The last year has seen the freight industry rocked by significant damage and costs caused by cyber attacks. Just as the air freight business knows no borders, the hackers can strike almost anywhere there is an internet connection.
The attacks rendered the computer systems of leading freight organisations inoperable, demonstrating that no one is immune. “The most recent attack that got Maersk, they had to buy 4,000 servers and 45,000 PCs almost overnight to get up and running.
“So, you see how dangerous this was and for all you know it was done by some bloke in his bedroom,” British International Freight Association (BIFA) director general, Robert Keen, tells Airline Cargo Management.
The cyber attacks last year brought chaos to Maersk’s operations and cost TNT parent company FedEx $300 million because of the computer network disruption they caused.
The different types of malicious software behind these cyber attacks are referred to as ransomware, according to the University of Connecticut’s Information Security Office.
Once ransomware infiltrates a computer or a network it will lock the computers up, stopping any user from using them and demand that a payment is made to unlock the machines.
The payment can be demanded in a crypto-currency such as Bitcoin. However, sometimes computers are not unlocked after payment.
Maersk commented: “We anticipate that Maersk, as well as the wider industry, will also in the future experience more attempted cyber attacks; both indirectly as was the case with the NotPetya and as a direct target.”
NotPetya was one of the ransomwares to strike industry last year.
Accusations by experts and governments about the perpetrators were many, from allegations of hackers and organised crime to the Russian government being blamed, as one attack began in Ukraine and spread across the world.
FedEx’s problem with TNT’s computers began with a Ukrainian tax software product, according to its July 2017 financial filing.
In the filing, the company stated that the “worldwide operations of TNT were significantly affected by the cyber attack known as Petya, which involved the spread of an information technology virus through a Ukrainian tax software product.”
The statement went on to explain that while TNT computers in Ukraine were ‘compromised’ other FedEx company systems elsewhere in the world were not affected.
FedEx also claimed that, despite the attack, “no data breach or data loss to third parties is known to have occurred as of 17 July 2017.”
FedEx founder, chairman and CEO, Frederick W Smith, said in his company’s 1Q18 earnings statement:
“I strongly believe FedEx will emerge from the cyberattack as an even stronger, more resourceful company.
“And I’d like to thank the thousands of FedEx team members who worked tirelessly to remediate the TNT system’s problems and take care of our customers.”
Attacks have not been aimed at freighters, but the business infrastructure that supports that core activity of flying cargo around the globe.
In response to such threats, BIFA advises its members to train their staff, but does not provide training itself. “You tell your staff, ‘if you don’t know who it [the email] is from, delete it’,” Keen explained.
“It really is that simple. There [are] great education programmes, step-by-step, that talk to people about the various [cyber security] issues. We don’t do them, it is up to the [corporate] members to tell their staff.”
This sort of training comes under headings like enterprise risk management and there are wider industry efforts relating to cyber risks.
In its December 2017 cyber security fact sheet, the International Air Transport Association (IATA) states:
“Many airlines and airports have robust systems in place to address common hacking threats, but they haven’t always taken a holistic approach to the IT environment or considered the broader threat to the aviation system.”
IATA puts forward a three pillar strategy for this holistic approach. The pillars are called risk management, advocacy, and reporting and communication.
The risk management is the policy and technical aspects; advocacy is interacting with regulators and supporting the security system developers; and, reporting and communication is about raising general awareness of the challenge and making sure people know they can report anything they encounter.
It is widely advised that airlines implement a comprehensive enterprise risk management strategy with support from senior management to ensure its adoption across an organisation. Insurance is also recommended.
However, the industry does not have a good history of tackling this subject. “We see less investment in air cargo as compared to financial services or the public sector,” says information technology firm Unisys’ vice president and global head for travel and transportation, Dheeraj Kohli.
“Because of this low- security maturity index, Unisys carried out a survey sometime back and the maturity index in air freight is very low for security.”
Kohli explains that, traditionally, air cargo security was focused in two areas. One was, security related to what is inside the container and then the second is the chain of custody as the freight moves, to avoid theft.
However, today, all industries are exposed to the cyber threat. For example, the move into what is called the cloud, where corporate data is held off site in a vast data bank somewhere along with everyone else’s information, creates another vulnerability.
“The cloud aspect that is coming up is emerging. It is related to cyber security. It affects all the industries, the entire cargo supply chain,” Kohli says.
Unisys is launching its product, TrustCheck, which, as Kohli explains, “would identify the scale of the cybersecurity risks in an organisation, in a particular division, or a whole stream, or the entire infrastructure.
Then, it would place a risk score against the cyber risk. There could be 15 to 20 such risks”. By putting a score against each risk, TrustCheck can help the user identify the possible economic cost of a successful attack.
According to IATA, it can take four years to put in place a mature cyber security programme, starting from a general corporate condition from a lack of awareness about the extent of the problem.
The elements of such a programme include people as well as the technical side. As usual, organisational silos where people do not speak to one another is one weakness hackers can exploit. IATA estimates that more than 70 per cent of hacks begin with interaction between staff and the hacker.
Phishing is an activity where the hacker tries to get information from company staff that will help them overcome the security, typically by pretending to be someone they are not.
Facebook’s chief executive, Mark Zuckerberg, has had to testify to the United States Congress over his website’s use by individuals and organisations for unethical or possibly illegal behaviour, and social media is helpful to criminals.
Keen said that hackers could build up profiles of business personnel by looking through social media postings to gather personal details that can help them understand their target.
However, just as easily, a spoof email can be sent to a staff member who releases the malware when they open the email’s contents.
Large businesses may want to invest in sophisticated systems like TrustCheck. Smaller air freight firms may want to follow a different route to securing their systems.
Signum Solutions is the investigations arm of insurance and professional services firm Thomas Miller.
Its investigators are experienced career detectives from the London Metropolitan Police’s criminal investigation department or other specialist squads. One of Signum’s investigators, David Thompson, gives presentations to third parties about security.
Thompson says that the individual that clicks on the spoof email is the weakest link and that staff awareness is important.
Cyber attacks do not need to come from sophisticated ransomware. Companies routinely receive emails or letters from organised crime’s hackers, purporting to be from senior management; or alleged suppliers who supplied nothing; or genuine subcontractors with the claim they have changed their bank details.
The new bank details are the criminals’ and the money will later disappear, transferred through a variety of accounts which are closed soon after. The fake senior management emails often tell purchasing staff to pay a large sum to a fake company.
A more extreme example is where company’s whole websites have been cloned to trick their customers into paying for services they will never get.
“Websites get cloned, but you can spot the differences in the address, they will be a bit inaccurate or the postcode won’t match. And there is never a landline [phone], only a mobile [phone number]. There is not much you can do if your website gets cloned, but you need to tell your customers,” says Keen.
All air freight companies are potential victims to the tactics described above. Ultimately, the individual employee has a role as important as any cyber security team. Not opening strange emails or attachments is the most important way of stopping the malicious ransomware that struck TNT and Maersk.
While those attacks were spectacular in the costs they imposed, the air freight community is no different to any other industry where susceptibility to cyber attacks, hacking and ransomware threats are concerned.