Fleets in the Crosshairs of Cyber Criminals

Every day truck fleets carry valuable goods. Dr. Michael Müller, CEO of Magility GmbH, explains why logistics service providers and networked fleets are particularly in the crosshairs of cyber criminals.

Cyber security must become an elementary component of a company's management system. Photo: Fotolia - Redpixel / Shutter81

Modern logistics service providers cannot avoid cyber security. Photo: Fotolia – Redpixel / Shutter81

Dr. Müller, you warn that the networking of trucks or entire logistics chains, for example, also opens up areas of attack for cyber attacks. How great is this threat in your opinion?

Müller: So-called end-to-end solutions such as networked logistics chains offer a large surface area for cyber attacks. The threat grows continuously with the increasing number of networked commercial vehicles. Fleets of vehicles with time-critical or perishable cargoes are a preferred target for criminal organisations.

Are hackers interested in logistics targets at all?

Müller: As the WannaCry malware program showed in 2017, logistics chains are also attractive targets for forcing process owners to pay a ransom – a certain amount in a crypto currency. This cyber attack affected several globally active companies such as the logistics companies FedEx and Schenker. In total, targets in more than a hundred countries were successfully attacked; around 450 computers were infected at Deutsche Bahn alone. In China, customers could only pay in cash at more than 20,000 gas stations. Attacks such as WannaCry could continue to take place against commercial vehicle fleets in the future if complex technical and organisational security measures are not implemented.

But can’t money be made faster and less complicated in other ways – for example by stealing payment data?

Müller: An attacker always selects the niche within which he can most effortlessly penetrate an end-to-end system. It makes no difference whether the attack takes place via the commercial vehicle, the logistics backend or via a mobile application on the smartphone. Which data is then stolen or manipulated depends on the specific target of the hacker’s attack.

Are the communication standards used in industry today sufficiently secure? Where is more to be added?

Müller: There is basically no 100 percent cyber-security, because hardware and software will always be a bit faulty. These gaps are used by hackers to penetrate systems.
The Federal Office for Information Security (BSI) has published so-called IT-Basic-Protection-Catalogs concerning the numerous and different protocols and communication standards. We strongly recommend the application and implementation of these BSI recommendations.

Dr. Michael Müller is Managing Director of Magility GmbH. Photo: Magility

Do you advise fleet managers and logistics service providers against networking at all, or at least to limit such ambitions in view of the risks?

Müller: Logistics must continue to be performed efficiently and effectively internationally in the future; the use of IT is indispensable for this. However, in addition to functional security, the issues of cyber security and privacy must also be included from the outset. Every logistics company should introduce a Cyber-Security-Management System (CSMS), with which it can consistently control the Cyber-Security technologies used, the processes, the organization and the qualification of its employees. Magility advises customers in the implementation and design of CSMS.

Who is responsible? Does every company have to take care of itself or are there cross-cutting approaches?

Müller: First of all, of course, a company is directly responsible for all internal cyber security activities. However, the entire value chain of hardware and software as well as the interfaces to the customer systems must also be secured. This requires a holistic approach that must be carefully designed and constantly developed. To this end, risk analyses and penetration tests must be carried out time and again. The current risk situation must also be observed. The already mentioned BSI and the Alliance for Cyber Security provide valuable information on this.

How do logistics service providers best position themselves for the topic of cyber security specifically?

Müller: Cyber security must become an elementary component of a company’s management system. To this end, management must define clear targets for a Cyber Security Management System (CSMS). The first step is to define a clear organizational and procedural landscape. In a second step, a risk assessment for the end-to-end solution along the entire value chain must be carried out. In a third step, a cyber security programme with clear responsibilities and sufficient budgets must be established to quickly contain the identified cyber risks. As a fourth step, the company’s employees must be qualified in cyber security, and the topic must be included in regular communication. In the fifth step, the implementation of cyber-security measures must be implemented successively, consistently and even against resistance. Effectiveness monitoring must be installed at regular intervals to check and monitor the implementation of the agreed measures.

Dr. Michael Müller

Dr. Michael Müller studied at the Technical University of Vienna and the University of the Federal Armed Forces in Munich. The proven cyber security expert is Managing Director of Magility GmbH and President EMEA of Argus Cyber Security Ltd. Magility provides operational consulting and support for the implementation of customer-specific CSMS. DEKRA Certification certifies the cyber-security organization and processes according to current legal requirements and guidelines.
