Logistics leaders need to assess risk, build up defenses, and remain vigilant as cybersecurity threats intensify. Here’s how to make sure you’re on the right path.
Victoria Kickham started her career as a newspaper reporter in the Boston area before moving into B2B journalism. She has covered manufacturing, distribution and supply chain issues for a variety of publications in the industrial and electronics sectors, and now writes about everything from forklift batteries to omnichannel business trends for DC Velocity.
Logistics industry leaders are sharpening their focus on cybersecurity as supply chains become more connected and digitized—and as threats from cybercriminals intensify in nearly every sector of the economy. Cyberthreats were listed as one of the top three business concerns among 1,200 companies surveyed by global insurance firm Travelers this fall in the leadup to national Cybersecurity Awareness Month, observed each October. The results echoed data from a Gartner survey earlier this year that showed a heightened focus on the topic in supply chain circles: 60% of nearly 500 supply chain organizations surveyed said that by 2025, they will use cybersecurity risk as a “significant determinant” in conducting third-party transactions and business engagements.
The topic is front and center in logistics largely because the supply chain is a prime target for cybercriminals, according to Dan Matney, a senior solutions architect and cybersecurity expert at supply chain consulting and technology firm enVista. Logistics and transportation companies are especially vulnerable because they can’t afford the downtime and delays that an attack or security breach brings, making them susceptible to hackers’ demands in order to get back up and running.
“We’re seeing very standard cybersecurity threats across pretty much all businesses, but the impact to logistics and transportation [is considerable]. That’s why [attackers] try so much harder in this industry,” Matney says, emphasizing the impact of costly disruptions that can have ripple effects throughout the economy.
Manufacturers are prime targets as well, and for similar reasons, explains Kirstin Simonson, cyber lead for global technology at Travelers.
“In many cases, a manufacturer’s systems need to be kept up and running 24/7/365. A cybercriminal could, for instance, use a malware attack to shut down systems to prevent a manufacturer from operating at all and disrupting the larger supply chain,” she says. “The cybercriminal could then request a significant ransom to restore the manufacturer’s operating systems.”
With the stakes so high, experts say it’s more important than ever to shore up your company’s cyber defenses. Here are three ways business leaders can make sure they’re on the right path.
ASSESS YOUR RISKS
The proliferation of technology on the manufacturing floor, in the warehouse, and on the road only exacerbates the risk of a cyberincident, as it creates more access points for cybercriminals to launch their attacks.
“Anything that’s connected to the internet can be hacked, and with the increase in internet-connected sensors, automated machines, industrial internet of things networks, industrial control systems, [and so forth], each of these creates a potential vulnerability or risk factor,” Simonson explains, adding that cybercriminals will leverage known vulnerabilities and look for areas they can compromise using methods such as phishing and malware. Phishing is an attack via email, phone, or text designed to lure people into giving up sensitive data or access to accounts or IT systems; malware is software that is intentionally designed to disrupt a computer, server, or network.
The experts at enVista point to other methods used to attack transportation, logistics, and manufacturing industries: ransomware, which involves encrypting sensitive data and systems and holding them hostage until a ransom is paid; distributed-denial-of-service (DDoS) attacks, which overwhelm a system’s resources, rendering it inaccessible to legitimate users; and man-in-the-middle (MitM) attacks, in which hackers intercept communications between two parties, gaining unauthorized access to sensitive data.
The first step in avoiding any of these attacks is to conduct a cyber-risk assessment, which can be done in partnership with IT vendors, a technology consultant, or an insurance provider. Simonson describes this as a process of identifying the critical points in a company’s network so that managers “know what you have and what you need to protect.” This includes identifying where all those access points are within the organization.
Matney agrees, adding that: “If you don’t have that first step, all the other implementations beyond that are pretty useless.”
It’s also important to conduct a third-party risk assessment, as the Gartner survey points out. This means working with vendors and other business partners to make sure they have adequate cybersecurity measures in place and contractual language outlining standards and how they will be enforced.
Taking that first step is becoming increasingly important: Nearly a quarter of companies in the Travelers survey said their company had suffered a cyberattack, with almost half of those occurring in the past 12 months.
BUILD YOUR DEFENSE
The next step on the cybersecurity journey is making sure you have tools in place to protect against an attack—firewalls, antivirus software, encryption technology, and the like—and that all software and systems are up to date, which can help keep cybercriminals from exploiting IT weaknesses.
Physical security and access control are vital considerations as well.
“Whenever you’re dealing with getting into your building, that’s one layer. But past that front door, think about how [people can gain access] to critical information—the server room or the ability to plug into a port in the wall and [get] on the network, for example,” Matney explains. “Those are things folks don’t think about. Access control and physical security are the basics before we get into different technologies [for detecting and responding to potential threats].”
Simonson agrees, emphasizing the importance of making sure those who need access to secure systems have it—and that those who shouldn’t have access don’t. This means developing identity and access management plans as well as password management protocols. Those steps could include multifactor authentication, which adds a layer of protection for accessing vital systems, platforms, or applications; essentially, the process asks users for a third identification factor—an access code to be entered after a user name and password have been provided, for example—before a user can gain access to the system.
Building a defense can also include the installation of solutions such as endpoint detection and response technology, which monitors the physical devices connected to your company’s network to detect suspicious activity and respond to threats.
Companies should factor all of this work into a comprehensive incident response plan.
“This is no different than if you live in a fire-prone area or hurricane-prone area,” Simonson explains. “You build some kind of business resilience plan for that. [A similar plan] needs to be in place for a cyberevent as well.”
Many companies have a long way to go before they reach these goals, however. The Travelers survey showed that at least 25% of businesses have not taken essential steps, such as installing a firewall or virus protection and implementing data backup and password update protocols. A larger percentage say they don’t use endpoint detection and response (64%), don’t conduct cyberassessments for vendors (57%) or customers’ assets (56%), don’t have an incident response plan (50%), or don’t utilize multifactor authentication for remote access (44%).
EDUCATE, AND DON’T LET UP
Employee awareness is an important part of the defense strategy as well, and the good news is that most professionals say they understand the growing risk of cyberthreats in the workplace: 81% of respondents to the Travelers survey said they feel that having proper cybersecurity controls in place is critical to the well-being of their company, up from 78% last year and 69% in 2018.
Companies should capitalize on that awareness with proper training. For instance, enVista advises companies to regularly educate workers about cyberthreats, phishing scams, and best practices for secure online behavior, Matney says, adding that insufficient training and bad habits are all it takes for an attack to slip through the cracks in your defense system.
“A lot of the attacks [in this industry] are through phishing and bad links that have compromised an entire network,” Matney says. “[A lack of] training and awareness are probably the weakest links.”
Simonson adds that it’s important to get the entire organization involved in the cybersecurity mission—and to continually educate, evaluate, update, and adjust your company’s strategy.
“Everyone has a role to play in a holistic approach to cybersecurity,” she says, adding that cyberattacks will only intensify as companies take a defensive position because criminals will step up their efforts to find ways around those defenses. “This isn’t something you can build a strategy for today, put it on a shelf, and it will magically work for the next five years. Companies need a living approach to cyberhygiene and cyberawareness. Fortunately, there are tools and information out there that can help.”
Supply chain planning (SCP) leaders working on transformation efforts are focused on two major high-impact technology trends, including composite AI and supply chain data governance, according to a study from Gartner, Inc.
"SCP leaders are in the process of developing transformation roadmaps that will prioritize delivering on advanced decision intelligence and automated decision making," Eva Dawkins, Director Analyst in Gartner’s Supply Chain practice, said in a release. "Composite AI, which is the combined application of different AI techniques to improve learning efficiency, will drive the optimization and automation of many planning activities at scale, while supply chain data governance is the foundational key for digital transformation.”
Their pursuit of those roadmaps is often complicated by frequent disruptions and the rapid pace of technological innovation. But Gartner says those leaders can accelerate the realized value of technology investments by facilitating a shift from IT-led to business-led digital leadership, with SCP leaders taking ownership of multidisciplinary teams to advance business operations, channels and products.
“A sound data governance strategy supports advanced technologies, such as composite AI, while also facilitating collaboration throughout the supply chain technology ecosystem,” said Dawkins. “Without attention to data governance, SCP leaders will likely struggle to achieve their expected ROI on key technology investments.”
The British logistics robot vendor Dexory this week said it has raised $80 million in venture funding to support an expansion of its artificial intelligence (AI) powered features, grow its global team, and accelerate the deployment of its autonomous robots.
A “significant focus” continues to be on expanding across the U.S. market, where Dexory is live with customers in seven states and last month opened a U.S. headquarters in Nashville. The Series B will also enhance development and production facilities at its UK headquarters, the firm said.
The “series B” funding round was led by DTCP, with participation from Latitude Ventures, Wave-X and Bootstrap Europe, along with existing investors Atomico, Lakestar, Capnamic, and several angels from the logistics industry. With the close of the round, Dexory has now raised $120 million over the past three years.
Dexory says its product, DexoryView, provides real-time visibility across warehouses of any size through its autonomous mobile robots and AI. The rolling bots use sensor and image data and continuous data collection to perform rapid warehouse scans and create digital twins of warehouse spaces, allowing for optimized performance and future scenario simulations.
Originally announced in September, the move will allow Deutsche Bahn to “fully focus on restructuring the rail infrastructure in Germany and providing climate-friendly passenger and freight transport operations in Germany and Europe,” Werner Gatzer, Chairman of the DB Supervisory Board, said in a release.
For its purchase price, DSV gains an organization with around 72,700 employees at over 1,850 locations. The new owner says it plans to investment around one billion euros in coming years to promote additional growth in German operations. Together, DSV and Schenker will have a combined workforce of approximately 147,000 employees in more than 90 countries, earning pro forma revenue of approximately $43.3 billion (based on 2023 numbers), DSV said.
After removing that unit, Deutsche Bahn retains its core business called the “Systemverbund Bahn,” which includes passenger transport activities in Germany, rail freight activities, operational service units, and railroad infrastructure companies. The DB Group, headquartered in Berlin, employs around 340,000 people.
“We have set clear goals to structurally modernize Deutsche Bahn in the areas of infrastructure, operations and profitability and focus on the core business. The proceeds from the sale will significantly reduce DB’s debt and thus make an important contribution to the financial stability of the DB Group. At the same time, DB Schenker will gain a strong strategic owner in DSV,” Deutsche Bahn CEO Richard Lutz said in a release.
Transportation industry veteran Anne Reinke will become president & CEO of trade group the Intermodal Association of North America (IANA) at the end of the year, stepping into the position from her previous post leading third party logistics (3PL) trade group the Transportation Intermediaries Association (TIA), both organizations said today.
Meanwhile, TIA today announced that insider Christopher Burroughs would fill Reinke’s shoes as president & CEO. Burroughs has been with TIA for 13 years, most recently as its vice president of Government Affairs for the past six years, during which time he oversaw all legislative and regulatory efforts before Congress and the federal agencies.
Before her four years leading TIA, Reinke spent two years as Deputy Assistant Secretary with the U.S. Department of Transportation and 16 years with CSX Corporation.
Serious inland flooding and widespread power outages are likely to sweep across Florida and other Southeast states in coming days with the arrival of Hurricane Helene, which is now predicted to make landfall Thursday evening along Florida’s northwest coast as a major hurricane, according to the National Oceanic and Atmospheric Administration (NOAA).
While the most catastrophic landfall impact is expected in the sparsely-population Big Bend area of Florida, it’s not only sea-front cities that are at risk. Since Helene is an “unusually large storm,” its flooding, rainfall, and high winds won’t be limited only to the Gulf Coast, but are expected to travel hundreds of miles inland, the weather service said. Heavy rainfall is expected to begin in the region even before the storm comes ashore, and the wet conditions will continue to move northward into the southern Appalachians region through Friday, dumping storm total rainfall amounts of up to 18 inches. Specifically, the major flood risk includes the urban areas around Tallahassee, metro Atlanta, and western North Carolina.
In addition to its human toll, the storm could exert serious business impacts, according to the supply chain mapping and monitoring firm Resilinc. Those will be largely triggered by significant flooding, which could halt oil operations, force mandatory evacuations, restrict ports, and disrupt air traffic.
While the storm’s track is currently forecast to miss the critical ports of Miami and New Orleans, it could still hurt operations throughout the Southeast agricultural belt, which produces products like soybeans, cotton, peanuts, corn, and tobacco, according to Everstream Analytics.
That widespread footprint could also hinder supply chain and logistics flows along stretches of interstate highways I-10 and I-75 and on regional rail lines operated by Norfolk Southern and CSX. And Hurricane Helene could also likely impact business operations by unleashing power outages, deep flooding, and wind damage in northern Florida portions of Georgia, Everstream Analytics said.
Before the storm had even touched Florida soil, recovery efforts were already being launched by humanitarian aid group the American Logistics Aid Network (ALAN). In a statement on Wednesday, the group said it is urging residents in the storm's path across the Southeast to heed evacuation notices and safety advisories, and reminding members of the logistics community that their post-storm help could be needed soon. The group will continue to update its Disaster Micro-Site with Hurricane Helene resources and with requests for donated logistics assistance, most of which will start arriving within 24 to 72 hours after the storm’s initial landfall, ALAN said.