do just the opposite - assume you will be infected and plan your security strategy around that assumption. This might sound counterintuitive, but keep in mind that all it takes is one point of entry, and a ransomware crew can bring your entire organization to its knees - indefinitely.

To put this in perspective, if I did a security audit today on any supply chain company, I would more than likely find several instances of malware infections, as well as unaddressed network vulnerabilities, misconfigured software settings, and publicly discoverable sensitive information. Any one of those weaknesses could be exploited by a hacker to infect the target with ransomware. No company will ever be 100% malware-proof, so if you're betting on a strong perimeter to keep you safe, you'll find yourself in real trouble down the road.

The first step is to assume you will be infected. How would your organization respond? Which data can you not afford to lose?

Start your security planning by determining which data and systems must remain operable and accessible in order for the company to avoid disruption. Then, establish a back-up process so that both data and systems can resume normal operations shortly after a successful attack occurs. This is key.

SC
MR