Welcome to the third post in our series on protecting your warehouse. In Parts 1 and 2, we addressed Theft and Physical Security. Now, we will dive deep into the world of cybersecurity, including the risks and how to protect your warehouse or 3PL from cyber attacks.
According to Cisco, cybersecurity is the practice of protecting systems, networks, and programs from digital attacks. These attacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes. Before exploring the potential cybersecurity risks your warehouse or 3PL could face and how to prevent them, it’s important to understand how access to systems and data has changed and how that is impacting the distribution industry.
The Grey Area Between IT and OT
Operational technology (OT) and information technology (IT) used to be separate systems. Over the years, however, the two have converged into cyber-physical systems. Traditionally, OT was an ‘air-gapped’ environment, meaning that it was not connected to external networks or digital technologies, while IT was the cyber-accessible data system most at risk for infiltration.
With the influx of automation and software-driven picking tools, many warehouses have been adopting operational tech that is considered ‘smart’ since it is run by software. These include devices such as phones, scanners, robotic machinery, visual displays, and assembly lines. This leaves a company’s operational systems susceptible to being targeted for a cyber-attack.
In an in-depth article, Ortio focuses on the difference between the two technological systems. Here is just a sample:
IT Prioritizes Confidentiality, OT Focuses on Safety
IT primarily involves storage, retrieval, manipulation, and transmission of digital information in which data and confidentiality are a top concern. Strong IT security is crucial for warehouses and 3PLs in order to keep data secure and software bug-free.
In OT, the safety and availability of equipment and processes are the main focus. Physical systems like cold storage rooms, automated packaging machines, and conveyors must maintain stable values, such as temperature, speed, and RPM, all while requiring meticulous system control. Inadequate management of OT systems can lead to extensive financial losses due to temporary halts in operations, and could even result in direct physical harm to an employee as a result of a machinery malfunction.
IT Cyber Threats are More Frequent, OT Incidents are More Destructive
While OT incidents may lead to more destructive operational outcomes for a warehouse or 3PL, IT has more ways in which it can be manipulated and corrupted. Simply put, IT has more touchpoints with the internet and outside influences. These gateways pose higher security risks because each one can potentially be an attack waiting to happen. OT has a lower number of gateways, making it comparatively safer. However, the potential damage from physical equipment compromised in a cyber-physical attack tends to be greater than that of a data breach, like the power system grids attacked by ransomware in the past couple of years.
Types of Cyber Attacks Leading to Data Breaches
Cyber-attacks are tricky and can take on many forms, not just identity theft. Think of them as the scam phone calls you may have received urging you to renew your car’s warranty or claiming that you owe the IRS money (when, in fact, you do not). These kinds of scams gain access in digital form, possibly working in conjunction with a phone call or email. Many types even piggyback off each other to reach a distribution center’s core operating system and steal sensitive data. Here are some general examples of cyber-attacks:
Viruses. Cyber-physical systems can catch a virus from anywhere, but infections usually come from following a malicious software update link, opening a corrupt link received through an email, or simply clicking on a website while working on a company's computer systems. This can lead to data breaches, software supply chain attacks, or a denial of service attack.
Ransomware. If your facility’s computer system gets infiltrated by hackers, they can hold your cyber-physical operating system hostage until you pay them to release it. Growing ransomware attacks represent an especially worrying danger for warehouses and 3PLs. Hackers now will target a vulnerable supplier of a large company rather than the large company itself. Then, if the hack is successful, they will target the large company for a ransom, knowing they have more money and will be motivated to free up their supply chain.
“Ransomware is the crime most organizations need to prepare for and is the most difficult to recover from,” warns Alan Woodward, professor of cybersecurity at the University of Surrey, in a recent Raconteur article. “Businesses have to assume it’s a case of when – not if – it’ll happen and have a business continuity plan that allows the business to continue to operate and to reinstate a trusted version of the systems and network.”
Phishing. Phishing attacks are emails or text messages spoofing an organization or person. The aim is to trick the would-be victim into clicking on a link and entering their bank details or other pertinent company information. These assaults have real-world consequences, including breach of customer or client data, compromised accounts, financial fraud, or even widespread system outage and downtime. Not only can phishing attacks do drastic harm to your warehouse or 3PL, but they can also compromise your client’s business.
Removable Media. Removable media, such as USB drives, CDs, and DVDs, can be infected in a number of different ways. The consequences range from malware attacks on a single computer, to malicious code spreading through a company’s network, to data theft. Totem.tech recommends that autorun be disabled for all removable media on all of an organization’s computers. If necessary, employees can be trained to run any outside programs on trusted removable media manually (by opening the USB’s folder and clicking on the icon).
Remote Access Tools. The scam often begins with someone calling a company, perhaps claiming to be from an important supplier or business partner. The hacker could also pretend to be calling from the company's bank in order to investigate suspicious transactions on that account. Once they gain your trust, the hacker will offer a simple solution: let us access your computer remotely so we can take care of it for you! Once inside a company computer or network, these criminals steal sensitive data while draining any open accounts until there's nothing left but debts. It’s a crime often used to target individuals, but it can offer even bigger payoffs when it targets systems in warehouses or 3PLs.
Why OT/IT Systems are at Risk for Cyber Threats
A 2020 article from Gartner saw the writing on the wall. “Due to their very nature, cyber-physical systems face security threats unlike those affecting enterprise IT systems,” said Katell Thielemann, VP Analyst, Gartner. “They are typically used in operations or mission-critical environments where value is created for organizations, so attackers are increasingly targeting them.”
“Unlike most IT cybersecurity threats, cyber-physical threats are of increasing concern because they could have a wide range of impacts, from mere annoyance to loss of life.”
Katell Thielemann, VP Analyst, Gartner
Due to the nature of cyber-physical systems, any incidents can quickly lead to physical harm to people, destruction of property, or environmental disasters. Gartner analysts predict that incidents will rapidly increase in the coming years due to a lack of focus and spending on security for these assets.
In an article from MHI Solutions about cyber threats with the rise of the digital supply chain, Jeannette McMillian of the National Counterintelligence and Security Center noted, "Risk assessments have also evolved to incorporate the impact of a cyberattack. The prevalence of such attacks can no longer be disregarded, and just hoping that it doesn’t happen to your company isn’t a viable strategy."
Growing ransomware attacks represent an especially worrying danger for warehouses and 3PLs. Even your clients and suppliers are vulnerable. Your distribution facility’s security no longer depends solely on its own resilience. A weak link in a third party’s products or systems may create an entry point into the entire supply chain for cybercriminals.
Craig Moss, a director of the Cyber Readiness Institute and the Digital Supply Chain Institute, said, “Hackers now will target a vulnerable supplier of a large company rather than the large company itself. Then, if the hack is successful, they will target the large company for the ransom, knowing they have more money and will be motivated to free up their supply chain and avoid ‘a business continuity nightmare.’”
Tips to Prevent Warehouse Cybersecurity Threats
- Have your IT/OT security team train staff well and institute company policies on all equipment, systems, and removable media that could be susceptible to attack. This will help prevent phishing, malware, viruses, password attacks, and overall system exploitation.
- Require strong passwords that are changed regularly, along with multifactor authentication, to keep prying eyes out. Password attacks happen more often than you think, so it's best to be prepared.
- Always keep up with timely software updates on business and personal devices that are connected or used for company business. This also includes updating your warehouse management system software on a regular basis.
- Test your system – hire a hacker. Yes, that’s what we said. It may seem scary, but ethical professional hackers or pen testers are skilled professionals available to hack into IT systems to pinpoint their weaknesses for their owners. Then there’s the question of what to do with the results. Once you know your weaknesses, be sure to act! Bizarrely, many companies fail to act even when they’ve been alerted to serious chinks in their armor.
- Hire cyber security solutions experts. If your warehouse or 3PL's IT/OT department does not have the time or ability to manage a cybersecurity threat analysis, consider hiring an expert in cyber security solutions and critical infrastructure to protect your business.
How Secure is Your WMS Software from Cyber Attacks?
When reviewing your current warehouse management system (WMS) software or considering a new provider, be sure to thoroughly investigate their approach to cyber-security. As noted above, hire a hacker if needed. “Regardless of the vendor’s reputation, the product itself might have security gaps,” says Heinrich Smit, deputy chief information security officer at cybersecurity specialists Semperis, in a Raconteur article. “When working with newer companies, be sure that you can view the company’s product controls. Independent code reviews and application vulnerability reports are very helpful as well because they evaluate a product both inside the code as well as in situ from a penetrability perspective.”
Consider this list of areas that can present cybersecurity threats and how to prevent them:
- Scalability requires ongoing development and testing of new processes, increasing cybersecurity risks. Make sure your WMS is flexible enough to properly keep your data secure.
- Expanded e-commerce functionality in your WMS and shipping software, and through third-party services such as sites belonging to big-box retailers and Amazon’s marketplace, may present a risk of cyber attacks.
- Management of inventory and data across multiple sites decreases the physical security of the system, making it easier for someone to breach the system accidentally. Tighten up your cyber security protocols with continual training, strong logins, and unique passwords updated on a regular basis.
- Ease of use is key to preventing issues. When users understand how to use a system, frustration is less likely to occur, which helps prevent errors in judgment, and will help curb potential cyber threats.
- Instituting constructive metrics within the system ensures everyone maintains the proper processes and uses the system correctly, reducing risk along the way.
- Abiding by vendor protocols for upgrades and implementation also presents an additional risk, giving another company access to your information and resources. However, if you are working with a reputable WMS software provider, your risk is minimized.
Risks aren’t limited to warehousing either. Since warehousing and logistics make up a vital intersection of modern supply chain management, cybersecurity threats may exist within the systems of your transportation network or procurement and vendor-selected systems. Evaluate everything that touches your systems and data for protection against advanced persistent threats.
ASC Software works hard to keep your data safe. We use the latest encryption techniques and never forget that you are our top priority! ASC always follows up on security threats with customers to prevent data breaches, including making sure all users have their own unique, legitimate access and teaching them about the password complexity rules available through ASCTrac. This enables warehouse employees to stay productive on both stationary and mobile devices, all while protecting the distribution center from would-be hackers looking for any vulnerability within the operating systems.
Veridian, a project planning and software selection company, offers this advice: “Cybersecurity must be a crucial part of your risk management plan and overarching strategy for your WMS implementation. Make sure your organization considers cybersecurity before, during, and after WMS implementation.” If your partner is working with your data in any way, then they are essentially your data processor.
This means that a simple self-certification in a spreadsheet questionnaire should no longer be acceptable from a potential WMS software provider. Questionnaires are a somewhat outdated way to evaluate a company's cyber security. They do not provide true insight into the state of a provider's IT practices and ability, which is why questionnaires should be used along with other sources, like feedback from employees or third-party audits, when making decisions about suppliers.
You can only really gauge cybersecurity capabilities through conversations during interviews, so always require an onsite interview when renewing or choosing a new WMS provider. It’s important that warehouse and 3PL management take responsibility for preventing cyber-physical system supply chain attacks. Forbes notes that “Executive leadership needs to monitor their organization’s application attack surface, prioritize supply chain risks correlated to applications, and manage and mitigate these risks in real-time.”