Mitigating cyber-enabled cargo theft

Artie Crawford, director of cybersecurity at the National Motor Freight Traffic Association, shared a story about a time when several hundreds of thousands of dollars' worth of walnuts were stolen in the state of New York. The carrier transporting the nuts was based in a neighboring state.

When they initially called in the theft, they were told they would need to file a claim at the State of New York trooper barracks, which was a six-hour trip one way.

“A company is not going to drive six hours over to make a report that their walnuts were stolen and drive six hours back because now it becomes unfindable because it's not a serialized item,” Crawford said. “It's not going to show up in a pawn shop, and it's probably already on its way to a country that needs walnuts.”

Jurisdiction is just one of the many difficulties of filing a cargo theft report, and that becomes even more convoluted when it's cyber-enabled cargo theft. The NMFTA recently hosted a webinar to discuss best practices for mitigating cyber-enabled cargo theft.

Danny Ramon, director of intelligence and response for logistics visibility platform Overhaul, said prior to the COVID pandemic, straight cargo theft – meaning the tractor and/or trailer were physically stolen from the rightful driver – was the lion’s share of risk.

“What we're seeing now, though, is really the emergence of strategic theft – theft by fraud, theft by deception – which has really changed the game. It has really changed how freight is stolen in this world and how it's liquidated, as well as what can be targeted.”

Strategic theft

Ramon said one of the most prevalent forms of strategic theft is phishing, a cyberattack via fraudulent email that deceives the receiver into divulging sensitive information like passwords.

That could look like a bad actor using social engineering and phishing attacks to obtain a carrier’s password for the Federal Motor Carrier Safety Administration website, where they can then change the contact information so that the carrier’s business is rerouted to an unverified carrier under the guise of legitimacy. Or maybe the bad actor scams an employee at a trucking company into revealing their network password, then uses it to gain access to shipping documents and start changing destinations for certain shipments.

One example Crawford gave was an instance where a stolen load was held for ransom until a Bitcoin payment was made, and a federal agency was called in to arbitrate that Bitcoin back to the carrier so it didn’t go out of business.

Crawford added that smishing (the text version of phishing) is another widespread form of cyberattack.

“Everybody, probably, on the planet now has received something from some DOT that you haven't paid your traffic tolls,” he said. “Well, guess what? You're not getting your license suspended. Please don't click the link.”

Response process

Ben Wilkens, principal cybersecurity engineer at NMFTA, said the industry has experienced great challenges when it comes to reporting cargo theft, especially cyber-enabled cargo theft. And there are numerous reasons.

Wilkens said a carrier may be wary of reporting a cargo theft because their business would take a reputational hit for being unsafe with a customer’s freight. Or carriers can be perceived by law enforcement as crying wolf.

“One thing that I've heard from a number of different individuals is that the response is often, ‘Do you know it's stolen, or do you just not know where it is?’ and that really can hamper that initial report from getting put in in a timely manner,” he said.

Ramon said it could also become an issue of whether the cargo can be considered stolen or whether it should be considered a contract dispute that needs to be settled in front of a judge.

But the biggest issue is the confusion, because of jurisdictional issues, about who to report it to and how.

“A lot of times, some of these thefts are so convoluted – where they happened, how they happened, who actually stole the cargo from where – and it makes it very difficult to actually get that initial police report filed,” Ramon said. “This is a large country. There are lots of places to steal cargo, whether that's straight theft … or stealing it strategically.”

He said that can lead to another issue: filing an insurance claim.

“That can be a barrier to even getting an insurance claim going,” Ramon added. “Any kind of further action, a lot of times, hinges on that initial theft report and getting the stolen product and the stolen equipment entered into the NCIC (National Crime Information Center), which without an initial theft report, you can't do.”

Another factor that can make that initial response more difficult is lack of visibility into your supply chain, he said.

Ramon said dozens, if not hundreds, of thefts can take place before the first one is ever spotted because of delays in communication that exist within the supply chain.

Prevention measures

Lack of communication across disparate agencies, from federal government entities to local law enforcement, can complicate the response process, Crawford said, but there are some basic ways to mitigate theft in the first place.

Wilkens said there are three areas of security practice that converge: cybersecurity controls, operational security controls and physical security controls.

Locks, security guards, concertina wire on fencing, security cameras, etc. That’s the physical side, which the NMFTA doesn’t dive into, Crawford said.

The NMFTA rolled out its Cybersecurity Cargo Crime Reduction Framework, offering some of the most common ways cyber-enabled cargo theft is perpetrated, along with some basic actions companies can implement to reduce risk.

“Adding just basic cybersecurity hygiene goes so far along the path to help prevent those type of things, because you're not running faster than the bear, you're actually running faster than the slowest person,” Crawford said.

What he means is bad actors are after the low-hanging fruit: the easiest to attack.

“These folks are playing numbers games. They're casting that wide net,” Ramon added. “They’re not trying to work hard, but they're only going to work as hard as we make them work, so whatever low-hanging fruit they're able to obtain with the least amount of work is likely what they're going to be going after.”

Crawford said basic cybersecurity steps include network segmentation inside organizations, access control, training programs, business continuity plans that have solid incident response plans, vetting third parties and their cybersecurity practices, identity access management programs and sometimes just taking the old-fashioned route of picking up the phone and making a call.

Ramon said there are multiple companies that perform carrier vetting services like Highway, Verified Carrier and his company, Overhaul.

“My suggestion is use every single tool you have available to you because these folks are getting smarter every day,” he said.

Angel Coker Jones is a senior editor of Commercial Carrier Journal, covering the technology, safety and business segments. In her free time, she enjoys hiking and kayaking, horseback riding, foraging for medicinal plants and napping. She also enjoys traveling to new places to try local food, beer and wine.