Security experts had long warned the transportation industry was a major target for cyberattacks — then, a bombshell malware incident levied against international ocean shipper A.P. Moller Maersk publicly laid bare what was at stake.
Several months after the so-called NotPetya cyberattack hobbled Maersk’s worldwide fleet-management IT systems last year, details about the magnitude of the attack and the collateral damage began to unfold.
Maersk Chairman Jim Hagemann Snabe, for example, revealed during the World Economic Forum that took place earlier this year that the ransomware attack cost the company $250 million to $300 million. It also required the replacement of 4,000 servers, 45,000 computers and 2,500 applications over the course of the 10 days Maersk’s shipping information network was held hostage to the ransomware attack.
Of course, the IT infrastructures of fleets and motor carriers in the United States do not represent an apples-to-apples comparison to those of Maersk. However, the IT networks underpinning transportation companies share several similarities with those of the shipping conglomerate, including the underlying logistics and supply chain management systems. While it’s difficult to gauge the effect of the Maersk attack on the collective mindset of the trucking industry, the incident likely served as a wake-up call for many motor carriers.
“I know that we have always considered ransomware a threat,” said Robert Loya, director of operations at CMI Transportation. “But I certainly think it is possible that other carriers maybe hadn’t considered it as much of a real menace than they previously did.”
And, it also is likely many privately held carriers already have experienced firsthand a ransomware attack but have not shared the incident publicly, said Ron Godine, a vice president at TMW Systems.
“Firms might not disclose an attack until they are really in severe trouble or they cannot handle it — and then they’re asking for help,” Godine said. “Or they’re able to take care of it internally themselves by destroying the evidence and then recovering from backups that they might have in place.”
Indeed, carriers generally did not wish to discuss ransomware and its risks on the record for this article in consideration of, among other things, the negative attention of being associated with victims of attacks. One representative from a carrier, for example, described how it was “an awful feeling knowing you risk losing millions of dollars a day” in the aftermath of a ransomware attack, but wished to remain unnamed.
NotPetya, a modified variant of the Petya ransomware attack, is but one of many strains of malware that are in active circulation at this time. Ransomware variants targeting other industries include WannaCry and SpriteCoin, which is distributed as a cryptocurrency.
The modus operandi of cyber extortionists who orchestrate ransomware attacks is straightforward. As the recently revealed details about the arrest of the Ukrainian perpetrator who was responsible for spreading Petya show, ransomware is easily obtained and downloaded on forums for a relatively nominal fee. All it then takes is for one employee from a company to unwittingly click on a link in a phishing e-mail for the malware to begin infiltrating the network. The perpetrator eventually locks out access to a firm’s data or even the use of all computers and servers connected to the network while demanding a ransom to decrypt the systems.
Protection and preparation for ransomware attacks require investments in IT security, which may prove challenging for smaller carriers. Boyd Brothers Transportation Inc., for example, a carrier with revenue of $200 million, has more means to protect itself against ransomware and other kinds of cyberattacks than a mom-and-pop firm with only five trucks might have.
“The smaller guys have a much bigger exposure to risk than the bigger companies do,” said Chris Cooper, president of Boyd Brothers Transportation, which is part of flatbed firm Daseke Inc. “While the larger firms have more to lose if you monetize it, the smaller guys risk losing their entire business.”
Overseas attackers, who are relatively difficult to track down and prosecute from the United States and who have little to lose and much to gain, often cast a wide net when seeking ransomware targets. “If the attacker can evoke an attack on thousands of companies per day, then they are usually not selective of the companies they target, and are only concerned the company has operational software solutions that can be affected,” said Ben Barnes, chief information security officer for McLeod Software. “Transportation operations have become extremely dependent on software solutions, and by default, are as valuable a target.”
The biggest risk in IT security largely remains the inside threat. Employee education is thus critical, while cybersecurity training should be part of new hires’ onboarding process.
“Carriers have good training procedures for drivers and everybody that touches the equipment,” said Mark Zachos, president of DG Technologies. “So, they should offer something very similar for ransomware and cybersecurity protection training.”
Before Boyd Brothers Transportation revamped its security policies and educational processes, more than 35% of its vice president- and director-level executives clicked on a fake phishing e-mail link. The e-mail was designed to look as though it had originated from a legitimate transportation-related website, as a real phishing e-mail would. Upon completion of a companywide training program, the percentage of users tricked into responding to the fake phishing e-mails dropped to below 1%, Cooper said.
“The numbers were astonishing,” Cooper said. “It was incredible to see how easy it is to click onto what you might think is a benign e-mail before receiving the proper training.”
In addition to employee education, truck carriers need to ensure their IT departments are following standard industry IT security practices. These include documenting applications and systems, closely managing systems access, backing up data, installing effective network firewalls and virus security software, consistently installing patches and updates, creating a recovery plan in the event of an attack, and actively monitoring the network, said McLeod Software’s Barnes.
Truck carriers also have access to industry groups that can support their ransomware protection practices. American Trucking Associations’ recently created Fleet CyWatch, for example, offers support against cyberattacks, with ransomware prevention receiving much attention. Among other things, Fleet CyWatch members receive information about cyber incidents by e-mail, while all details of targeted companies remain anonymous, except for membership status, vocation and industry descriptions relating to the victim company, said DG Technologies’ Zachos, who also is a Fleet CyWatch steering committee member.
In preparation for a possible attack, for example, Fleet CyWatch members learn how to follow procedures and to gain access to their data in order to get their systems up and running again. They also know whom to call, such as the FBI, so the authorities can take the appropriate action.
“We try to encourage a wide exchange of information. The beauty of Fleet CyWatch’s affiliation with ATA is that it’s spread among all ATA affiliate associations and reaches many smaller carriers,” said Ross Froat, director of engineering and IT with ATA. “If you don’t have a clue about cybersecurity and you subscribe to Fleet CyWatch and follow its recommendations, you can learn directly about the policies and best practices your firm should follow.”
Putting policies and best practices in place can thus go a long way toward ransomware attack readiness.
“Quite frankly, if you spend time and resources into putting the necessary backups into place, ransomware attacks do not have to cost millions of dollars,” said Cooper of Boyd Brothers. “But if you do not and your system is down for more than a week, then your company is at threat of going out of business.”