Supply Chain Matters calls reader attention to a very sobering, detailed account of the June 2017 NotPetya global cyberattack that threatened many companies, including the largest global shipping line. We believe that this report should be mandatory reading for Chief Supply Chain Officers (CSCO) and Chief Information Officers (CIO) supporting global supply chain operations.
Readers, particularly those focused on logistics, transportation and procurement, may well recall the June 27, 2017 global cyberattack that impacted many companies and nearly crippled the operations of shipping conglomerate giant Maersk.
Last week, IT publication Wired published a very detailed and lengthy account of this incident: The Untold Story of NotPetya, the Most Devastating Cyberattack in History. The story is one in which a highly suspected global-state actor was able to successfully leverage the servers of a Ukraine-based tax software firm, the equivalent of TurboTax or Quicken, for: “the most devastating cyberattack since the invention of the internet- an attack that began, at least, as an assault on one nation by another.”
From our lens, the report is sobering and concerning, to say the very least. In particular, it tells the story of how Maersk’s operations were suddenly crippled by this cyberattack. Other major corporations and countless other manufacturing and service businesses were affected, including global pharmaceutical manufacturer Merck, consumer goods producers Mondelez and Reckitt Benckiser, French-based construction company Saint-Gobain, and European-based TNT Express, now a division of FedEx. Author Andy Greenberg, who penned this report as an excerpt for his forthcoming book, provides a detailed account under extraordinary challenges, namely that many sources are obviously reluctant to speak about a cyberattack and its subsequent impact on business operations.
Among the sobering passages in this report was how Maersk administrative control operations were literally crippled in a matter of a few hours, including the central booking web site. As the virus spread across Maersk’s corporate network, 17 of Maersk’s 76 operated terminals were impacted.
Major terminals such as the APM Terminal in Elizabeth, New Jersey, just outside Newark, became crippled. This terminal, which typically processes 3000 truck container movements per day, had no systems for control: “That gate, a choke point to Maersk’s entire New Jersey terminal operation, was dead. The gate’s clerks had gone silent.” Any calls to Maersk’s operations and customer support teams went unanswered because the corporate digital phone system was brought down. Terminal operations had no option but to close down, and local police had to inform long lines of queued tractor-trailers to turn around and leave the port terminal. In the coming days, Maersk staffers resorted to any tool available, including paper documents, personal Gmail accounts and WhatsApp, as a means of control.
Thankfully, ship navigation and sailing operations were spared.
The report provides a detailed account of how Maersk’s outsourced IT support center, located in the UK and staffed by Deloitte, was provided a literally blank check to resolve the crisis. It was discovered that one critical component of the company’s network, a series of files that map the entire network and user access rules, was destroyed by the virus. By sheer luck and chance, one sole surviving domain controller, located in a remote office in the country of Ghana, had been offline during the attack because of a local power failure that occurred earlier. The key network control data recovered from that one server helped to bring back Maersk’s entire corporate network. However, it took 10 days for the shipping giant to rebuild its entire IT infrastructure, while the central UK IT support center worked day and night for upwards of two months to rebuild software applications.
Sobering Impacts and Takeaway
In the end, the report indicates that, according to a White House assessment, this one cyberattack amounted to more than $10 billion in total damages. As in the majority of these cases, the cost is likely far higher since many corporations and businesses are reluctant to fully quantify such numbers for obvious reasons.
In the specific case of Maersk, the WIRED report points to various vulnerabilities indicated by former IT staffers including: “less than perfect software patching, outdated operating systems, and above all insufficient network segmentation.”
Maersk has reportedly since provided a green light to investing in new cyber-security measures. More importantly, and perhaps a key takeaway for our readership, are statements that senior Maersk IT staffers apparently never had cyber security measures as a declared key performance indicator (KPI) for bonus achievement.
From our Supply Chain Matters lens, the same could be stated for the KPI measures of senior supply chain leadership. Supply and demand network risk mitigation has to include determining areas of cyberattack vulnerabilities in both internal and partner systems, including suppliers and trading partners. While such a KPI may seem too broad or unachievable for management bonus considerations, the overall cost to the business and to supporting customers, as provided in this sobering report, is far more significant. If not a bonus KPI, then at least a major business-wide effort with leadership from the most appropriate senior executives, including the CIO, with the joint support of the CSCO or senior-most leader of operations.
Consider one of the last and most profound statements in the WIRED report:
“Almost everyone who has studied NotPetya, however, agrees on one point: that it could happen again or even reoccur on a larger scale. Global corporations are simply too interconnected, information security too complex, attack surfaces too broad to protect against state-trained hackers bent on releasing the next world-shaking worm.”
The above alone would indicate that every business and every supply chain team must address cyberattack vulnerabilities and mitigation as one of their most prominent initiatives. That includes all systems, internal and external, and, in the new evolving dimensions of Internet-of-Things (IoT) enabled physical devices, Edge systems as well.
A global-wide supply or customer fulfillment network will always be vulnerable to its weakest links. Ensure that your networks are constantly monitored, assessed and actively measured for threat points and mitigation measures.
Bob Ferrari
© Copyright 2018. The Ferrari Consulting and Research Group and the Supply Chain Matters® blog. All rights reserved.