The Day a Cyber Attack Brings the World’s Supply Chains to a Halt

“FedEx and UPS have ground to a complete standstill today due to what they say is a virus in their logistics shipping software…blaming the hacking group Anonymous after they declared their intention to punish shipping companies for halting shipments of flu vaccines into China. Representatives of Anonymous deny the attack, saying they only initiated denial-of-service…projecting millions of dollars of lost revenue for this holiday season, driving the economy further into recession.”

So reads a section from CyberStorm, a book by Matthew Mather about “what a full scale cyber attack against present-day New York City might look like from the perspective of one family trying to survive it.” Later in the book, as it’s clear that the United States is under attack, the author writes, “the virus that had shut down FedEx and UPS had moved on to infect the software of almost every other commercial shipping company, and was starting to grind the world’s supply chain to a halt.”

Could this fictional scenario come true someday?

On August 8th, a few days after I started reading this book, Delta Airlines sent out the following alert: “Delta has experienced a computer outage that has affected flights scheduled for this morning.” By mid-afternoon, the airline had operated 2,340 flights, less than half of its daily average of about 6,000. As reported by Wired in an article titled “How a Computer Outage Can Take Down a Whole Airline”:

If you’re starting to think this kind of thing happens a lot, you’re right. In July, the failure of a single data center router forced Southwest to cancel 2,300 flights across four days, costing the airline well over $10 million. CEO Gary Kelly told The Dallas Morning News the router only partially failed, so it didn’t trigger the backup systems. In May, JetBlue had to check in customers by hand when its computer system went down. American Airlines blamed connectivity issues when it had to suspend flights last September. A year ago, United blamed a glitch for 800 flight delays.

And it happened again this week, this time to British Airways. “British Airways said its flights were gradually returning to normal on Tuesday after a still-unexplained computer problem [emphasis mine] disabled the airline’s self-service check-in kiosks for several hours at a number of international airports, causing significant delays,” reported the New York Times.

Cyber risk and security are getting more attention from the ocean shipping community too. In February 2016, BIMCO and other leading shipping organisations launched a set of guidelines “to help the global shipping industry prevent major safety, environmental and commercial issues that could result from a cyber incident onboard a ship.” Here’s an excerpt from the introduction:

As technology continues to develop, information technology (IT) and operational technology (OT) onboard ships are increasingly being networked together – and more frequently connected to the worldwide web.

This brings the greater risk of unauthorised access or malicious attacks to ships’ systems and networks. Risks may also occur from personnel having access to the systems onboard, for example by introducing malware via removable media.

Relevant personnel should have training in identifying the typical modus operandi of cyber attacks.

The safety, environmental and commercial consequences of not being prepared for a cyber incident may be significant.

And in June 2016, the International Maritime Organization issued its own guidelines on maritime cyber risk management after “having considered the urgent need to raise awareness on cyber risk threats and vulnerabilities.”

There have already been incidents of hackers accessing port systems. In 2013, for example, drug traffickers recruited hackers to breach the IT systems at the port of Antwerp. As reported by the BBC:

Prosecutors say a Dutch-based trafficking group hid cocaine and heroin among legitimate cargoes, including timber and bananas shipped in containers from South America.

The organised crime group allegedly used hackers based in Belgium to infiltrate computer networks in at least two companies operating in the port of Antwerp.

The breach allowed hackers to access secure data giving them the location and security details of containers, meaning the traffickers could send in lorry drivers to steal the cargo before the legitimate owner arrived.

I first wrote about the cyber threat to supply chains two years ago in “The Hackers Inside Your Supply Chain.” The threat has only intensified since then, and as our supply chain networks and processes become more dependent on software, GPS, and other technologies (see “The Internet of Things”), the risk of a cyber attack on supply chains will only continue to grow. I’ll just repeat what I said two years ago:

As I’ve written many times before, when it comes to supply chain risk management, many companies are falling short. The sooner companies embed supply chain risk management within their corporate DNA, the sooner they’ll be able to adequately address this growing threat of cyber-terrorism. Mitigating the threat will also require greater collaboration between the IT and supply chain functions, not only within companies, but across all stakeholders in global supply chains. As the examples above illustrate, criminals and terrorists are already on the offensive — and their actions will only intensify in the months and years ahead.

“The Day a Cyber Attack Brings the World’s Supply Chains to a Halt” is a fictional title today, but it may be the headline in tomorrow’s Wall Street Journal.