TIACA Executive Summit 2016
Cyber Security Panel
Wednesday, May 25, 2016 2:15 pm – 3:30 pm
Cybercrime is a significant threat to global supply chains. Organized criminals are increasingly attacking shippers and logistics companies to misdirect international payments, spy on transport activity targeting physical cargo theft opportunities, and of course there is exposure to acts of terrorism which thankfully have not manifested.Unfortunately, the air cargo segment of the logistics industry is chronically behind the technology curve (and by extension, the security curve) compared to the mainstream consumer, e-tail, B2C sectors. The subject matter experts and panel participants addressed some worrying trends related to cyber-crimes and identified potential solutions.
Subject Matter Experts:
· Moderator: John DeBenedette, Managing Director, Worldwide Information Network (WIN)
· Michael Morey, Director, AdvanceCargo Solutions, Franwell
· Jos Nuijten, Vice President, Network Integration Strategy, Descartes
· Gregory Crabb, Chief Information Security Officer and Digital Solutions Vice President, USPIS
SUBECT MATTER COMMENTS AND GROUP DISCUSSION
John DeBbenedette,chairing the panel, started off the discussion by stating that we are entering a new era for the aircargo supplychain. The new era is going hand-in-hand with new physical screening procedures, whether looking at PLACI or e-Air Waybill, or simply meeting the needs ofcustomers for visibility.
"The old existing advance data for customs, or the new layer that PLACI represents, relies on patterns and theconcept of the known shipper," said DeBenedette.
DeBenedettecited six examples of cyber security breaches involving multinational banks, including where a fake email account was used to reroute large sums of money. He added there was a settlement system to help mitigate those risks.
Michael Morey, Franwell, said industry was up against a wall with the regulatory deadline, and that we now have an opportunity to present some ideas before the deadlinecomes into force.
GregoryCrabb, United States Postal Inspection Service, said several months ago thechief financial officer of the postal service had forwarded emails from someone purporting to be the post master general, saying they needed an immediate wire transfer.
"For many small businesses the chief financial officer probably does all the banking, and they are more susceptible to those types of lures," he said.
Another example of cyber fraud was when the Milwaukee Bucks team had received a request for their tax information.
"We have to realize that email was not designed for security," said Crabb.
"The source and destination can be suspect. It's important for organizations to have a training program that will educate their users to the do's and don’ts - we need safe email hygiene.
"One thing I put together in the USPIS was a 15-minute educationalcampaign that each employee has to have access to. This kind of education is extremely important, if a false message comes to the employee, the employee is required to report that suspicious activity so we can eliminate any messages from a would-be attacker."
He cited that cyber security presented one of the biggest risks to the global financial system. "All of theseadd up to show that companies need to be diligent in their cyber security practice," he said.
DeBenedette said in aircargo, industry is struggling with the level of IT.
"However, email is not the best way to do business, but the truth is it is the de facto way that business is done," he said.
"In terms of security, using email is like matches, and not havinge the best practice in place is the gasoline. All of the PLACI programs in the world are not going to have the desired effect if attackers can assume the identity of known shippers."
DeBenedette said companies considering moving off of email should look at encryption, as this helped businesses protect sensitive information.
Jos Nuijten, Descartes, said when we look at security, industry needs to take stock of what assets you have.
"If you are running a Microsoft environment, make sure you use the latest infrastructure that is available," he said.
"Our network is File Transfer Protocol (FTP), many more protocols are much better that have encryption standards. But you need to make sure things stay up to date."
DeBenedette said he had made the choice to go with the biggest and most reputable cloud service providers.
"Google and Amazon have thousands of engineers, Microsoft has a cloud based service," he said.
"Going with big players, that takes off the burden from that one IT guy. The vulnerability to this kind of hacking comes in viruses attached to little emails. I believe that in this day and age it is crazy to try and do this yourself.
"Before I used Googlemail, I used to have to spend time and money worrying about viruses. I haven't yet run into issues that bigger companies might face, and maybe those are the hurdles I will face in the future. But moving my email up to Google helped the problem go away. It may be that this opens the door to new problems."
DeBenedette said steps we can all take were having security best practices, finding out what that means, and making it a priority from the top down.
Michael Morey, Franwell, said in regards to advance data, the supplier is the one who needs to gather and hand over information to the regulators.
"So you introduce a risk there with each hand off of this information being poached," he said.
"What we are proposing is like a license plate related to one specific RFID Electronic Product Code (EPC).
"As that data moves on to the next part of the chain, it goes back to that license plate.
"It's not a method of introducing cyber security, but making it more difficult to trap information in the hand off."
He added the postal service had their own methods of creating consignments, relying on carriers to tell them where the consignment or mail is.
DeBenedette saidcyber-crime had been used in one instance by pirates who boarded a container ship and stole high value goods.
"Email is the primary means that most small businesses use, but I think e-Air Waybill is part of the answer."
Nuijten said he was not sure if e-freight was the solution to cyber security, although the two were related.
"One thing you don't want is people hacking into your environment and rerouting your shipment. Why would you steal things if you can just have it delivered to your door. We are seeing cyber security becoming more and more important."
DeBenedette said the priority should be information security an hardening systems, and that moving to the cloud was the best way forward.
"We can draw the conclusion that moving to electronic transactions is better and likewise moving away from emails is good."