Guarding Against Cyber Attacks
By Mariano Nunez
Shipping companies are now so dependent on the secure availability of accurate data to run their businesses that it is essential they learn any lessons they can from recent high-profile cyber attacks. The rise in reports of hacks from overseas, notably China, and the implications they might have for unprepared U.S. maritime businesses are of particular concern.
Recent reports claim that Chinese hackers have been using malware to attack American companies, accessing core business systems and stealing customer, financial and logistical data. One group headed by Stephen Su conspired over a period of four years to hack several U.S. companies with access to military data, including defense contractors Boeing and Lockheed Martin. In a further attack, a Chinese manufacturer stands accused of embedding malware into inventory scanners, which were then sold to eight large logistics companies in order to gather and steal sensitive data from corporate networks.
One important lesson to learn is the pressing need for U.S. businesses - particularly shipping and logistics companies - to significantly strengthen cyber security policies and properly secure business-critical platforms. IT teams face a constant battle to proactively maintain defenses against new cyber attacks in the face of evolving threats. Implications for shipping productivity and business reputation include data compromise, financial losses and regulatory censure.
Unfortunately, many companies and organizations aren’t even aware of the threats because they don’t monitor key systems such as Enterprise Resource Planning (ERP), Supply Chain Management (SCM), or Human Capital Management (HCM) applications and databases, even though these are vaults of business-critical and confidential data.
The “Zombie Zero” Attacks
The recent attacks involving the implanting of malware into logistics pipelines and supply chains – now called the Zombie Zero attacks – highlight the danger of this lack of awareness. Many of the target organizations had ticked off all of the “must have” security measures on every CIO and CISO’s wish list – including antivirus software, firewalls and IDS (intrusion detection system) technology.
However, these precautions were designed to stop external attackers from compromising internal operating systems, whereas the Zombie Zero attack emanated from hardware purchased and deployed inside each business’ own infrastructure. It didn’t attack operating systems but instead went straight for the ERP systems, and in each case it was successful.
Attackers have clearly identified a rich target: the ubiquitous ERP platforms hosting most shipping companies’ critical data and processes. The unfortunate reality is that attackers are now ahead of most organizations because very few have developed mature security protocols to monitor these attacks, nor are ERP systems included in their vulnerability management programs. Additionally, organizations lack the ability to respond to such attacks in a coordinated and comprehensive way.
So why aren’t more businesses monitoring these core systems? The truth is it isn’t a very easy thing to do. Particularly across mature organizations, these business-critical systems have grown organically through individual business units and departments creating and integrating their own systems over time.
This means that truly understanding the scope and interconnectivity of all these systems demands significant overhead and investment of resources. Furthermore, the protocols underlying these systems are often proprietary, meaning traditional IDS technology is unable to distinguish good traffic from malicious traffic.
Additionally, there is the long-held belief that the only relevant security measure for these systems is Segregation of Duties (SoD). This is the process by which each user is given only the rights required to perform their individual function, the aim being that no single user gains sufficient rights to commit acts of fraud.
While this is sensible, it only solves one portion of the security equation. It entirely ignores the possibility that an unauthenticated attacker could abuse vulnerabilities and issue commands and instructions outside of the process controlled by SoD. This would allow the complete takeover of an ERP, SCM or HCM system.
With all these challenges, it is little wonder that shipping companies operating under real-world constraints sometimes struggle to ensure the complete security of their systems. To these organizations I offer the following fundamental advice to kick-start awareness and help with planning protection and continuous monitoring of core business data, applications and systems:
Identify the systems that handle and store core business data: Ensure that every system involved in critical business activity is identified and categorized correctly.
Establish a vulnerability management program for ERP systems: Develop key metrics and report on the level of security and changes in security on a monthly basis.
Begin attack and vulnerability surface mapping: Periodically assess and map the attack or vulnerability surface of critical systems. The frequency of mapping should be in direct relationship to the critical nature of the data the system stores or processes.
Develop real-time situational awareness of the risk level of all core business systems: In order for CFOs to accurately report on risk to the organization, they need to articulate the security posture as it applies to core business systems. They can only do this through the use of vulnerability scanners, traffic monitoring, and real-time user behavior analysis.
Create a security baseline and measure systems: Any deviation by a system below the baseline should be investigated and the cause identified. In addition, security teams should be able to identify how the security of the system was compromised, when it happened, and how long it was in an insecure state.
Sadly, it seems that most modern businesses are now at risk from attacks no matter where or how they are administered, regardless of the markets in which they operate. In the latest Zombie Zero attacks, malware was smuggled into targets via scanner equipment. But next time the Trojan Horse could be a printer, a router, an access point, or some other piece of equipment that most people consider benign.
Traditionally, security professionals have employed a lot of perimeter defensive technology based on the assumption that attacks will likely come from outside their own network. Rather than putting all their effort into trying to stop attacks, firms should focus on ensuring that any attack launched has a low chance of being successful or damaging. They can do this by monitoring and assessing their critical business systems on a continuous basis. Additionally, their response process must be well-informed and timely.
This can be achieved by specifically protecting business-critical ERP systems with an active - and monitored - vulnerability management program and by ensuring traffic to and from these systems is then analyzed to identify any attack traffic. The greatest lesson businesses must learn from these high-profile attacks is to shift thinking and take into account both where the attack will likely come from and what in their environment is open to attack.
Stop attacks when possible. Eliminate the risk of attacks being successful when they do escape attention. And identify the origin of attacks in as short a window as possible to reduce the impact. – MarEx
The author is the founder and CEO of Onapsis, a provider of security solutions for Enterprise Resource Planning (ERP) systems.