As one of the most critical links in the global supply chain, shipping is often considered the lifeblood of the global economy, which makes a cyber attack against it a potential cause of a massive coronary.
Just recently, the global shipping giant Maersk, struck by this summer's NotPetya malware outbreak, announced a loss of around $300 million and significant business interruption while its systems were shut down. In truth, it could have been a lot worse. The incident did not expose third-party data and it caused no physical destruction.
More importantly for the global economy, the attack did not trigger a large-scale ripple effect across the supply chain.
But it could have. Consider, for example, a cyber attack on an oil tanker that causes it to run aground and spill its cargo while traversing the narrowest point of the Strait of Malacca, a stretch about 1.7 miles wide through which some 15 million barrels of oil pass each day, along with an estimated 25 percent of all global shipping. Such an incident would not only be an environmental catastrophe and a cataclysm for those directly involved; it would also induce cardiac arrest across the global supply chain.
Essentially, the more interconnected we are and the smarter our supply chains, the more efficient we can become and the more market opportunities open up; but, at the same time, the more vulnerable we are to disruption. Lloyd's of London recently estimated that the true cost of a serious cyber attack could exceed $120 billion, comparable to the losses from a category five hurricane. An attack on a cloud service provider designed to trigger system crashes among its customers, Lloyd's estimated, would sweep across industries and the global supply chain, causing all of them to lose income and incur significant expense.
But as the hypothetical shipping cyber attack shows, even that $120 billion aggregate figure may be too low.
Smartphones are another critical link in the supply chain, and they present startling vulnerabilities even as they continue to deliver great efficiencies and opportunities. Smartphones tap into an increasing number of business functions, and they are themselves the product of a vast supply chain. Researchers in Israel, for example, have pointed out that smartphone touchscreens, and similar hardware components such as orientation sensors and wireless charging controllers, are often produced by third-party manufacturers rather than by the phone vendors themselves. A replacement part fitted after a repair can therefore carry a malicious controller that the phone's software trusts without question, giving bad actors an attack vector. The researchers conclude that "attacks by malicious peripherals are feasible, scalable, and invisible to most detection techniques," such that a "well motivated adversary may be fully capable of mounting such attacks in a large scale," in addition to using them against specific targets.
Supply chain attacks are not merely a hypothetical fear, and they can strike anywhere along the chain, from components to end products and from origination to final delivery. In October 2016, bad actors used a botnet of co-opted consumer devices, including set-top boxes, wireless security cameras and reportedly even coffee makers, to execute a massive Distributed Denial of Service (DDoS) attack against a DNS provider used by some of the internet's largest household names. The attack cut off access to those websites and services for the better part of a day, further highlighting the fact that greater connectivity can lead to greater vulnerability.
Similarly, in December 2015, the Russian hacker group Sandworm successfully attacked the Ukrainian power grid, disrupting power to more than 225,000 customers. Fortunately, this attack was less damaging than it could have been. Utility operators were able to restore power within hours by manually re-closing circuit breakers at the affected substations. It is also worth noting that the attackers did not need to bridge any physical gap: they gained their foothold through phishing emails and then used stolen remote-access credentials to reach the control systems. As more utilities move from manual controls to digital controls, even while attempting to isolate industrial control systems from the public internet, cyber bad actors will increasingly find ways around such isolation and cause disruption that affects not only the utility itself but every company and homeowner it serves.
But there is hope.
One mitigation strategy for this pervasive and growing supply chain problem is for each link, on its own, to develop a proactive, holistic, risk-based and well-practiced cyber strategy. Another option, which is picking up momentum, is for regulators to impose cybersecurity preparedness requirements, either directly or by mandating third-party reviews. For example, the New York Department of Financial Services (NY DFS) Cybersecurity Regulation not only requires cybersecurity precautions from its regulated entities; it also requires them to implement written policies and procedures to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, third-party service providers. Similarly, to prepare for the European Union's General Data Protection Regulation (GDPR), which takes effect in May 2018, organizations (including some U.S. companies) are already undertaking comprehensive reviews and audits of third-party contracts and supply chains to ensure compliance.
Still another way to reduce risk across the supply chain is through industry standards that, while voluntary, cost non-compliant organizations business. For example, the Oil Companies International Marine Forum (OCIMF) recently updated its Tanker Management and Self Assessment guide, considered a critical tool for tanker operators in achieving high standards of ship management and safety. The guide now includes cybersecurity requirements for the first time. Tanker operators that fall short of those guidelines risk seeing little business flow their way.
Ultimately, advanced technologies bring real opportunities, but they also bring real risks that must be addressed sooner rather than later, preferably before each new smart element comes online. Hackers, from nation states to common criminals, are recognizing that the global economy has a soft underbelly created by the supply chain's increasing connectivity to the internet. Even an organization that thinks it will never be targeted can be devastated by a cyber attack that hits its supply chain or distribution network. Or its own lax cybersecurity could be the weak link that causes the whole system to break down.
On the other hand, each component that strengthens itself, strengthens the entire body.
Michael Bahar is the leader of the Eversheds Sutherland (US) cybersecurity and privacy team, based in Washington. Trevor Satnick is a data privacy and security consultant at Eversheds Sutherland (US) in New York.