The challenges of smart warehousing are highlighted as the fulfilment and delivery operations of many supply chains are now dependent on high degrees of automation and analytics. This dependence has increased the operational risks of cybercrime and hacking.
Successful attacks causing severe financial and reputational damage have been seen and continue to present a risk. So, companies looking to exploit warehouse automation must balance the demand to implement quickly against the necessity to do it in a controlled and secure manner. The prevailing Covid-19 pandemic and the accelerating transition from declining brick and mortar retail onto commerce platforms also present challenges for logistics operations.
Despite the explosive growth in devices capable of being connected to IoT networks, there are very few security standards that have been agreed. This is because different manufacturers have developed their own technology platforms and some of these have their origins back when cyber risk was uncommon.
Given the necessity for sensors and other devices in any IoT ecosystem to communicate, open interfaces and ease of connectivity provide an open door for malicious actors. This has now been recognised as a significant risk to operational performance, but the variety and volume of new devices make it very difficult and expensive to retroactively address.
The European Telecommunications Standards Institute (ETSI) and others have identified a list of requirements that can inform any IoT security policy:
- No universal default passwords (passwords must be unique)
- Vulnerability reporting facilities and management
- Regular software updates (and maintenance)
- Secure storage of sensitive security parameters
- Secure communication
- Minimise exposed attack surfaces
- Optimal software integrity
- Personal data security
- Outage resilience
- System telemetry data examination
- Simple user data deletion processes
- Easy device installation and maintenance
- Input data validation
It was only in December 2020 that the US President signed the IoT Cybersecurity Improvement Act into law. This illustrates how slow the world has been in realising what the cybersecurity implications are for the information-based world in which we live.
Fortunately, the increasing use of Cloud-based applications and services has made it easier to consistently enforce good cybersecurity practice at the heart of many operations. But because of the very distributed nature of supply chain operations, the opportunity to exploit insecure gaps in the technological landscape remains quite big. To at least reduce the risk of attack, there must be education and consistent, clear explanations concerning good prevention techniques.
Staff should be aware of the social engineering methods used by attackers to gain information about IDs and passwords. Even publicity about the kinds of technology and the preferred vendors used within a warehouse automation project should be avoided – despite the marketing department wishing to publicise how advanced their operations might be.
Any device connected to the network, no matter how seemingly trivial its function might be, is a possible attack vector for a bad actor (as we say in the jargon). Simple Bluetooth connected sensors for temperature in a cold chain network have the potential to deliver malicious code into the network. Once inside the network, all bets are off. This is because even the simplest devices now have sufficient memory to accept and transfer the very small programmes hackers use.
Resilience and Business Continuity
As warehousing facilities are increasingly automated, they are reconfigured around the most efficient layouts for operations. The deployment of robots, narrow aisle bays, automated vehicle pathways, etc. changes the nature of such locations into areas where humans are confined to small sections.
This becomes a serious issue in the event of prolonged power failure or system outage. In more traditional layouts, humans can continue to move around the entire facility and have the room to maintain operations at a slower speed. But within facilities where movement and access are restricted to the dimensions of machines, it is impossible to run a manual operation.
This is yet another example of the necessity of planning to ensure continuity of power and communications links in the event of severe disruption. Diesel generators for backup power can only operate for as long as the fuel supply lasts. The same applies to battery storage. Outages lasting weeks (e.g. weather-related or cyberattack) are quite likely over the next few years, so any business continuity strategy must have a broad scope of reference.
Source: Foundation for Future Supply Chain, September 7, 2021
Author: Foundation for Future Supply Chain