Logistics organisations face the challenge of relying on new digital solutions without compromising their security.
In a booming market, new technologies have become a real performance lever, but their adoption brings increased cybersecurity risks. The concern now is to benefit from the advantages of these tools while protecting information systems.
This is where a penetration test helps to strengthen the level of security, as it makes it possible to verify the risk posed by attackers to a given target. For a logistics company, it will assess the security of web solutions, control software, intelligent sensors, etc. against cyberattacks.
What are the priorities during a penetration test for a company in the logistics sector?
Here is an overview of cybersecurity issues we frequently encounter and that may be specific points of attention.
Ensuring the protection and confidentiality of logistics data
The most essential element is the protection of goods, which is at the heart of the activity. There is a lot of data concerning goods: regarding their content and market value, their location, the associated financial and personal data, etc.
Protecting this data means protecting it throughout the journey of the goods, where many kinds of data are generated: stock planning, mission scheduling, goods collection, invoicing…
Let us imagine that location data is accessible to attackers. They could then choose the best time to steal the goods, whether by posing as an intermediary during a delivery phase, upstream when they are stored or once they have arrived at the recipient’s premises before use.
Confidentiality of data is also sensitive in the case of competitive markets (which competitor has bought which quantities of raw materials or at what price, for example), in relation to privacy (who bought what), etc.
Attackers use a variety of flaws to gain access to data. These can be vulnerabilities related to rights and access issues, which give a user access to data or functions beyond those originally intended for them.
They can be configuration problems, which make it possible to enter the internal network or to intercept sensitive information.
We also encounter injection flaws, which allow interaction with the database through unanticipated queries, and path traversal flaws, which allow a file to be retrieved from a server.
We see many other flaws during penetration tests, but the point is not to list them. Data protection is an essential element for the reliability of the organisation.
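The rights and access issues described above, shown as a weak lookup beside a checked one. This is an added example, not code from the original article; the shipment records, organisation names, roles and function names are all constructed for illustration.

```python
# Constructed sample records: two shipments handled by the same carrier.
SHIPMENTS = {
    "SHP-1001": {"shipper": "acme", "carrier": "fastfreight",
                 "contents": "electronics", "value_eur": 48000,
                 "location": "Depot 7, bay 12"},
    "SHP-1002": {"shipper": "globex", "carrier": "fastfreight",
                 "contents": "raw copper", "value_eur": 91000,
                 "location": "In transit, A10 km 212"},
}

# Hypothetical roles: fields each may read once the caller is a party
# to the shipment. Unknown roles see nothing.
VISIBLE_FIELDS = {
    "shipper_admin": {"shipper", "carrier", "contents", "value_eur", "location"},
    "carrier_dispatch": {"shipper", "carrier", "location"},
    "carrier_billing": {"shipper", "carrier"},
}

class AccessDenied(Exception):
    """Raised for unknown shipments and for shipments of other parties."""

def get_shipment_naive(shipment_id):
    # Weak form: the full record is returned for any ID, whoever asks.
    return dict(SHIPMENTS[shipment_id])

def get_shipment_checked(caller, shipment_id):
    record = SHIPMENTS.get(shipment_id)
    # Object-level check: the caller's organisation must be a party.
    # "Missing" and "not yours" give the same error on purpose.
    if record is None or caller["org"] not in (record["shipper"], record["carrier"]):
        raise AccessDenied(shipment_id)
    # Field-level check: return only what the caller's role may read.
    allowed = VISIBLE_FIELDS.get(caller["role"], set())
    return {k: v for k, v in record.items() if k in allowed}
```

The checked version keeps location and market value away from roles that do not need them, even inside an organisation that is a legitimate party to the shipment.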
Confirming secure IoT implementation with penetration testing
The IoT (Internet of Things) is increasingly present, whether in warehouses or during the delivery process.
Examples include intelligent robots, container/truck tracking, temperature control sensors, etc. Connected objects bring real value but represent a cybersecurity challenge.
While the IoT has indeed reached functional maturity, its security is not yet mature. The variety of technologies used and the number of points of attack make connected objects a prime target for attackers. Vulnerabilities can be related to hardware, firmware, integration with the network and other software, web interfaces or mobile applications used to manage the object or retrieve data, etc.
Depending on your priorities, an IoT penetration test can cover the entire IoT ecosystem or focus on areas of higher risk.
IoT security is essential to guarantee the security of the overall information system, but also to ensure compliance with requirements (cold chain, product traceability, etc.).
Validating the integration of solutions
Another central issue for logistics organisations is the integration of solutions in a secure manner. Generally, several solutions are used: field data collection, charter management, tracking of operations and flows, route optimisation, etc.
The different solutions are often plug and play to facilitate integration and interoperability. They are linked to each other through APIs so that they can perform their function and reach their full potential. In addition, solutions are sometimes opened to partners so that they can provide or track data.
But these interactions can leave flaws: data leaks, elevation of privileges, external takeover…
Integrations must be rigorous to avoid errors that can lead to security breaches. Segmentation and control of rights must also be precise and meticulous to guarantee the security of the systems.
Ensuring service continuity for logistics companies
Another security priority is service continuity. Supply chains cannot stand still, so they are high-risk targets for ransomware attacks. Attackers know that these companies are more likely to pay the ransom to get their business up and running again as quickly as possible.
The attack on Bakker Logistiek last April, for example, showed that a ransomware attack can bring the entire company to a standstill and have visible consequences for the consumer, for whom a product is no longer available.
Other attacks can affect the continuity of services, such as denial of service attacks. They can target software, online services or the overall information system to make them unavailable. They use vulnerabilities in the software layer or in the infrastructure.
Preventing these risks requires securing these layers for all services exposed on the networks. The security of data centres (internal or external) is also a key factor, as is the effectiveness of the disaster recovery plan. As part of an information system pentest, it is possible to test for denial of service attacks specifically.
The impact of destroyed or corrupted data is disastrous for the company that has been attacked. Having a resilient chain and being able to respond quickly and effectively to disruptions is a crucial issue, especially if the disruptions occur during a strategic period for the company (end of year, Black Friday…).
Preventing the misuse of business logic
Logistics solutions often follow multi-step processes to fulfil their missions. These processes can contain flaws that let attackers interfere with them.
In the case of an e-commerce organisation, this could mean forcing a validation during the preparation of an order, in order to get it shipped several times for the same customer.
In other supply chains, bypassing processes could mean issuing shipping labels when the order is not yet confirmed or validating new bank details for payment of an invoice.
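The process-bypass cases above (an order shipped several times, a label issued before confirmation) come down to whether the server checks the order's stored state before applying a step. The following is an added example, not code from the original article; the step names, the Order class and the function names are hypothetical.

```python
from dataclasses import dataclass

# Hypothetical step names: each step is legal only from the state listed.
REQUIRED_STATE = {
    "confirmed": "created",
    "prepared": "confirmed",
    "label_issued": "prepared",
    "shipped": "label_issued",
}

class WorkflowError(Exception):
    """Raised when a request asks for a step the order is not ready for."""

@dataclass
class Order:
    order_id: str
    state: str = "created"
    shipments: int = 0

def advance_naive(order, requested_step):
    # Weak form: the step named in the request is applied as-is.
    order.state = requested_step
    if requested_step == "shipped":
        order.shipments += 1
    return order.state

def advance_checked(order, requested_step):
    # Hardened form: the state stored server-side decides what is legal.
    required = REQUIRED_STATE.get(requested_step)
    if required is None:
        raise WorkflowError(f"unknown step {requested_step!r}")
    if order.state != required:
        raise WorkflowError(
            f"{order.order_id}: {requested_step!r} needs state {required!r}, "
            f"order is in {order.state!r}")
    order.state = requested_step
    if requested_step == "shipped":
        order.shipments += 1
    return order.state

def replay_shipping(advance, order):
    # Constructed scenario: the same "shipped" request arrives twice.
    for _ in range(2):
        try:
            advance(order, "shipped")
        except WorkflowError:
            pass
    return order.shipments
```

With the checked version, a repeated or out-of-order request fails and leaves the order unchanged, and the rejected transition is a useful event to log and alert on.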
Tackling human-factor vulnerabilities through penetration testing
Vulnerabilities related to the human factor are flaws related to behaviour. Attackers try to manipulate staff to obtain strategic information or to make them carry out actions that create security incidents (installation of malicious files, phishing emails, etc.).
It is therefore essential to make teams aware of the risks of attacks based on human behaviour, which can take many forms. While phishing is still very present, other attacks use malicious USB keys or phone calls, for example.
Thanks to a social engineering audit, it is possible to test the reflexes of teams by simulating realistic attacks that use threats specific to the company’s context.
A specific risk in the logistics sector exists when companies implement a policy of using the personal devices of teams for their professional missions (BYOD policy: Bring Your Own Device). An example of this is the use of personal phones by last-mile delivery drivers. The security of these devices cannot be controlled by companies, which exposes them to more risks. Indeed, employees may have vulnerable devices (for multiple reasons: device not updated, installation of dubious software, risky internet browsing…).
Whether to adopt a BYOD policy or to provide all the necessary equipment is a choice to be evaluated.
In conclusion, the increasing attacks on companies in the logistics sector have raised awareness of the importance of cybersecurity. Appropriate protections must be put in place on IT and OT equipment. Different lines of defence, from technology to processes to people in the company, need to be coordinated to ensure cyber resilience.