At 04.00 on June 26 last year, Jim Hagemann Snabe, chairman of AP Moller-Maersk, was woken by a phone call from his office. That’s when he learned that the global shipping giant had fallen victim to a cyber-attack. Over the next few hours, the true severity of the incident became clear: a malicious computer program, dubbed “NotPetya”, had infected thousands of computers across the organisation’s worldwide operations, locking users out and encrypting data stored on hard drives.
The real-world impact on Maersk’s business was immediate. A number of port terminals operated by the group’s APM Terminals division were forced to close, and when they reopened, staff had to do their best to manage operations the old-fashioned way: using pens and paper.
Speaking to an audience at the World Economic Forum in Davos earlier this year, Hagemann Snabe described the “heroic efforts” of the company’s IT staff to undo the damage. With no way to unlock the infected computers, Maersk had to rebuild its IT infrastructure almost from scratch, installing 4,000 new servers, 45,000 new PCs and 2,500 applications over the course of ten days.
Maersk was not the only major company affected by that attack; NotPetya also infected systems at FedEx and at DHL’s Express Division and its operations in Ukraine. It struck glass-maker Saint-Gobain along with major players in advertising, pharmaceuticals and consumer goods.
NotPetya arrived hot on the heels of other major cyber-security events. In the weeks before that attack, carmakers including Renault Nissan and Honda were forced to temporarily shut assembly plants after computers on their production lines were infected with another piece of ransomware known as ‘WannaCry’.
These incidents speak volumes about the varied nature of the cyber-threat, and of industry’s current vulnerabilities. It seems most likely that the motivation of the WannaCry attackers was straightforward financial gain; after locking the user’s computer and encrypting its files, the program demanded a ransom (paid in bitcoin) to obtain the necessary decryption keys.
NotPetya, used in the Maersk attack, was a more sinister beast. It initially appeared to be another ransomware attack, and its name comes from its superficial similarity to Petya, an older piece of ransomware. As the attack progressed, however, it soon became clear that the attack’s perpetrators had little interest in money; indeed, they had no way of accessing any ransoms paid, or of generating the necessary keys to unlock damaged systems. Instead, the program seems to have been designed simply to cause disruption.
While its impact was felt worldwide, many of the victims of the attack were companies with operations in Ukraine, and the program is thought to have been introduced through a hacked version of an accounting program that is widely used in the country. That has led analysts to suggest that this was a state-sponsored attack on Ukraine itself, and that other affected organisations were, in the words of Maersk’s Hagemann Snabe, just “collateral damage”.
Then there is the apparent ease with which these malicious programs gained entry and spread through the computer systems of major companies. The WannaCry attack targeted computers using older versions of the Windows operating system, relying on the fact that many organisations have been reluctant to bear the cost and disruption of upgrading their systems, even in operationally critical areas like manufacturing automation systems. NotPetya used versions of hacking tools stolen from the US National Security Agency. And Maersk was far from naïve about cyber-security, being one of the first maritime organisations to publicly announce the appointment of a chief information security officer.
The 2018 Global Risks Report, published by the World Economic Forum and Zurich Insurance Group, suggests the number of cyber-breaches recorded by businesses worldwide has almost doubled over the past five years, from 68 per business in 2012 to 130 in 2017. Furthermore, the annual cost of responding to cyber-attacks rose more than 27% in 2017.
It is also likely that cyber-crime remains significantly under-reported. While big attacks that cripple companies’ operations cannot escape public notice, in many cases attackers hope that their victims will not even realise their systems have been compromised. The perpetrators may want to steal sensitive technical or commercial information, or modify financial systems to redirect payments to illegitimate accounts. And even if they do know a hack has occurred, companies may try to avoid admitting it. News of successful cyber-attacks can send share prices plummeting and customers running.
Sven Dharmani, global supply chain leader for the automotive sector at accounting and consultancy firm EY, says that cyber-security is now very high on the agenda for automotive companies. “It is probably one of the biggest risks they are dealing with. These companies spend so much money on R&D and IP, and on keeping their operations running, so any potential disruption is a massive problem for them.”
And cyber-attacks, he notes, have the potential to cause more damage than almost any other risk. “Cyber-security in the value chain is a bigger issue than even physical supply chain disruption, because it may not just affect a single site – it could bring a whole company to its knees.”
Alongside the huge potential for harm, adds Dharmani, technological change in both products and business processes is creating new opportunities for malevolent activity. “Everything is connected now. The whole supply chain is connected, the vehicles themselves are connected. There is the Internet of Things; we are using smart sensors everywhere, trying to optimise the efficiency of our supply chains and connect more effectively with consumers. There really is no air-gap any more,” he explains.
To manage cyber-threats, he suggests, a critical first step for automotive companies is understanding the true extent of the IT networks that stretch through their extended supply chains. “Best practice requires a comprehensive assessment of what your supply chain looks like and where the entry points are. That’s the way to build an understanding of the threats, and once you do that, you can actually start to remediate those pain points and issues.”
How does the automotive sector measure up against these best practices? Dharmani suggests there is still work to do. “The automotive industry certainly lags behind other sectors in its approach to cyber-security,” he says. “You only have to look at all the investment that has been made in manufacturing technologies, in electrification and mobility, and compare that with the attention that has been paid to security issues.”
Dharmani also points out that it would be a mistake for companies to assume that their smaller suppliers present higher cyber-security risks than large ones. “It’s almost the inverse, in my mind,” he says. “Vulnerability comes from access to the network; getting access to systems and getting access to the data and information that you hold. Larger organisations may actually be more vulnerable because they have more connection points and they may have more than one entry point into the network.”
Outbound cyber-security lags behind
The automotive sector knows that it needs to keep raising its cyber-security efforts, says Andrea Amico, president of vehicle transportation and logistics specialist Jack Cooper, but it is only just beginning to tackle vulnerabilities in the finished vehicle supply chain. “Many automakers have a cyber-security czar, who is often tied to the IT and product development parts of the organisation,” he notes. “They started by thinking about security in the design of the car, and are now moving up into the supply chain to align security practices with select tier one suppliers, for example ECU [engine control unit] manufacturers and firmware vendors.
“But I think we are among the first logistics providers to have meaningful conversations with OEMs about what happens from the moment the car leaves the factory until it reaches the hands of the customer.”
Jack Cooper’s chief information officer, Kirk Hay, says that cyber-security issues have been high on the company’s agenda for a while. “People sometimes talk about cyber-security as a project or an initiative, but that’s not enough,” he says. “It has to become part of the organisation’s DNA. Every presentation I make to the board of directors has a cyber-security element to it, and we discuss the topic on our weekly executive calls.”
When it comes to implementing good security practices, Hay believes that a holistic approach is essential. “It’s important that companies spend a lot of time on the ‘big three’: protection, detection and awareness. Under protection and detection, you are talking about policies, procedures, software tools and services, security partners, that kind of thing,” he says. “But the best defence is really awareness – making sure employees are aware of the risks of things like clicking a link in an email.”
While Amico emphasises the importance of in-house cyber-security expertise, especially as an organisation works to develop a security-aware culture, Hay notes that collaboration with external parties is important too. “We have adopted a hybrid approach, with several different tools and systems that we run ourselves, and the support of specialist consultants,” he says. “Like most companies, we are also moving more processing and more services to the cloud, so it is important that we talk to our service providers about their security posture. I probably talk to them more about that than any other single item.”
As for Jack Cooper’s interaction with automotive OEMs on the topic of cyber-security, Amico says discussions are ongoing to organise “table-top exercises” to simulate a joint response to a potential cyber-attack, and such dry-runs already form part of in-house contingency planning.
Establishing industry standards
Elsewhere, efforts are underway by various trade bodies and industry groups to establish guidelines, standards and support for cyber-security. On the transportation side, the American Trucking Associations (ATA) has just launched a new cyber-crime reporting tool for its members called ‘Fleet CyWatch’. Ross Froat, director of engineering and information technology at the ATA, says that the inspiration for the new offering came directly from the organisation’s members, who wanted to share cyber-security information.
Fleet CyWatch was developed by ATA’s Technology and Maintenance Council and Transportation Security Council, in conjunction with the Federal Bureau of Investigation, to assist fleets in reporting information about trucking-related internet crimes and cyber-attacks, and to provide information to fleets about threats that might affect their operations. Subscribers to the service can use it to report incidents, which are then communicated to the authorities.
The information collected is also shared – anonymously – with intelligence analysis agencies and other subscribers. The programme will also provide information on cyber-security training and education, cyber-threat trends and best-practice development.
Meanwhile, a working group including OEMs such as GM, Ford, Honda North America and FCA, plus cyber-security specialists for the US Department of Defense, has been developing a 30-page document intended to become the basis of a standard for the automotive supply chain. Creation of ‘Automotive Industry Third Party Information Security Requirements’ began one year ago, as OEMs and suppliers recognised the challenge of diverse security requirements developed by different carmakers.
To ensure that the new guidelines are robust and widely transferable, they are closely aligned with existing ISO and Department of Defense cyber-security standards, and the working group also received input from a major US defence contractor with considerable expertise in the field.
Lang Ware, director of supply chain products and services at the Automotive Industry Action Group (AIAG), says that work is “99% complete”. He believes that the speed with which the players involved have been able to reach agreement is testament to the urgency of the cyber-security conversation.