Finding The Weak Link In The Supply Chain: Cyber Lessons From The Aviation And Marine Industries

September 20, 2017

wpengine

Overview

Global supply chains move millions of tons of cargo and allow products to be delivered at ever-faster speeds. In the digital age, however, these same sprawling networks of suppliers and partners offer hackers multiple entry points to attack systems and strangle international commerce. Even if a business has invested in cyber security, it is still only as secure as its most vulnerable vendor.

A perfect example of this challenge is the marine industry, which is sailing into a perfect cyber storm. The industry, which historically hasn’t been as impacted by cyber breaches as other industries, might look to reprioritize based on recent high-profile attacks.

From airports to banks and energy companies, June’s Petya ransomware attack brought operations down for hours, and for some, days. Global shipping giant Moller-Maersk reported losses upwards of $300 million stemming from IT system disruption preventing the firm from shipping goods for days.

The Petya attack is a reminder that no industry is immune to the threat, and possibly even elevated marine as a lucrative target, especially as the industry relies on a multitude of players – ports, logistics firms, intermodal transport companies – to deliver valuable cargo around the world.

While this might have been the most visible of attacks on the marine industry thus far, aviation as a whole, has been battling this threat for years. The world’s aviation systems are subject to an average of 1,000 attacks each month. In addition to the level of personally identifiable information airlines have access to, recent attacks on air control systems, malware and security breaches across the world underscore the severity of cyber risk facing the aviation industry, which ranked it number one in Aon’s recent Global Risk Management Survey.

While the aviation and marine industries differ in their specific vulnerabilities and cyber security readiness, they have a large exposure in common: a robust network of vendors, suppliers and necessary partners that enable their business. In essence, the supply chain that enables these industries to move the world’s people and goods, is only as strong as the weakest link.

To safeguard global operations, marine companies can look to the cyber experiences of aviation companies, anticipate similar losses, and learn from their efforts to increase cyber security. More broadly, other businesses with complex supply chains can benefit from these lessons and navigate their way through this emerging threat.

In Depth

In August 2016, Delta Airlines saw its ticketing system crash, the victim of a power outage. Thousands of flights were canceled, passengers were stranded and, thanks to a social media storm and bad press coverage, the airline’s reputation was damaged. Beyond that, the outage also resulted in $150 million in losses.

Delta’s experience of cancellations and delays caused by system failure is far from unique. A July 2016 computer outage caused Southwest Airlines to cancel or delay some 2,000 flights, costing the airline up to $82 million. In May, a data center outage forced British Airways to cancel more than 400 flights, an event blamed on an outsourced IT function. On top of these incidents, the aviation industry faces a number of other vulnerabilities.

Exposure of consumer information / rewards programs: British Airways reported a 2015 hack that compromised frequent flyer account information, and Vietnam Airlines suffered a 2016 breach that exposed the personal information of 400,000 members of its frequent flyers club.
Operations / booking: In the connected air transportation network, a seemingly small event can have ripple effects across the network, even internationally.
Air traffic control systems: Disruptions to the hub-and-spoke air transport model has the potential to strand passengers and air cargo.

Cyber Insurance Lessons Learned From Aviation

Given the extent of the disruption caused, it’s no surprise that Aon’s most recent Global Risk Management Survey showed the number one risk for the aviation industry – which includes airlines, airports, air traffic control and general aviation companies, including private aircraft fleets – is cyber crime.

“There’s always the instinct to associate cyber risk with airlines alone, given their high profile,” says Gary Moran, Head of Aviation, Asia at Aon Risk Solutions and Vice Chairman at the Asian Business Aviation Association.

“But, and especially when we consider the far-reaching implications of a breach and threats to supply chains, private jet operators and management companies are impacted,” Tracy Toro, Managing Director, US Practice Leader, Aviation at Aon Risk Solutions, adds.

What can we learn from the aviation industry?

#1: Cyber mitigation: The role of security and insurance
“We’re finding that large private jet operators are approaching cyber from a security perspective rather than insurance. They’re aiming to protect themselves by increasing security measures.” However, by focusing only on security measures, airlines and private / commercial jet operators might be leaving themselves exposed after a breach. Toro explains that cyber preparedness can also mean insurance, especially as it relates to breaches compromising client information.

#2: Policies: Understanding how cyber is covered in the event of a breach
As companies purchase specific insurance policies, they must look closely at the actual coverage and how well it fits their needs. For example, in an event such as the Delta disruption, many standard cyber policies wouldn’t cover business interruption due to system failures. Therefore, it’s important to make sure the policy language addresses anticipated risks.

“An off-the-shelf cyber insurance policy may not address particular industry exposures, so it’s important that companies recognize specific threats and put the right wording in place,” says Andrew Mahony, Regional Director, Financial Services and Professions Group at Aon Risk Solutions.

#3: Supply chain audits: Fully understanding all players
Both airlines and private aviation companies also have a common exposure in their supply chains: An extensive array of service providers to keep their aircraft moving. Each of those – the ground handlers, the companies running airport check-in desks, maintenance companies, caterers and others – represents a potential cyber vulnerability.

“For any airline or commercial aviation operation, cyber risk extends to all of the companies providing services to the aircraft,” says Paul Travers, Claims Executive at Aon Risk Solutions. “A failure in any element of the supply chain – from people to providers – could have a significant impact on the airline or the aircraft operator.”

This dynamic puts air carriers in an unenviable position. “The airlines could have the greatest cyber protection possible, but if something goes wrong in their supply chain, everyone is impacted,” says Moran.

The Growing Threat To Marine Global Supply Chain

A striking example of the mounting cyber threat facing the marine industry happened this June, when the Petya ransomware virus attacked computers around the world, including Maersk’s. The attack debilitated the shipping giant’s IT systems, and it was unable to dock and unload containers at some of its 76 ports. It took a full week to get the company’s systems up and running again, a period for which Maersk ultimately pegged its losses at around $300 million.

Beyond the Maersk incident, other recent events speak to the marine industry’s vulnerabilities. In April 2016, South Korea reported that some 280 vessels were forced to return to port after experiencing problems with their navigation systems. In another case, at the Port of Antwerp, hackers working with a drug-smuggling gang repeatedly breached digital tracking systems to locate containers holding large quantities of drugs. The criminals then dispatched their own drivers to retrieve the containers ahead of the scheduled collection time.

For the marine industry, the cyber threat again raises serious supply chain issues. With over 90 percent of the world’s trade carried on marine vessels, cyber attacks represent an enormous potential threat to international trade capabilities. And with all the intermodal touch points involved in shipping, the risk applies to not only the ships themselves, but to all the others involved in the shipping process – the trucking companies, the fueling suppliers, and dock and warehouse keepers, among others. The impact caused by a major disruption to any of those could be huge.

How Companies Are Responding: Becoming More Proactive

Despite the magnitude of threat, the marine industry’s response has been slower than that of aviation. While executives have been focused on a return to profitability, shipping crews generally aren’t aware of the damage a cyber attack could cause. This potentially leaves a ship’s IT and operations systems open to cyber attack.

“Up until now, there has been little evidence of proactive cyber risk management action in the marine industry,” noted Lee Meyrick, CEO of Global Marine Specialty at Aon. But competitive market conditions might be changing that. “Executives are starting to channel more resources toward the cyber threat, because they realize that disruptions to operations can be accompanied by a damaging PR ordeal,” Meyrick said.

It’s such a competitive industry that if a shipping company is seen as vulnerable to a cyber attack, customers might be likely to seek out the competition.

Addressing The Emerging Cyber Risk

To address the increasing threats, the UN’s specialized agency responsible for regulating shipping, the International Maritime Organization (IMO), has collaborated with industry groups to develop guidelines on maritime cyber risk management – high-level recommendations to combat cyber threats the industry faces. Meanwhile, the U.S. Department of Homeland Security (DHS) and U.S. Coast Guard (USCG) have been working for several years to evaluate and work to mitigate risks to the sector.

Still, to fully understand and work to address their exposures, marine industry companies can follow the lead of those in the aviation business that have combated the cyber threat by:

Continuously monitoring and updating cyber security programs
Adopting a holistic view on their supply chain and vetting their partners and suppliers
Creating a culture of cyber security across the organization
Building cyber security into technology applications from inception rather than as an afterthought
Developing business continuity plans to mitigate the damage of cyber attacks
Tapping available public and private resources and cyber security partnership opportunities
Using cyber insurance policies as needed and ensuring that policy wording matches the nature of the company’s exposure

These actions can help marine and aviation companies get their own houses in order. They also apply equally to any industry, from retail to manufacturing, that relies on a global supply chain. By remaining vigilant and ensuring that partners and suppliers are aware of and prepared for emerging cyber risks, executives will be better positioned to proactively protect against cyber threats and, in the event of a breach, mitigate the fallout from any cyber-related business disruptions.

Talking Points

“The conventional ways by which we’ve protected ourselves in cyber may need to change” – Greg Hyslop, Chief Technology Officer, Boeing

“If hackers access the critical systems of a car or plane, disaster could ensue and our public safety could be compromised. We must ensure that as technologies change, our safety and privacy is maintained” – U.S. Sen. Edward J. Markey (D-Mass.)

“The Maersk case should teach us that to avoid technological transformation is to leave an entire sector close to vulnerability” – Iván Tintoré, President, iContainers