Cybercrime Part Two: Brace For Impact

Jul 28, 2025 | Features

In the second article in our series on cyber-attacks, Jack Carfrae asks how operators can beef up their digital security to ward off hackers. 

(FEATURE FIRST PUBLISHED IN TRANSPORT NEWS AUGUST 2024) 

A direct line into suppliers’ IT systems, a reputation for using old, insecure tech, and a general lack of awareness. Those are the three fundamental reasons why the haulage industry is such an open goal for cyber criminals.

Transport News unpacked them in detail in our previous issue – it’s worth saying this is not pointing the finger at hauliers, this is just the way it is – and it was a scary story.

While there is no guarantee of protection against hackers, there are plenty of ways to bolster digital defences and reduce your chances of becoming a victim.

As always, methods vary according to the size and resource of the business, so we’ve broken them down for hauliers large, small, and everyone in between.

  • THE BIGGER THEY ARE

A common branch of cyber security is known as ethical hacking, which involves simulating exactly what a real hacker would do – without nefarious intent – to highlight the weak spots in an organisation’s IT so they can be plugged.

Penetration testing or offensive security, as it’s also known, is now considered essential to the point that big companies include it as part of their in-house IT and/or security departments.

Some contract out the job to external specialists, but it is not uncommon for PLC-level firms to have an in-house team routinely performing such functions, likely led by a chief information security officer, who would oversee the entire digital security strategy.


A LinkedIn search revealed that Royal Mail, DHL, and Culina Group – the UK’s first, second, and fourth biggest logistics firms according to the 2023 Motor Transport Top 100 – each employ director-level staff with a variation of that job title.

The team is known as a security operations centre (SOC), which is the first of many abbreviations and acronyms to come, and its daily grind typically involves monitoring and reacting to SIEM (security information and event management) software, which combs a company’s systems for anything that looks iffy.

“The software will flag up any event, so if anyone, say, enters their password too many times – that’s low-level stuff – all the way up to what’s called scanning or probing information to try and penetrate things, the software will ping up a notification,” explained Alistair Wesson, director at Mongoose Cyber Security.

“If the finance director has attempted 200 logins, it’ll tell you, and you’ll think, ‘that’s interesting, maybe we’re under attack’. Then, the software might also say, ‘yeah, we’re having a lot of inbound traffic from Beijing’. They’re really quite clever.”

It can also apply the same security criteria to multiple users, so if it recognises that one company is under threat, it can then automatically up the shields for equivalent parts of a fellow user’s system.

“Let’s say Eddie Stobart has IBM software [a major SIEM provider],” he added, “if it notices that these five IP addresses from Russia are firing loads of malicious traffic out, that software will block them automatically for everyone that has it. 

“They call them IOCs – indicators of compromise – and they are tiny, unique identifiers – IP addresses or a type of file. If that software flags it, it’ll send those IOCs out to everyone and block them automatically before they get anywhere.”
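As an added illustration of the two SIEM behaviours Wesson describes (flagging a burst of failed logins for one user, and blocking sources that match shared indicators of compromise), the script below runs that detection logic over a handful of constructed log lines. It is example code, not Mongoose’s or any SIEM vendor’s, and the addresses, user names and thresholds are invented for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample authentication log (not from any real system); format: time user result source-ip
SAMPLE_LOG = """\
2024-08-01T08:59:50 finance.director FAIL 203.0.113.7
2024-08-01T09:00:01 finance.director FAIL 203.0.113.7
2024-08-01T09:00:02 finance.director FAIL 203.0.113.7
2024-08-01T09:00:03 finance.director FAIL 203.0.113.7
2024-08-01T09:00:04 finance.director FAIL 203.0.113.7
2024-08-01T09:00:05 finance.director FAIL 203.0.113.7
2024-08-01T09:01:10 driver.jones FAIL 192.0.2.10
2024-08-01T09:01:30 driver.jones OK 192.0.2.10
2024-08-01T09:02:00 planner.smith OK 198.51.100.4
"""

# Constructed IOC list standing in for the hostile ranges a SIEM vendor would push out to all customers
IOC_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.4/32")]

LINE_RE = re.compile(r"^(\S+) (\S+) (OK|FAIL) (\S+)$")

def parse(log_text):
    """Turn each well-formed line into (timestamp, user, result, source address)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m[1]), m[2], m[3], ip_address(m[4])))
    return events

def brute_force_alerts(events, threshold=5, window=timedelta(minutes=1)):
    """Flag any user whose failed logins inside a sliding `window` reach `threshold`."""
    fails = defaultdict(list)
    alerts = set()
    for ts, user, result, _ in sorted(events):
        if result != "FAIL":
            continue
        fails[user].append(ts)
        fails[user] = [t for t in fails[user] if ts - t <= window]  # drop failures that aged out
        if len(fails[user]) >= threshold:
            alerts.add(user)
    return alerts

def ioc_hits(events):
    """Return every source address that falls inside a known-hostile IOC range."""
    return {str(ip) for _, _, _, ip in events if any(ip in net for net in IOC_NETWORKS)}
```

A real SIEM would raise the alert on the event stream as it arrives and push the block to the firewall; here the two checks just return what they would have flagged.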

  • GREAT AND SMALL

None of the above comes cheap, and any operator beneath the rarefied public limited company atmosphere will, quite rightly, think, ‘I can’t afford that’. The good news is you don’t have to.

While apathy towards cyber security is cybercrime’s greatest enabler, it is reasonable to assume that the scale and sophistication of potential attacks will increase with the size of the business.

That categorically does not mean the very smallest firms can’t and won’t fall victim – quite the reverse – rather that some straightforward security essentials will instantly tighten up a small to medium-sized enterprise’s defences, and they don’t need an in-house team to get there.


“Updates are the number one thing,” Alistair Wesson continued, and cautioned that those who could update their computers with little more than a click, but haven’t, are most at risk.

“I’d be inclined to say a software update is more important than antivirus software,” he said.

“The first thing a penetration test will check for is what version of software you’re running. If [software is] brand new, it’s come out this week, [hackers have] probably not seen it before.

“It takes time to reverse engineer and creating an exploit is a massive faff – it takes weeks or months. But often, the reason updates and patches exist is because of security issues – even on your phone.”

Two-factor or multi-factor authentication is another quick, easy, and free technique. It’s best known for public-facing online accounts (private email address, social media, PayPal etc) but can be applied to all sorts of systems. It is the secondary code that you receive, likely via your phone or email, to prove it’s really you when you attempt to log in. Apps such as Microsoft Authenticator are designed expressly for this purpose and are well worth using.

Passwords: make them at least 16 characters long, include letters, numbers, and symbols (search for “secure online password generator”; there is no end of sites that will do it for you), and don’t use the same one for everything. A password manager (again, just search for one) will store and remember them all.

Off-the-shelf aftermarket security/antivirus software is also worth a look, as Alistair explained: “Use some sort of endpoint security – something ideally a little bit better than your Windows Defender [standard PC security]. Sophos is a very good brand.

“Get the basics done well,” he added, “that makes things a whole lot harder [for hackers]. These things can be bypassed by big hitters – nation states etc – they can intercept them. But your guy in his bedroom is not going to be able to do that.”

  • ALL AND SUNDRY

As stated in the previous issue but it’s worth saying again: a chat with a cyber security specialist is more than worthwhile, irrespective of the size of your business.

If you need convincing, this is what Paul Abbott told Transport News: “What I would say is, if you’re going to spend two grand on a set of tyres for your truck, spend £500 talking to a company that can give you some good advice about cybersecurity. They [hauliers] should have an independent internet cybersecurity audit by a qualified, approved company, specialising in cyber risk management.”


Paul Abbott was director of KNP Logistics/Knights of Old, which was the victim of a ransomware attack in June 2023. The business, which was founded in 1865 and employed 900 people across the group, closed its doors in September that year as a direct result.

Now a consultant, he specialises in cyber security, among other matters, and also recommends specialist cyber insurance, which doesn’t protect against attacks but does provide help if things go wrong.

Transport News contacted the Road Haulage Association and Logistics UK to find out if either trade body offered its members guidance or assistance with cyber security. Neither did, so independent specialists remain the best option.

Though we mentioned it in conjunction with big companies, penetration tests/ethical hacking may prove equally worthwhile for medium-sized firms and again, a good specialist will do it to scale.

Other techniques for businesses of varying sizes include what’s known as conditional access, which prevents those in certain locations from logging onto a system.

“Any user that logs on must comply with a number of conditions, including, but not limited to, coming from a particular IP address or a particular region, or having a specific user name, or running a machine with a particular spec and a particular operating system which requires multi-factor authentication,” explained Richard Payne, support business development manager at Fusion IT Management.

“Access can even be limited to a certain time to guard against login requests at an unusual or abnormal time… in a nutshell, you can specify exactly what a valid user needs to ‘look’ like to get into your system.”

His colleague, client strategy director Jim Houston, said: “Probably a good soundbite for that one is: if you don’t have any users working in Japan, or Germany, or Nigeria, why would you ever let them log onto your systems from there?

“It’ll probably annoy the directors if they’re on holiday and want to check their emails, but you can live with that. Why open the door to such a wide population if you don’t need to?

“The majority of hacking groups these days are from either Russia or China, so if something’s coming from that particular part of the world, it’s probably not friendly.”
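To show what Payne’s “what a valid user needs to look like” amounts to in practice, here is an added example (not Fusion’s product or any vendor’s engine) of a conditional access check: a login attempt is tested against an allowed-country list, a trusted office network that bypasses the geographic check, a permitted operating-system list, an MDM-enrolment requirement, MFA, and a permitted login window, and every failing condition is reported rather than only the first. The policy values, network ranges and user details are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Hypothetical policy; the values are constructed for illustration, not any vendor's defaults
POLICY = {
    "allowed_countries": {"GB", "IE"},
    "trusted_networks": [ip_network("192.0.2.0/24")],  # e.g. the depot's office range
    "allowed_os": {"Windows 11", "iOS 17"},
    "login_hours": ("05:00", "22:00"),                  # permitted local login window
    "require_mfa": True,
    "require_managed_device": True,
}

@dataclass
class LoginAttempt:
    user: str
    source_ip: str
    country: str          # geolocation of the source address
    os: str
    managed_device: bool  # enrolled in the MDM tool
    mfa_passed: bool
    local_time: str       # "HH:MM" at the point of login

def evaluate(attempt, policy=POLICY):
    """Return (allowed, reasons); reasons lists every condition the attempt failed."""
    reasons = []
    ip = ip_address(attempt.source_ip)
    on_trusted_net = any(ip in net for net in policy["trusted_networks"])
    # The geographic test only applies when the login does not come from a trusted office range
    if not on_trusted_net and attempt.country not in policy["allowed_countries"]:
        reasons.append(f"country {attempt.country} not permitted")
    if attempt.os not in policy["allowed_os"]:
        reasons.append(f"operating system {attempt.os!r} not permitted")
    if policy["require_managed_device"] and not attempt.managed_device:
        reasons.append("device not enrolled in MDM")
    if policy["require_mfa"] and not attempt.mfa_passed:
        reasons.append("multi-factor authentication not completed")
    start, end = (time.fromisoformat(s) for s in policy["login_hours"])
    if not (start <= time.fromisoformat(attempt.local_time) <= end):
        reasons.append(f"login at {attempt.local_time} outside permitted hours")
    return (not reasons, reasons)
```

Returning all failed conditions rather than stopping at the first gives the person reviewing a blocked login the full picture, which matters when the block turns out to be a director on holiday rather than an attacker.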

For those issuing employees with phones, tablets, laptops or anything of the sort, mobile device management (MDM) is also worth a look, especially if the devices in question are getting on a bit.

“Some companies run chronically old versions of Android on their devices, but they have an MDM tool, so at least you can protect it,” said Houston, “it’s like a wrapper. Imagine you’ve got an iPhone, and you can only install 10 apps that I let you install, and if you lose it, we can press a button and wipe it.

“That’s something that they [hauliers] should have everywhere, but I reckon not a lot of people do. Your one-man band won’t have it, because if he loses his phone, he’ll buy a new one, but your 20 or 30 truck operators should be starting to think, ‘actually, I could do with this.’”

PLAN B: PREPARING FOR A CYBER ATTACK

Even the most robust of cyber security is not impenetrable, so it’s worth having a backup (literally) plan to understand what a potential attack might do and how your business would get back on its feet in the aftermath, preferably with as little interruption as possible.  

“You’re never going to be 100% protected from a hack, so you need to have a decent disaster recovery or business continuity plan in place,” said Fusion’s Richard Payne, “the key thing about this is having some backups that haven’t been encrypted.

“What some companies have found is that, when they’ve suffered a ransomware attack, they then went to recover their server backups only to discover that they have been encrypted [by the hacker], so it’s also important to have what we call immutable backups that can’t be touched by the cyber criminals.”

Another initiative is a recovery time objective (RTO). This is essentially working out how much time the business would have, if someone hit the kill switch on its IT, before complete disaster ensued, and is used to inform the approach to backups and other security measures.

“If you were to lose everything, can you recover to, say, half an hour ago, or could you suffer that kind of thing for longer?” he said, “where do you need to go back to for your data? It is a skilled practice in defining how much downtime you can afford. In transport… it’s probably if you lost the next day’s worth of deliveries.”

THE HAULIER’S CYBER SECURITY CHECKLIST

The list below, ranked by difficulty, is in no way exhaustive, but it’s a starting point for operators that lack any real cyber security and don’t know where to begin. If any of this is beyond you (and if it is, that’s completely forgivable) then skip straight to point eight, Google up your nearest specialist, and don’t be shy about asking for help.

Easy

  • Ensure all computers and mobile devices have been updated and are running on the latest available software.
  • Passwords should be at least 16 characters long, include letters, numbers, and symbols, and never used for more than one account.
  • Enable two-factor authentication for all accounts.

Harder

  • Educate staff if you can. Phishing emails are the most common entry point for hackers, so tell them what they are and how to spot them (grab a copy of our previous issue for a detailed explanation).
  • Rigorously back up your servers and/or cloud storage systems.
  • Secure Wi-Fi networks.
  • Establish a strong firewall.

Just do it

  • Contact a cyber security specialist.

THE ACRONYMS

IP = unique internet protocol address that identifies a device on the internet or a local network.

MDM = mobile device management.

RTO = recovery time objective.

SIEM = security information and event management.

SOC = security operations centre.

In part three, former Knights of Old director, Paul Abbott, tells Transport News how a ransomware attack in June 2023 led to the closure of the business just three months later.
