Over the weekend, I wrote a long piece on how our logistics and supply chain are prone to a Cyber-attack, and what can be done about it, if anything. I had also mentioned that I wrote a rather substantial article on the state of the current C-TPAT Legislation for a client, and that it should be published soon.
This is a law that was enacted specifically to protect the maritime interests of the United States, both here at our borders and abroad.
But, it is important to keep in mind that the logistics/supply chain is not composed of just one party trying to move its product into the United States. A perfect example of this is a Chinese manufacturer shipping servers here to the US. There will be people involved in packing the servers into their respective containers and cargo holds, and once that is done, there could be many such containers.
This also means that more than just one vessel will be used to transport these goods, and multiple shipping lines as well. It is even quite possible that there could be multiple ports of destination here in the United States.
The point I am trying to make is that it is not just one entity that is involved in shipping a container of servers across one shipping line to just one point of entry into the United States.
There are many parties that are involved in this entire process, and many of them are third-party vendors, which carry an entire array of Security risks themselves. This point is clearly illustrated by the recent breach involving an entity known as Garmin.
Their subsidiary, Navionics, an electronic navigational chart maker (which is used heavily by cargo vessels), had not secured their database even with a single password (which totally befuddles me).
Thus, their “MongoDB” database could be accessed by anybody, even down to the most novice of Cyberattackers. Heck, even you or I could have accessed it, given the right tools that can be downloaded from the Internet. Apparently, 19 Gigabytes of information and data were at risk, which included the following records:
* Information about the cargo ship, which includes:
  * Latitude and longitude;
  * Cargo ship speed;
  * Other relevant navigational details, which are updated in real time.
Once this breach was discovered, Navionics immediately shut down the relevant database servers. After this, the company took the required steps by immediately notifying the relevant law enforcement agencies at all levels (local, state and federal), its customers, and launching a forensics investigation.
The good news is that, so far, none of the datasets have been tampered with, or even hijacked. I would say that Navionics is extremely lucky in this situation.
This is not the first time that MongoDB has been exposed to potential Cyber-attacks. Apparently, this database, although it was in theory protected by firewalls and the like, never had a secure password. In fact, even the networking devices never had passwords either.
Navionics had relied upon the default password set by the vendor, and even that was never put in place.
MongoDB installations have been victims of Cyberattacks on multiple occasions, and have even had their datasets totally wiped out. Heck, MongoDB was even a victim of a Ransomware attack. What more could go wrong?
My thoughts on this?
When I first read this story, I said to myself, OK, it is probably the usual headline we hear about another Cyberattack in which confidential information/data has been hacked into and stolen. But when I got deeper into the story, the number of cascading failures that occurred totally blew my mind.
I mean, how could such a large business entity like Navionics not even password protect their own IT systems? Yes, passwords are the weakest form of authentication, but come on, they are still better than nothing! This is completely absurd. Then there is the fact that they completely relied upon vendor-supplied passwords that were never even set. This is even more ludicrous.
The one thing I will give Navionics credit for is that it looks like they responded quickly, and acted quickly to prevent further damage. So, as you can see, the logistics/supply chain is totally at risk of a large-scale Cyber-attack. It does not have to be a malicious Insider Attack (such as the Chinese putting micro cameras into servers); it can be something as stupid as not even setting a password.
Thus, this raises the importance for the importer/exporter to thoroughly vet the third-party vendors they use, and even to require them to be a part of the C-TPAT alliance as well. There has been talk about classifying maritime shipping as so-called “Critical Infrastructure”.
But what good is that going to do, when people, for lack of a better term, simply act stupidly and don’t properly enable the Security tools that they have been given?
In a worst-case scenario, a Cyberattacker could easily have taken these datasets and made the cargo ships collide with one another, or, worse yet, made one crash into a port of destination here in the United States, causing even more physical destruction and chaos.
Again, as I said yesterday, it will take yet another 9/11-style attack, but on a Cyber level, in order to wake people up. That is truly a sad statement to make, but it is the reality of today.