Something was very wrong at Forward Air on December 15, 2020. The company’s website was completely down. No one answered the customer service lines. Customers were waiting — and waiting — and waiting — for scheduled arrivals. And with all systems down, those customers had no way to get any information or track their packages. This incident shows the importance of cybersecurity in the response to this attack.
Forward Air, a ground and air carrier company headquartered in Greenville, Tennessee, was relatively open about communicating the event, first with an official statement referring to a “security incident.” When Forward Air updated the statement with three key words, “called law enforcement,” the trucking and logistics industry quickly jumped to the accurate conclusion that Forward Air was the victim of an attack, likely ransomware.
Hades Ransomware Attack Cost $7.5 Million
Over the past few weeks, the full picture of what happened has started to emerge. It highlights the importance of cybersecurity through interviews and the documents Forward Air has filed with the Security and Exchange Commission.
In brief, the Hades malware gang, which was formed about a week before this attack with the goal of targeting enterprises, attacked them with ransomware.
Initially, Forward Air’s Chairman and CEO Thomas Schmitt reported that the company would be down for two weeks. Surprisingly, Forward Air was back up and running at full speed within two days — a feat Schmitt attributes to the company’s expert team and preparedness. But even with a relatively best-case response, the publicly-traded company reported the ransomware attack cost them $7.5 million in Q4 2020.
The company didn’t release details of the actual sequence of events, which is best practice after such an attack. So, I decided to find out how Forward Air’s reaction to the attack helped or hindered their recovery. What role did security awareness training play in their response? What can other shipping and logistics companies learn from the attack? And, how can the industry protect itself to prevent similar (or worse) attacks in the future?
Why Shipping and Logistics Companies Are Lucrative Targets
My first question was: Why target a shipping and logistics company? I understood why health care organizations are vulnerable — private patient information is valuable and protected by law. Trust between providers and patients is at the core of that work, meaning health care organizations are likely to pay to get patient data back. But at first glance, although I know the importance of cybersecurity in all industries, the seemingly targeted attacks puzzled me. Other companies in the industry have also recently been attacked.
Shipping companies exchange money in much larger amounts than other industries of similar sizes, making them higher-value targets. Or as Mark Murrell, co-owner of online truck driver training provider CarriersEdge, told Specialty Freight Services in a November 2020 article — a high dollar business.
“That means companies have relatively large amounts of cash or credit available, and they’re used to paying pretty big bills,” says Murrell. “If you successfully execute a ransomware attack, you can extract a higher payment than you’d get targeting small and midsize companies in other, lower-dollar industries.”
On top of that, shipping and logistics companies hold the key to getting our world back to some sort of normal with the COVID-19 vaccine. And in the cybersecurity world, the higher the value, the more a company (or government) may be willing to pay to get their data back. With attacks already starting at key parts of the vaccine chain — such as an email phishing scheme targeting the cold chain — shipping and logistics companies are likely to be a lucrative (and popular) target in the months to come.
While digital safety is not an easy (or even close to easy) task in any industry, this industry has some unique challenges. Because the success of a company depends heavily on tracking vehicles and packages at any moment, these industries rely on real-time data. In addition, they must deal with employees, products and vehicles being constantly in motion and connecting to the network from different locations.
Because drivers may need to access the network from rural locations, they often turn to less-secure means. They may access work directly from mobile devices, satellite, Bluetooth or laptops tethered to mobile devices. These connections, as well as multiple endpoints (often employees’ personal devices), can easily introduce risks to the network. Many drivers are self-employed contractors and move throughout the country at any given time, which can make providing employee training on cybersecurity difficult.
Improving Cybersecurity in the Logistics and Trucking Industry
Cybersecurity issues are on the rise in these industries. With an increased focus on the supply chain due to the pandemic, both to hopefully avoid the equipment shortages like the ones last spring and through concern about the vaccine delivery, the industry must focus on protecting its system from attacks.
Here are four keys for trucking and logistics companies looking to improve digital safety.
1. Find Gaps
First, find gaps in your existing cybersecurity plans. Companies without one should begin the process by creating a documented and comprehensive plan. However, having a plan does not guarantee it will work for the next incident. Because threats and tech are constantly changing, plans should be reviewed every quarter, with the goal of looking for new holes. Key points to look for include immediate response, recovering backup data, communication, chain of command and the recovery process. After the attack on Forward Air, Schmitt advised other companies that find themselves in a similar position that more is better when it comes to communicating with customers.
He also says that when the attack happened the team was able to rely on muscle memory from a recent roleplaying exercise as well as detailed plans, which he called a “cybersecurity fence.” He shared that Forward Air had already determined key details, such as how to pay drivers during the attack and continue back-office work. One of the most important parts of the plan was the steps involved in moving existing and new freight without their key systems.
2. Focus on Mobile
Now that you have a plan, focus on mobile security. While mobile use is increasing across all industries, this is a major factor in the trucking and logistics industry. In the past, fleet vehicles had communications and computers hardwired in the vehicles. Today, many drivers use mobile phones and tablets. Even with these growing concerns, 43% of companies surveyed admit they sacrificed security in the name of expediency, convenience or profitability targets, or due to a lack of budget or expertise.
Apps and systems often mix front- and back-office data, such as telemetric and maintenance real-time data. This means mobile breaches can allow threat actors and malware to quickly enter multiple systems. It made sense to me that using so much data for everyday work makes the industry a key target for ransomware attacks
Companies need to move from thinking of the issue as mobile security and instead make mobile security the default — and ‘just security‘. For companies that allow personal devices, also called BYOD, consider using mobile device management platform configuration as well as a BYOD policy that mandates installation of all updates and patches. A written policy of using virtual private networks can also reduce (and hopefully remove completely) the instances of employees linking up over unsafe connections. Companies should also weigh the costs versus the improved security of providing mobile hotspots to employees using vehicles without wireless connections.
3. Awareness Training
Next, provide employees security awareness training and simulations. As the industry continues to rely on contract, seasonal and temporary employees as demand for services goes up and down, companies must focus on teaching their employees safe practices and proper response to attacks. However, the goal shouldn’t be ‘check-the-box’ training, but creating a security culture where best practices and training are woven into all communications and processes.
Many companies are now moving beyond basic awareness training and into simulations of real-world attacks. After reading about how IBM uses business application services platforms for training, I was intrigued by how employees on both sides of the attack learn valuable lessons — while both responding to the attack and playing the role of the attacker.
Six to eight weeks before the Hades gang attacked Forward Air, employees did a role play exercise for a ransomware attack. Schmitt told Freight Waves that because many of the employees at their Atlanta terminal had been with the company for 20 years, they were able to use their muscle memory to divide the space into quadrants and start managing operations using the method employees used many years ago — pen and paper.
4. Check ELD Vendors
Next, ensure electronic logging device (ELD) vendors are validated. Cyber criminals can take advantage of the ELD devices that must be installed on all vehicles. Threat actors can install ransomware on the ELD devices, which shuts down tracking. This means the company has no way to know where their vehicles or packages are. They are running blind. The attackers then tell companies they can only get their ELD devices ‘back’ by paying the ransom.
I did some digging on how to reduce vulnerabilities connected to this evolving threat and found very useful information in the National Transportation Library’s Cybersecurity Best Practices for Integration/Retrofit of Telematics and Aftermarket Electronic Systems Into Heavy Vehicles. The report recommends validating vendors’ security through integration as a key step. Other best practices include having a process for tracking vendor ELD risks and creating an incident response plan for ELD attacks. You should also install all ELD patches in a timely manner.
5. The Importance of Cybersecurity on the Move
As I researched, a quote from Schmitt struck me most. He said their customers were cheering for them to recover. This was a far cry from my original vision of angry customers — of which, I am sure there were still some. During my entire time looking at this I had been focusing on companies being prepared and using tools and training, which of course are important.
But, I had at first missed a key part of cutting down on reputation damage and customer loss — your connection to your customers. Yes, Forward Air’s openness and response to customers were key. But from everything I read, that wasn’t something new that they started doing when their systems went down but an extension of the partnerships they been building with customers over the three decades they’ve been in business. And that’s what you want: customers who stand by you — and even cheer — while you use your plans, processes and tech to get back up and running after an attack.
If your organization requires immediate assistance with incident response, please contact IBM Security X-Force’s US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034. Learn more about X-Force’s threat intelligence and incident response services.