Transport companies and cyber-risk: 3 questions to Trellix, cybersecurity specialist
- What measures against cyberattacks should a logistics and transportation company put in place to protect its customers?
- Faced with the deployment of IOT throughout the supply chain and in the context of an extended ecosystem, how can a logistics and transportation company control cyber risk?
- How do you see the security and sovereignty of data, which is increasingly stored on cloud infrastructures, owned by large American and soon Chinese companies over which the means of control remain weak?
GEODIS interviewed Mo Cashman, one of Trellix’s passionate leaders in cyber security, on his understanding of cyber risk as it applies to logistics and transportation companies, and how they should respond to control it. He also shares his views on data sovereignty and security today.
Trellix is the name of the new global cybersecurity giant resulting from the merger between McAfee Enterprise and FireEye (October 2021).
What measures against cyberattacks should a logistics and transportation company put in place to protect its customers?
The transportation industry faces many of the same commodity threats affecting most digital enterprises. However, because of criticality to infrastructure and economy as well as their cloud-native applications, we see ransomware and attacks against cloud native applications that threaten their resilience.
Recently, the use of Ransomware as a Service has been an effective way to disrupt business operations. The transportation sector was second highest industry targeted by Ransomware in the last quarter (source: Trellix Threat Intelligence).
It is important to understand that ransomware does not start with encryption. Most ransomware threats today are multi-stage attacks. To protect against them most of organizations have the right controls, such as Endpoint Security, EDR, Secure Web Proxies and Email Security in place already. However, they often lack the threat detection and response processes in the SOC to detect the attack in progress or investing in XDR capability to improve detection as well as rehearsing Incident Response processes are critical to ransomware resilience.
Another key attack vector for Transportation companies is cloud-native APIs and applications. Today, more than 80% of all internet traffic belongs to API-based services. Cloud applications (SaaS, PaaS or IaaS) have transformed the way APIs are generally designed, used and exploited by software developers. APIs have evolved to be the backbone of most modern applications we consume today. The reach and popularity of some of these cloud applications, as well as the treasure of critical data they contain, make APIs a lucrative target for threat actors. The connected nature of APIs potentially introduces additional risks to businesses, as they become an entry vector for broader supply chain attacks. In most cases, attacks on APIs go unnoticed because they are generally considered trusted channels and do not benefit from the same level of governance and security controls.
How to react? In this context, gaining visibility into both application usage with the ability to examine consumed APIs should be a priority for organizations, with the aim of eventually having a risk-based inventory of APIs in use and a governance policy to control access to these services, but also into non-user-based entities within the infrastructure, such as service accounts and application principles that integrate APIs into the wider enterprise ecosystem.
For developers, developing an effective threat model for their APIs and implementing a zero-trust access control mechanism should be a priority, as should effective security logging and telemetry for better incident response and detection of malicious use.
A transportation company needs to protect customer data and maintain availability in order to answer customer needs. To do so, better ransomware and cloud security controls are key tools to enhance to level of protection.
Main security attention point to consider when coding:
- Misconfiguration of API’s resulting in unwanted exposure of information
- Exploitation of modern authentication mechanisms such as Oauth/Golden SAML to obtain access to API’s and persist within targeted environments.
- Evolution of traditional malware attacks to use more of the cloud API’s such as the Microsoft Graph API to land and expand we already saw evidence of this in the Solarwinds attack as well as other threat actors such as APT40/ GADOLINIUM.
- Potential misuse of the API’s to launch attack on the enterprise data such as ransomware on cloud storage services like OneDrive etc.
- The usage of API’s for Software defined infrastructure also means potential misuse leading to complete infrastructure takeover or shadow infrastructure being created for malicious purposes.
Faced with the deployment of IOT throughout the supply chain and in the context of an extended ecosystem, how can a logistics and transportation company control cyber risk?
Zero Trust and Cyber Resilience are two security principles that transportation companies should look to adopt as a strategy to manage risk.
The NIST Special Publication defines Zero Trust as an evolving set of cyber security paradigms that moves defense from static, network-based perimeters to focus on users, assets and resources. Zero Trust requires that no implicit trust be granted to assets based solely on their physical or network segment. This is very applicable to IOT devices for example.
Cyber Resilience, on the other hand, is the ability of an organization to continuously adapt security posture, detect and respond to threats quickly to effectively operate through adversarial conditions. Cyber Resilience today requires a zero-trust based security architecture that works together with other assurance practices such as business continuity and information protection to enable a resilient organization. Transportation companies, like manufacturing or healthcare organizations, are considered critical infrastructure to many countries across the globe. Their ability to operate through a cyber-attack targeting operational technology or cloud-hosted services will be critical to both business success and resilience.
As Zero Trust is an architecture principle and strategy, it is more likely a journey to implement. However, here are some good starting points:
Implement Continuous Monitoring across all enterprise systems. Monitoring should not just be log collection and storage, by rather proactive monitoring for potential malicious activity across the enterprise, changes or vulnerabilities in critical system or service posture, and for anomalous user activity.
Gain as much information as possible about the enterprise assets and services. Asset discovery and understanding should extend beyond IT managed systems and end user devices. According to Zero Trust Principles, all data sources and compute services are resources. So, asset discovery and understanding should extend to cloud services, BYOD, contractor-owned OT automation systems, employee and supplier systems accessing enterprise resources and enterprise data.
Eliminate trusted zones and micro-segment resources. A key zero-trust principal is don’t grant access to enterprise resources solely based on location or network segment. This is especially important between workplace and industrial systems but also extends to remote access networks from suppliers or workers, as well as micro-segmentation between critical business and security systems.
How do you see the security and sovereignty of data, which is increasingly stored on cloud infrastructures, owned by large American and soon Chinese companies over which the means of control remain weak?
This is a challenging issue and I believe we need to take a three-step approach.
One, protecting customer data against theft from external threats regardless of cloud infrastructure hosting platforms or ownership is number one priority in my opinion. And this is a shared responsibility between the data owner (transportation company) and the cloud service provider. Transportation companies must ensure that applications built to run on cloud platforms are secure and access is monitored for signs of a breach. Cloud service providers must ensure that the Iaas and Paas components are secure and provide the necessary third-party certifications as proof of appropriate controls.
Secondly, data and application owners must ensure a privacy by design approach to building the applications powering IOT systems. Minimizing data collection to only necessary items, protecting data through encryption and complying with local privacy regulations such as GDPR or Popia will be critical to managing the risk.
Finally, government bodies, cloud providers and industry should work together to ensure a common understanding of digital borders and solutions can accommodate regulatory requirements without jeopardizing data sovereignty or privacy.