It’s not just temporary gridlock; supply chain issues are expected to persist through 2023, further jeopardizing crucial infrastructure and making it a prime target for a cyberattack.
The supply chain and transportation industries are already behind when it comes to securing their systems, and resources are spread thin dealing with mounting pandemic-induced backups. With 93% of firms globally admitting they have suffered a direct cybersecurity breach because of weaknesses in their supply chains and the average number of breaches increasing 37% year-over-year, the threat for cyberattacks across the entire supply chain sector will only continue to grow in 2022.
The U.S. supply chain is at a cybersecurity tipping point. It will require federal and state action and individualized business responses to safeguard the critical infrastructure underlying nationwide operations.
How did we get here?
Threats to the transportation and supply chain industries have been mounting. A combination of pandemic-related challenges, a lack of managerial oversight, and improved hacking methods make these industries more vulnerable than ever to cyberattacks.
Although supply chain challenges did not begin with the pandemic, COVID-19 deepened issues that now occupy all of a transportation manager’s attention, and efforts to combat potential cybersecurity threats have taken a backseat. The speed of the U.S. “just-in-time” supply chain also creates more breakdowns, yet a historically high labor shortage across the U.S. trucking and warehouse sectors means there are fewer workers to fix them. And with companies digitizing more supply chain processes to keep up with the increasing pace of the movement of goods, each digital link provides another entry point for hackers to take down an entire system.
These vulnerabilities have only emboldened hackers to target New York City’s Metropolitan Transportation Authority, the Steamship Authority of Massachusetts ferry service, and the Port of Houston, among other institutions, in the last year alone. Since older industries based in rural states, such as rail and oil and gas, lack the tools to combat cyberattacks, they will be the first casualties. Without resources from the rural states, metropolitan areas will equally fall apart.
Meanwhile, hacking strategies are becoming more complex. On the whole, hackers are more quickly capitalizing on common vulnerabilities and exposures (CVEs) and creating more sophisticated cyberattacks that occur quicker than most companies can even detect ransomware. Hackers will often target less secured but no less crucial processes adjacent to physical operations for supply chain companies.
In the Colonial Pipeline cyberattack, hackers targeted the billing system, leading to a breakdown of pipeline operations. Despite a lack of physical damage, the hack still severely affected southern states, with some reporting 71% of their filling stations ran out of fuel. The attack was perpetrated through credentials stuffing, which uses leaked passwords from a previous hack to infiltrate other protected systems. This practice is only growing more common as cyberattacks proliferate.
Today, a lack of oversight and advanced hacking methods combine to create a lethal threat to U.S. transportation and supply chain networks.
What are the political roadblocks to supply chain cybersecurity?
Political parties’ lack of cybersecurity awareness and a disjointed approach to data privacy leave the U.S. vulnerable to devastating cyberattacks.
China, and the entire continent of Europe, are guided mainly by-laws that require their industries report breaches and cybersecurity issues to their respective federal governments. In contrast, America has a cacophony of voices shaping data privacy protections, which has created fragmented policy. While states like California, New York, and Virginia have some variation of data privacy laws in place, none are backed by the federal government. The lack of a cohesive response framework makes critical infrastructure a prime target.
What can the government do to address this threat?
While the U.S. government has already put some protective measures in place, it needs to develop a defense-in-depth strategy that installs knowledgeable cybersecurity voices for guidance at all levels of government while proposing and implementing laws to emulate top counterparts in Europe and China.
Some of the most recent action on this front has come in the form of TSA directives requiring passenger and high-risk freight rail companies to report cybersecurity attacks within 24 hours to the Cybersecurity and Infrastructure Security Agency (CISA). The directive also required these groups to complete network vulnerability tests and develop cybersecurity incident response plans based on any issues discovered.
In addition, January 2022 saw the passage of the Supply Chain Security Training Act in the Senate, which requires federal employees within the General Services Administration to obtain training to identify vulnerabilities in the new software they are purchasing. Also headed to the House is the State and Local Government Cybersecurity Act, which permits the federal government to conduct cybersecurity exercises with state and local entities and provide them access to tools such as information sharing and vulnerability disclosure programs.
While these measures broadly tackle cybersecurity, securing the supply chain at the federal level will require creating a unified national network through which breaches are communicated, intel is shared, and government resources are used to combat threats in collaboration with private enterprises. The U.S. could also stage proactive nationwide protection exercises such as simulating large-scale attacks on the supply chain to determine vulnerabilities (the E.U. conducted a similar test earlier this year).
While the government continues to step up its supply chain cybersecurity response, individual businesses can also take immediate precautions.
What can businesses do right now?
For supply chain and transportation companies, the most crucial cybersecurity actions they can take are identifying critical assets, testing for vulnerabilities, and creating response plans.
First, an organization should determine which assets are most essential for its continued operation and understand the potential consequences if those were to be compromised. Then, it should designate key managers responsible for the cybersecurity of each of those assets and ensure proper chains of communication are in place should these managers need to jump into action.
Arguably the most important step is limiting potential outside interference with Industrial Control Systems (ICS), which could include validating these systems are protected from the internet and limiting remote access. Finally, companies can use a combination of penetration tests, organization-wide security drills, and consultation with third-party cybersecurity experts to identify less obvious vulnerabilities that could nonetheless become equally as problematic.
For a deeper understanding of how to perform a baseline cybersecurity assessment, managers can reference NIST’s Guide to Industrial Control Systems or use the DHS’ Cyber Security Evaluation Tool (CSET) to determine their organization’s operational resilience.
The future of supply chain cybersecurity
As the U.S. supply chain continues to face daunting backups, malicious actors are waiting in the wings to attack with more sophisticated cybersecurity threats. The time for cybersecurity action is here and now, and the government and individual businesses both need to act.
While cybersecurity threats to the U.S. transportation system and supply chain have never been greater, proper regulation and decisive individual prevention measures will ensure vital infrastructure is safe as the nation creates an even more dynamic and responsive supply chain.
The blog was originally published in SDCEXEC. You can read it here.