Cybercrimes are on the rise and gaining world attention as hackers become bolder and more sophisticated. Examples of recent attacks include the Colonial Pipeline ransomware attack that shut down a 5 500-mile gasoline pipeline serving the US East Coast and created a temporary gasoline shortage in many states. Also, the SolarWinds attack infected an update downloaded by 33 000 customers of a technology company that produces security products, giving hackers access to customer networks.
“Cyberattacks are more prevalent than we’ve ever seen, and hackers are no longer just going for the lowest hanging fruit and a quick payday, but are more sophisticated and turning to infrastructure targets, such as the cold storage industry,” says Rachel E. Ehlers, Attorney at Law, Jackson Lewis P.C. “They are able to get more ransom from infrastructure, such as a gasoline pipeline, and with cold storage, they can also affect transport to food processors and from warehouses to grocery stores.”
One of the reasons for the growth in cyberattack is increased connectivity in today’s cold chain, says Ehlers. Not only are cold storage operators more connected to customers, trucking companies, suppliers, employment related vendors such as payroll and third-party IT providers, but the move to remote work means some employers also have risks of employees working on sensitive company information from unsecured networks. The increasing sophistication of cybercriminals suggests that even if a company has protections in place within and outside the facility, there is no guarantee that there won’t be an attack.
Learn from experience
NewCold operates automated temperature-controlled facilities in Europe, Australia, and the United States. The largest site is based in Wakefield, United Kingdom, and was the location of a cyber incident in February 2021. “At the beginning of February, we detected irregular traffic in our network by our monitoring and detection capability,” explains Piet Meijs, Vice President of Business Development for NewCold. “Endpoints were not reachable, which triggered the incident response. With the support of our external security service partner, we were able to react swiftly and contain the systems that were affected with ransomware.” With support of the security service provider, the NewCold IT team started a full forensic investigation, and restored all systems from either a back-up, or built them from scratch. The incident was contained to the United Kingdom region and the temporary disruption lasted for 12 hours.
“We informed impacted customers and with hard work and speed to action, any disruption was minimized,” Meijs says. “Certain impacted customers experienced minor delays to shipments, but overall teams worked closely to restore business continuity.” One of the changes in cybercriminal attacks over recent years is the upfront preparation for the ransom demand, with hackers often spending as much as two or three months “camping” out in the system to review types of data available, protections that are in place, company financials and even if the company has insurance and limits of the insurance, Ehlers says. “The criminals make sure they ask for a ransom amount that the company can pay.”
“The attack to NewCold’s systems was carefully prepared and access was gained through compromised NewCold login credentials,” says Meijs. “As we were able to restore everything from back-ups, no ransom money was paid.” NewCold used their experience and an independent review of what happened and how the company can better protect itself to help customers as well. “All applications and appliances have been evaluated and extra capabilities are implemented,” Meijs says. “Workshops with customers were held to learn from each other’s experiences and to share best practices, and we intensified the user awareness campaign for all their employees worldwide.” The company took one extra step to minimize future risk, Meijs says. “To ensure that cyber security remains a top priority, we hired a global information security officer to continuously evaluate and improve our cyber security posture.”
Small companies targeted
Having the ability to backup data without paying the ransom is ideal, but Karen Reese, Vice President of Eskimo Cold Storage, found that backups are not always a guarantee of protection. The single facility, 150-employee company found itself a target in 2020. “It was Saturday, December 26, and we had opened for business because our customers were working,” says Reese. When the supervisor called the general manager to let him know that the computers were not working, the general manager was able to log in from his home on his laptop because it has an automatic logoff feature and was not connected to the facility at the time of the attack. He saw a message that the company’s data was being held for ransom. “They got everything in our warehouse management and billing systems,” Reese says. “We thought we had protected ourselves with an onsite backup and another backup in the cloud, but they got that data as well.” Because customers already had trucks at the dock, the management team told employees that they had to handle everything manually.
“I’ve been in the business a long time – well before technology in the warehouse – so I had to explain the manual processes,” says Reese. After creating inventory sheets on the fly, employees entered pallet counts, bar code dates and numbers, and blast freezer location on the paper forms. “All of our employees are used to scanning bar codes and letting the technology handle the rest. In fact, they did not realize how many pieces of information are needed to track inventory.” Eskimo’s main business is poultry, and tracking the inventory is critical to ensure food safety, says Reese. “Unfortunately, we had some inventory that we were not able to determine if it was ready to ship, was on hold for testing or had to be destroyed, which meant we could not ship any of it.”
This decision did not affect most of their customer orders but did mean they were short a pallet or two for a brief time until they identified the correct pallets. But as Reese points, consumer safety is critical. The timing of the attack could not have been any worse – a weekend immediately after a holiday.
“We called our insurance agent who tried to reach our cyber insurance carrier with no luck.
However, our GM called the WMS company for guidance, and they referred us to another customer who had experienced a ransomware attack,” says Reese. Through this contact, they were able to find a consultant that knew what to do, including finding a negotiator for the ransom. “Because both of our backups were compromised, we had no choice but to pay.” The negotiator told Reese that luckily their hackers were “honest,” and would give back 100% of the data. “Dishonest” hackers only return 90% of the data jeopardizing the safety of inventory for customers. At 7pm on December 27, Eskimo’s data was returned.
“Before you can put everything back into the system, you have to make sure it is clean so you don’t have any other malware, which meant finding another third-party expert to ensure it was safe,” says Reese. At 9pm on Tuesday, December 29, all data was determined to be clean, and the company slowly started up the network. All customers were notified on Monday morning of the incident, but service disruption was minimized, surprisingly, due to the holiday weekend. “The office staff ran our paper picks for both Monday and Tuesday so they could take off the entire holiday weekend, so we were able to accept and load trucks,” says Reese. “If it had not been a holiday weekend, we could only have operated on Monday.”
Even with the speedy return of data, it did take several months for everything to settle, says Reese. The attack was not the result of anything that happened in the company – no one compromised login credentials, no one accessed the system with an unauthorized device and security and other software were updated regularly. “This was not our fault – our third party software provider was hacked, and the criminals got into our system through them,” she says. Although they were unable to reach the cyber insurance provider that weekend, they were initially told by the provider that no costs would be paid because they hired a consultant without the provider’s approval. “Fortunately, the consultant we hired was on their approved list, so they paid.” Even so, she discovered that her cyber insurance – which was purchased six years before – only paid one-fourth the amount needed to cover all costs associated with the crime. Lessons learned from the cyber-attack resulted in Eskimo:
- Backing up data in two different clouds, one onsite backup and one physical backup carried home by the GM or Reese each day.
- Changing email systems to include features that scan incoming emails and attachments before opening and adding extra security by asking employees, “Are you sure?” when they click on links in an email.
- Training employees on password security and other activities to protect the network.
- Routinely having the email provider send phishing emails to employees to evaluate behaviour and produce reports on who might need additional cyber security training.
“No one can ever be 100% protected from cybercriminals,” says Reese. It is critical to take cyber security seriously because an attack affects more than just the one facility. “For our company, 65 to 75% of the product we handle is exported, which means the containers were on their way to our dock. If we don’t load them that day, they don’t make it to the ship, and ships don’t wait,” she points out. “To protect your business and your customer’s business, re-evaluate your cyber security program every six months, no less than annually, to make sure you don’t have any malware, because every login into the system may open a crack that hackers can exploit.”
Source: Global Cold Chain Alliance | By Sheryl Jackson | First published in Coldfacts Magazine