Defending Logistics After Cyberattack on DP World Australia

DP World Australia took a bit of a drastic step recently in its cybersecurity defense strategy by unplugging from the internet temporarily in the hopes of mitigating possible harm from a cyber “incident” the company reported.

Oftentimes headlines about cyberattacks caution of threats to financial institutions, the power grid, or confidential information. Control of money, electricity, or details that should not be made public surely are important to defend, but attacks on the supply chain could disrupt access to tangible resources.

From Nov. 10 to Nov. 13, logistics company DP World Australia contended with a cyberattack that affected Brisbane, Melbourne, Perth, and Sydney. Concrete details have been limited though other outlets have speculated that DP World Australia was targeted by ransomware -- some claim it stemmed from a CitrixBleed vulnerability that had not been addressed.

No suspects or possible demands have been disclosed by authorities, but the company took the step of disconnecting from the internet as it sought to sort things out.

Bad Actors Want Big Disruptions

“The timing and the scale and the impact of that disruption suggest it was a very targeted attack,” says Craig Austin, associate teaching professor in the department of marketing and logistics at Florida International University’s College of Business. “It occurred on a Friday night when most of the staff was off and so not many people were monitoring.” He says some 30,000 cargo containers were held up at the affected ports in Australia.

Related:Seaports, Backlogged Supply Chain Seek a Digital Response

Austin notes that other types of recent cyberattacks on infrastructure and commerce included disruptions of oil terminals, which affect oil delivery. Shipping and the maritime sector saw a major ransomware attack in January of this year that targeted DNV’s ShipManager software, affecting 1,000 ships and forcing connected servers to be shut down.

Ransomware is obviously more than a pricey nuisance for companies. “The costs are like millions of dollars for each attack,” Austin says. While businesses often acknowledge that supply chain security and data protection are important priorities, there can be challenges acting on those fronts. “The problem is a lot of them suffer from understaffing,” he says. “They don’t have enough people and logistics, and so they’re struggling with that.”

There is a presumption of smooth operations across the supply chain but cyberattacks and other disruptions can deliver wakeup calls. “Prior to the pandemic, a number of companies never realized how important a well-functioning supply chain is, how much they matter,” Austin says. The rise of the pandemic saw cargo getting backed up at various ports around the world, disrupting access and delivery of goods. The cyberattack on DP World Australia was a reminder that intentional targeting by bad actors can also put the supply chain in a chokehold.

Related:What Are the Biggest Lessons from the MGM Ransomware Attack?

It is debatable how disconnecting and then later reconnecting to the internet affected the situation DP World Australia faced. “Honestly it’s not a very effective strategy,” says Douglas Kent, executive vice president of strategy and alliances at the Association for Supply Chain Management. Such action might assist with an immediate event, he says, but a longer-term strategy may be needed. “More focus needs to be not on the firefighting but rather the fire prevention.”

As cyberattacks escalate in number, variety, sophistication, and global reach, the interconnectivity of commerce and other resources is often targeted. “It makes things like ports and banking institutions and complex networks more vulnerable,” Kent says, “because when they have to go offline or do some kind of mediation or corrective action, it’s disruptive.”

Money Not the Only Ransomware Motivation

While monetary demands through ransomware are a common motivation for cyberattacks, bad actors may have other reasons to pursue a target. Disruption might be the actual motivation for the attacks, he says, especially with the rise in geopolitical tensions and hackers backed by nation-states. “Infrastructure remains a target for these criminally based attacks,” Kent says, “regardless of who’s doing it and maybe even what the nation is, but the interconnected nature and the impact of those attacks are attractive for those who are trying to make disruption, you know, a hobby or a job.”

Related:4 of the Biggest Vulnerabilities Talked About During Black Hat 2023

With interconnected devices running on the internet and relying on the cloud, shutting down and then rebooting might be necessary as a short-term response to an immediate attack.

“It’s not a surprise that they would have to go offline because of the nature of the interconnectivity,” he says. “In order to remove the ongoing vulnerability of an attack, you pretty much have to take things offline.” DP World Australia’s temporary shutdown did bring its own headaches because it affected a transportation lane critical to Australia.

Complexity, Connectivity and Cyberattacks

The complexities of the supply chain mean the multitude of players and components want connectivity and visibility into operations, he says. That way operators of ships, the customs department, and rail system managers will know when cargo gets unloaded and is ready to move on to the next destination, including to the last mile of delivery. “The need is there because we expect it,” Kent says. “Even as consumers, we expect it. We want to be able to go online and know that we bought something that it is going to be delivered.”

That interconnectivity also increases the level of vulnerability, he says, because all of the players involved might not have the same level of protective security. “A lot of network players try to gain access to information,” Kent says, “which is critical to the transparency of what’s happening in the movement of goods entering into that connective field with various levels of protection and security.” If there is a cyberattack, a temporary shutdown might be a move to protect other players in the chain, but it might not solve the entire problem for those other parties. “Did they become, by the nature of the attack, also vulnerable themselves?” he asks.

As the cyber cold war persists between bad actors and defenders, complex systems such as the supply will likely need further investment in protection. “The increasing use of firewalling data is important,” Kent says. “So, when I take down something, do I have to take everything down or can I isolate where I believe the incident occurred, and feel comfortable that the firewall protection is there so that no attack would have gone beyond the known area where there was a cyber event occurring?” He also suggests limiting the potential loss of data by using distributed databases so not everything is kept in the same place. “If I keep all of my critical information in a singular data center, that’s just stupid,” Kent says. “If something happens and you know a geo-event, for example, happened in that particular area then you know I’m stuffed.”