Is securing your material handling systems important? If you say no, you’re in the majority. And that’s a problem.
Only about one-third of U.S. warehouse and distribution managers think protecting systems and operations against attack or destruction is an important part of their job. Their reasoning: Who could possibly want their SKU data, transportation routes or a hidden route into their Web sites?
Well, here’s an answer: organized hacking syndicates, cyberhooligans, terrorists and those employees who contribute to the growing “skrinkage” problem, to name just a few.
“Terrorists and hijackers want to know when inventory will be shipped or received, by what means, as well as what security precautions will be put in place to protect the cargo,” said Barry Brandman in his report Security Best Practices, Protecting Your Distribution Center. Just this past November, experts were warning Internet users to take threats made by an Islamic cleric about possible cyberattacks as serious.
The above list of “interested” parties can fall into one of three basic groups. One group has political or philosophical agendas. Another group just wants to commit mischief. This group can include your employees, who are enabled by today’s automation agendas. “The push for more productivity and tighter coordination between manufacturing functions has led to tools that give operators access to almost all departments in a company,” says a spokesman at Omron. Thus, it’s easy for employees to gain access to accounting data, for example, and do what they want with that data.
The third group is motivated by greed. “In fact,” continued Brandman, “there are a number of international organized crime groups specializing in cybercrime as well as free-lance hi-tech “guns for hire” who will attempt to penetrate a corporation’s network for the right price. Unauthorized entries into corporate servers and networks can result in fraud, the theft of proprietary information and misappropriation of company funds and sabotage ... Cyberterrorists who gain access to confidential information can duplicate or destroy that information as well as plant viruses or worms that can crash networks and e-commerce Web sites.”
Why anyone wants your data is not the question to ask. The key issue is downtime. Material handling managers need to ask and answer how much will downtime cost and can they afford that financial loss. Cybercrime, be it mischief-makers or organized crime, inevitably compromises your ability to continue operations.
While downtime will cost you, don’t underestimate the importance of loss or corruption of data, either. Data integrity plays a crucial role in any company’s ability to continue operation. What would you do if you lost all your customer records, or if all of them were corrupted? How would you begin to re-establish who ordered what? When did they want it shipped? Where is it to go? Who has paid? Who still owes money?
In the hundreds of stories after 9/11, the common element for too many businesses was how they lost all their data and had to go back to customers to retrieve it. Many of these companies had backup systems, which did them little good because they were stored on site at the World Trade Center. Today, these companies have cut staff while trying to rebuild their databases, and it’s not an easy task. Insurance and government rescues do not provide enough money to cover the losses. According to the Council of Logistics Management, studies show that about 43 percent of businesses that suffer a disaster (like fire, flood and so on) never reopen for business.
On the front line
If that information is not enough to spur you to action, think about this. You’ve been conscripted to defend U.S. capitalism from those with mischievous or malicious intent. You are on the front lines of national defense because you use computers, networks and the Internet in your operations. Therefore, security is an issue.
This is an unprecedented situation. Most companies have not been involved in defense actions since WWII. But the government is calling on U.S. businesses to set up systems that share information on security. You will be called upon to track and report activities so that data can be sifted and searched for clues to the if, when and how of possible attacks. At the least, such a system will require integration on an unparalleled level. This situation will be just one of the challenges material handlers face in efforts to install and ensure security. Here are other challenges:
• It won’t happen to me. This attitude may be the largest obstacle we face. A recent survey conducted by the National Association of Manufacturers, the Internet Security Alliance and RedSiren Technologies Inc. found that:
— 30 percent of respondents said their firms do not have adequate plans for dealing with information security and cyberterrorism issues. This number is down from 39 percent last year.
— 33 percent said securing information is not a visible priority at the executive or board level of their organizations.
— 39 percent said information security plans are not regularly communicated to or reviewed by top corporate executives. The good news is that more companies (88 percent) recognize that information security is an important issue and that it affects their survivability.
According to the ISAlliance, when the Computer Security Institute (CSI) and the FBI polled computer security practitioners in large corporations and U.S. government agencies, they found that 90 percent of respondents detected security breaches within the last 12 months. Eighty percent acknowledged financial losses due to these breaches. Worldwide, these losses amounted to billions of dollars associated with clean-up, loss of data liability, and loss of customer confidence. So much for the “it won’t happen to me” belief.
• CEO complacency. The above figures tell that management has not placed a high priority on security. The reasons vary, says a study on supply chains released by the Council of Logistics Management. Prepared by Omar Keith Helferich, Ph.D., and Robert L. Cook, Ph.D., the study lists these reasons: competing business issues, managers not recognizing their level of vulnerability, and assuming that the government will bail them out.
• Market measurements. Tied in with complacency is the fact that no one tackles tasks they aren’t measured on. The market does not reward spending on security. So it’s easy to install superficial safeguards. “But that accomplishes nothing other than providing ourselves with a false sense of security and the complacency that inevitably accompanies it,” said Brandman.
Another obstacle is that security is not a one-time activity. It’s a continuous, risk-management process. The best installations operate on one principle — the survival of information. It requires highly trained people. Management should not assign just anyone to the position and hope that he learns on the job. That leaves your company open and vulnerable. Security is an investment. Not hearing about any problems is a good sign, not a sign for executives to cut the budget.
• Poor planning. Most business plans for natural or man-made disasters are fragmented and reactive at best. The terrorist attack of 9/11 pointed out many weaknesses in business plans. Unfortunately, little headway has been made by the majority of companies to improve such plans.
There is also a strategic flaw regarding planning in many researchers,’ surveyors’ and managerial thinking. That flaw says that we need software-planning tools — of which there are few — to adequately and properly form plans. And, without those automation aids, we can’t do much of anything.
• Defining the threat. Another problem is: Whom should you defend against? The choice affects both the type of systems you install and the total costs.
Terrorists are still a rare threat. Cyberhooligans, on the other hand, are more common. Attacks from hooligans take the form of denial of service, defacement of Web sites, worms and viruses, data corruption and so on.
At the least, don’t make it easy for the hooligans. Even the most inexperienced hacker can get into your systems if you don’t configure your site properly and continually update software to plug loopholes. Hackers get in most often through known vulnerabilities that are two years old or older.
Some hacks are subtle. Perpetrators will alter data on a Web site and put the corrupted data in the original spot. Users of information on that site won’t be able to make good decisions. And you won’t detect this if you don’t update your systems frequently.
Internal security is perhaps more important than external. Your own employees can be a problem, either benignly or maliciously. The FBI and CSI report that more than 60 percent of attacks come from inside. Losses average $300,000 and have been as high as $1.5 million.
Malicious threats are one thing, but executives can do a lot to mitigate the benign problems. The key is training. Employees need to understand procedures, correct use of passwords, and the costs of not understanding what’s needed. “We make our employees sign an agreement upon hire, says Paul O’Connell, president, Operations Concepts Inc. “It says the employee will pay back the company whatever damages occur or they’ll be sued. This is a good way for small businesses to keep employees from doing their own thing when they get on the Internet. If they are on the Internet and allow a virus in, or open an e-mail that’s not good, then they pay the company back. This technique ensures that everyone realizes it’s up to him to play his part. It becomes an incentive for the company.”
• The Internet. Talk about a security nightmare. The Internet is inherently an insecure system. Every year, Internet and computer watchdog organizations (like the SANS Institute) come out with a list of vulnerabilities. Two main reasons account for Internet vulnerabilities: it was not built for business purposes and the overabundance of known errors and bugs in software programs.
It’s hard to remember, but back in the recent past, scientists and engineers built the Internet for their information-sharing needs. Security was not an issue then. Now that corporations have expropriated it for revenue-generating purposes, we expect this technology to deliver more. The minimal security efforts used when a company sent information to locations primarily within its walls are inadequate for the growing needs of sending information outside corporate networks. Meeting this new expectation will require continual effort, because the threats themselves continue to evolve.
A denial-of-service attack last October showed just how sophisticated hackers have become. It focused on the entire infrastructure of the Internet, not just on a few key servers or Web sites. Experts are warning that criminals and mischief-makers are targeting bigger game.
Another issue to consider with the Internet is the ready availability of free software that tells hackers how to break various encryption codes and trespass into various programs and hardware. Like finding instructions on how to build nuclear weapons, “how to hack” information is easy to find on the Internet. Some programs even take the drudge work out of hacking, by automatically unscrambling encryption keys. Such a program already exists for the Wired Equivalent Privacy (WEP) protocol, which forms the basic security layer of 802.11b used in wireless network systems. Further, hackers are now working on automating all types of Internet attacks.
Then there’s ignorance of the Internet. For example, it’s not a good idea to store, even temporarily, sensitive or proprietary information on a server connected to the Internet. Employees of Intentia International AB did that late last year and regretted it. They put financial data on their Web site that was due for release at a press conference later in the day. News reporters, preparing for the conference, took a guess at a URL, found the information, took advantage of their “scoop” and published the data before the news conference. Executives had to scramble to deal with this situation. For security, remember that anything placed on the Web, or even on a server, is accessible by hackers (or by the clever).
• Wireless networks. Of course, wireless networks are even more vulnerable to attack than the Internet. Anyone intent on getting access to a wireless network just needs $100 worth of Radio Shack equipment and a car. For several wireless networks, security features are optional. It’s literally up to you to turn them on.
“Wireless systems are opening a can of worms,” says Terry Tutt, TNT Logistics, N.A., a business unit of TPG N.V. “New security features in the later systems are coming out that prevent casual hacking. But the technology hasn’t matured yet. With wireless, you’re taking a risk.”
• Outsourcing security. The challenge here is to determine that your Internet Web server outsource partner is and remains vigilant about security. After all, your data are moving through its systems.
“A lot of companies leave it up to their server provider to provide security protection,” says O’Connell. “Server providers are only as good as the software that’s out there.”
• Complexity. The challenge here is that there’s no single solution to security needs. You will need different programs, hardware and systems for all forms of business information: e-mail, documents and Web content. Adding to the complexity is management’s tendency to disperse responsibility and authority for these tasks.
• Who pays? How do you handle the extra costs that may be involved with implementing stronger security measures? It depends. If you’re Con-Way Transportation, moving material across borders, you charge a Homeland Security surcharge. That’s one way to handle that problem, but it won’t work for everyone.
Some costs can be controlled by the amount of service you opt for. For example, if you outsource data backup, you’ll have choices. “From mirrored backup sites that can go online virtually immediately, to moving tapes and reloading systems, which can take 24 to 48 hours, the costs depend on the criticality of the data and the operations,” says Tutt. “Each level of urgency or service as you go up the ladder from 48 hours to almost immediately has an incremental cost. So you have to judge the business value of the system and the data.”
Finding the money will be a challenge.
Despite the challenges, there are steps managers should take. First, forget about finding the best practices for security. Tools and products are changing so fast, any best practice you find will be obsolete in a few months.
IT experts recommend regular security audits. And everyone stresses the need to keep up-to-date on virus and software patches. This is a huge job that is only getting bigger. But laziness is a sure invitation to attack.
“We send out alerts every week,” says O’Connell. “We update once a month — all new search engines and all new data files, both on the server and on every individual PC. We also clean the RAM, clean out the temp files and clean out the cache files. It’s the responsibility of everyone in the company.”
Look for software vendors to offer patch automation services soon. Subscribing to them will practically guarantee that upgrades and patches are made.
Here are other tips:
• A report from ARC Advisory Group advises having programs in place that stymie denial of service attacks. At the least, companies should use separate servers for supply chain tracking and Internet product and ordering functions.
• Firewalls are a given, but now they are just a first step. Today’s hackers bypass these defensive perimeter measures and are moving directly to Web applications. Have your IT team check Ports 80 and 443, which most companies leave open.
• Encrypt your e-mail. “One of the things we have found to be most effective,” continues O’Connell, “is to have one station that’s all inbound and all outbound e-mail.”
Also, install systems that let you uncover e-mails with damaging information being sent from your e-mail systems.
One suggestion is to archive e-mail. Don’t leave large amounts of e-mail on the server or on the receiving box. Back it up on CD. Some viruses have timers on them. They may deploy their destruction weeks or months after you open them. Backing e-mail onto CD may help avoid that problem. If you don’t need the e-mails after a year or so, destroy the CD.
• In case of a disaster, make sure you have secure communication channels between CEOs and management, and with employees, as well as with local and national government agencies including the FBI.
• If you use an Internet or Web service provider, make it prove that it has plenty of firewall protection and internal and external e-mail routing protection. A corollary: Check out whom else the provider has as a customer. “Some customers are notorious for letting bugs through, like telecommunications companies,” adds O’Connell.
• Don’t allow anyone to dial in to any of your servers. That day is gone. Use separate systems for e-commerce and employees. “You create a Web site and have people sign in and log onto that site,” advises O’Connell. “All transmissions that are going to come back to your server are checked through your portal.”
• Use authorization procedures. “Make sure that only the right people have access to the information, and to just the information that’s part of their job,” advises Tutt.
• Manual backup operations. “Do you have the capability to operate a system or procedure manually for a period of time?” asks Tutt. “If so, then that may be a sufficient and far less costly solution than designing a super-secure system.”
• Spread out your resources, both data and people.
• Plan for the impact of the outage, not a particular outage. This perspective will change your focus. What do you need to ensure you stay up and running in the event of an outage? The goal is continuous or continual operation. Security is a part of that goal. Building a structure to operate 24/7 is also an expensive project, but you get disaster recovery almost for free.
• Always, continually back up your data and have copies, which are stored off-site.
• Some software companies are offering cash back if they fail to deliver updates or patches on time. One such company is Trend Micro Inc. Other companies are demanding that software suppliers sign contracts promising to pay part of the damages if their products weren’t up to snuff.
Others are offering security technology to stop data stealing via the Web. Intel is looking into technology and is in the process of developing a product known as LaGrande. It should protect data typed into a keyboard, displayed on a monitor and stored in memory.
• Turn off and unplug equipment connected to networks that do not need to be on all the time. That’s the surest way of stopping intrusions.
The long haul Stronger firewalls, better password protection — these are just the beginning steps needed to boost security. They are surface-level steps. They provide a belief that we’re accomplishing something. But security will always be a moving target. Every successful defense will generate new strategies of attack. MHM
By the end of 2002, the Carnegie Mellon University CERT Coordination Center expects to report that there were more than 110,000 attacks to computers, networks and computer-based systems.
Nimda, the worm that spread so much damage through e-mail shortly after 9/11, is still attacking. More than 35,000 attacks related to this worm hit corporate networks every day. Nimda makes multiple levels of security a must because it creates holes at the administration level for hackers to use in future attacks.
Here’s what’s vulnerable: PCs, digital control systems, supervisory control and data acquisition (SCADA) systems, computers used in energy, chemical and other manufacturing industries, mainframes connected to the Internet and any computer with instant messaging.
Weak Links in the Supply Chain
According to a report from the Council of Logistics Management, supply chains are vulnerable to disruption. Part of the problem is a lack of robustness. A disruption in the operations of one supply-chain partner can affect an entire chain’s performance.
Problems across borders can affect a chain too, as well as disruptions in utilities and transportation flow.
Who’s Ready, Who’s Not
Despite the heads-up warning U.S. businesses received in 2001, many companies have done little to prepare for a next disaster. The Council of Logistics Management found that:
• Only about 61 percent of U.S. firms have disaster recovery plans. Most of these plans cover data centers. Only about 12 percent cover total organization recovery.
• Few plans include steps to keep a supply chain operational.
• Few companies have formed crisis management teams (about 28 percent), and even fewer have teams to address supply chain crises.
• Estimates indicate that 43 percent of businesses that suffer a major fire (or other major damage) never reopen for business after the event.
The $60 Billion Price Tag
That’s what it is costing U.S. companies to use software programs with bugs. This cost includes downtime, repair, upgrades and fixes. To reduce that cost, all companies need to do is demand a better, more stable platform than the PC and better software.
Why You Need To Secure Your Systems
• Executives have a fiduciary responsibility to investors to protect the business, its people, property and information.
• Executives are responsible for business recovery after a disaster.
• According to Gartner, 40 percent of companies that experience a disaster go out of business within five years.
• “Estimates of losses due to crime against U.S. businesses range from $100 billion to $350 billion a year. A large portion of these losses is experienced in the warehousing and distribution industry.” Barry Brandman from his report Security Best Practices, Protecting Your Distribution Center.
The real key to security is people. Technology can only do so much.
For better innovation, security needs to become cool and sexy. Then programmers and vendors will develop needed tools.
The Top Ten Security Practices
The Internet Security Alliance (ISAlliance) was created in April 2001 to provide a forum for information sharing and thought leadership on information security issues. It represents industry’s interest before legislators and regulators, and aims to identify and standardize best practices in Internet security and information survivability. The alliance is a collaborative effort among Carnegie Melon University’s Software Engineering Institute, its CERT Coordination Center, the Electronic Industries Alliance, a federation of trade associations; and private and public member corporations.
The Best Practices Working Group (BPWG) arm of this organization identified 10 of the highest priority and most frequently recommended security practices as a place to start for today’s operational systems.
1. General Management. Managers consider information security a normal part of their responsibility and the responsibility of every employee. They create, enforce, and regularly review security policy.
2. Policy. Managers develop, deploy, review and enforce security policies that satisfy business objectives.
3. Risk Management. Managers periodically conduct information security risk evaluations that identify critical information assets, threats to those assets, as well as asset vulnerabilities and risks.
4. Security Architecture and Design. Managers generate, implement and maintain an enterprise or site-wide security architecture that is based on satisfying business objectives and protecting the most critical information assets. Techniques often include use of a layered approach, diversity and redundancy solutions.
5. User Issues. Managers establish accountability for user actions, train for accountability and enforce it. They ensure that there is adequate in-house expertise or explicitly outsourced expertise for all supported technologies.
6. Systems Network Management. Managers establish a range of security controls to protect assets on systems and networks. They implement access controls at network, system, file and application levels as required. They use data encryption and virtual private network technologies as required, as well as perimeter and internal security applications (including firewalls) that implement security policy. Best practices companies use removable storage media for critical data so that it can be physically secured. And they deploy a system that erases all data from disks and memory prior to disposal.
For software integrity, systems are installed that regularly verify the integrity of installed software and regularly check for and eradicate all viruses, worms, Trojan horses, other malicious software and unauthorized software.
Best practices companies also provide procedures and mechanisms to ensure the secure configuration of all deployed assets throughout their life cycle of installation, operation, maintenance and retirement.
Managers also mandate a regular schedule of backups for software programs and data. Steps include validating software and data before and after backup. They also verify the ability to restore systems from backups.
7. Authentication & Authorization. Managers implement and maintain appropriate mechanisms for user authentication and authorization when users access the network from inside and outside the organization. For remote and third parties, systems are put in place to protect critical assets.
8. Monitor and Audit. Managers use appropriate monitoring, auditing and inspection facilities and assign responsibility for reporting, evaluating and responding to system and network events and conditions.
9. Physical Security. Procedures are put in place to control physical access to information assets and IT services and resources.
10. Continuity Planning and Disaster Recovery. Managers develop business continuity and disaster recovery plans for critical assets and ensure that they are periodically tested and found effective.
The Main Trouble Spots on the Internet
As of October 2002, if your company uses any of the following programs, your systems are vulnerable to attack. These programs usually have programming errors that, if left unfixed, hackers and saboteurs exploit when they wish to cause havoc on the Internet.
For Windows systems:
Internet Information Services (IIS)
Microsoft Data Access Components
Microsoft SQL Server
LAN Manager Authentication
General Windows Authentication
Remote Registry Access
Windows scripting host.
For Unix Systems:
Remote Procedure Calls
Apache Web Server
Simple Network Management Protocol
File Transfer Protocol
Line Printer Daemon
General Unix Authentication
For detailed descriptions of the problems and solutions, go to the Web site: www.sans.org/top20/#index.
Tips on Securing Your Systems
• Plan for the effect of the outage, not the particular outage.
• Back up your data.
• Spread out your resources, including backup data and people.
• Set up a communication system that can reach employees and executives in any emergency.
For more information ...
... on the material discussed in this article, use the following contacts:
Authentica Inc., authentica.com
Con-Way Transportation, con-way.com
Council of Logistics Management, clm1.org
Ensure Technologies, ensuretech.com
Internet Security Alliance, eia.org
National Association of Manufacturers, nam.org
Operations Concepts Inc., operationsconcepts.com
RedSiren Technologies Inc., redsiren.com
TNT Logistics, N.A., a business unit of TPG N.V., tntlogistics.com