Blast Back at Your Bugs

Feb. 1, 2004
When it comes to security, it's not terrorism that's the big threat. It's bugs, such as the Blaster worm. In 2004, the three most critical steps to protect your systems are patch, patch and patch.

The Blaster virus was the bug that roared. It helped businesses lose millions of dollars in sales because customers could not access the Internet. The one good thing Blaster did was dramatically display the need for secure computer systems and processes. Executives' awareness of the importance of security had been growing; Blaster just put an exclamation point on the issue. "Whatever the cost of implementing security," says Gary Cash, vice president of Controls Engineering, FKI Logistex Automation Division, "it's better than having a bug like Blaster take down your network."

"Security has become a core asset value of modern business," says Scott Palmquist, vice president, CipherOptics. "Businesses have always had security, but it was on paper. Now, we're in the electronic business, and security procedures need to catch up to the fact that businesses are increasingly electronic."

Shortly after Blaster, government officials began calling for regulations that would force businesses to prove that they were taking appropriate steps to ensure the security of their processes and systems. Even the SEC was approached. There are currently no official reporting requirements. "However, stockholders may look favorably on the idea," says Palmquist.

Other regulations are highlighting the need for security. "A lot of the security programs we see are being driven by changes in regulations and initiatives from the U.S.," says Earl Agron, director of port and container security, APL Logistics.

Mark Johnson, vice president of marketing, G-Log, concurs. "Regulations are one of the three trends we see affecting our customers regarding security — from government edicts to manuals such as the Orange Book, right down to esoteric locally-defined rules."

"The other trends," Johnson continues, "are globalization, where businesses are required to transport more material over greater distances using more service providers and more modes of transportation, complicating the supply chain; and public opinion, where the pressure for political and environmental control covers an ever-widening range of materials. Ever since regulations began, the underlying philosophy has been to focus on the preparation, packaging, documentation, labeling, handling, stowage, etc. of freight in an optimal way with the least possible risk."

Security is a moving target

There are many steps you can take to establish security in your supply chain processes. However, once done, you're not finished. "Just as you shore up your processes, you have to go through them again, and fine-tune them," says Cash, "because hackers and other 'unfriendlies' continually work to break the barriers you've installed."

"We're seeing an increase in a new position at companies: the security manager," adds Brian Hysell, supervisor of upgrades and modifications, FKI Logistex Automation Division. The security manager is responsible for tracking regulations and requirements issued by various governmental agencies, the latest trends in security management, and supervising the security of all online and data systems. "Material handling managers should work with this person," says Hysell. "Just tell him what you need and he will take care of the 'how' of security implementation."

But you should still be aware of the most likely vulnerabilities of any system.

Windows wide open

One of the major vulnerable areas is any control, computer or system that uses Microsoft software. The virus writers seem to take particular delight in attacking Microsoft products.

To reduce your risk, advises Cash, use programmable controllers or PCs with a special operating system known as QNX. QNX is a real-time operating system that's been around for almost 20 years. It was originally designed as a common operating system for programmable controllers, until Windows came along.

And if your warehouse management system runs on Unix, you're at less risk for viruses or other hacker-inspired mischief.

Untethered and not secure

If you are using wireless technology anywhere in your supply chain system, then you are at risk for security breaches. "It could be a cell phone that one of the supply chain partners is using to connect into the system," says Palmquist. "The boundary is no longer a fixed wall. It's very flexible and movable, so now you have to defend against a moving target. The only way is to have a layered defense strategy where you create 'zones' and apply security to those zones."

"We see a lot of information services groups pulling their hair out," adds Cash, "because wireless creates so many security issues. We usually recommend that our controls are on one network and all wireless access points be on another network. The problem comes in when wireless devices must access data from the control networks. We need to have wireless devices that somehow jump over to the other network, but do so while maintaining security."

Other tips include enabling all security features of the systems you buy. Embedded security features are off unless you turn them on. And don't necessarily use default settings. The systems come with options; use them. Experts will tell you to encrypt all transmissions that could pose a risk to your company if they were breached. Use intrusion detection systems and limit who can access your virtual private network.

One of the biggest dangers experts mention for wireless is rogue access points. These points are typically set up by your employees, who are unaware of the risks to which they expose the corporate system.

Says Palmquist, "Apply the security that's appropriate. The actual information technology portion is maybe 20 percent of the problem; 80 percent is the process or procedures you're going to use."

In the box

Along with securing data and networks, the actual material being moved needs new security procedures and methods. "People are very concerned about container security, seal security," says Chris Corrado, vice president, customer service, APL Logistics. "They are continually exploring opportunities for a really secure container. Customs officials announced that they are working towards a smart container, although no one has developed a container security measure that everyone accepts."

Customs' automated targeting system analyzes manifest data to identify risky containers. "As a byproduct of the 24-hour rules they've implemented," adds Agron, "we have better information earlier in the process so it makes carriers more efficient in terms of planning. We can plan the stowage, reduce the amount of re-handles and plan which containers need to get off first. Finding a place for last-minute containers is a thing of the past. And because we can design a better stowage configuration, our procedures are now more economical and efficient, which translates into savings."

Ideally, Customs would like a sensor that can be put into a container that simply indicates whether the container has been breached after it's been sealed. Many vendors have presented complex solutions that are also costly. For now, manufacturers are still using bolt seals. Most importers are requiring high-security bolt seals.

"However," adds Agron, "vulnerabilities are more efficiently sensed landside versus inside a container. Another concern is retrofits. If you have to retrofit every legacy container on the planet with sensors, the cost and time would be mind-boggling."

As far as tracking containers along their route, GPS may not be the best answer. According to Agron, commercial GPS signals are easy to counterfeit, so fake signals can be fed into the system. "You are also creating a mountain of information, which leads to the questions of how do you manage that data and follow the containers. It, too, boggles the mind."

While Customs is looking at issues inside the container, and tracking it once loaded and before landing, a critical vulnerable time is when the container leaves the factory on its way to the dock. That's a portion of the supply chain that may need security procedures, especially in foreign countries.

In the end, adds Palmquist, "security is all about risk mitigation. You will never be 100 percent secure. But at some point in time, you are good enough."

Three Faulty Assumptions in Network Security

Faulty assumption #1: Leased lines are safe and only you have access to them. Leased lines, even leased fiber-optic lines, are susceptible to data interception. Covert means exist that allow intruders to tap into optical cable without detection.

Faulty assumption #2: Virtual private networks (VPNs) are secure. The term VPN has taken on many meanings, but a "private" network does not guarantee security. A network is truly private only if unauthorized users are not able to interpret your data. While some vendors tout VLAN and MPLS-VPNs as private networking technologies, they are only useful for their network management capabilities. They do nothing to protect data from unauthorized viewing or manipulation.

Faulty assumption #3: A firewall is all the protection you need. Firewalls, as a first line of defense, help prevent attacks from hackers. But firewalls do nothing to protect data once it leaves the enterprise. As soon as data passes a firewall on the way to a customer, supplier or other trusted site, it's on its own — unprotected and unsecured.

The simple answer to these misconceptions is to encrypt everything. CipherOptics offers Security Gateway, a full-duplex gigabit Ethernet network encryption appliance that supports the major encryption protocols at full-duplex gigabit speed. Plug in the Security Gateway, set up your encryption policy with its browser-based control system, and you're ready to encrypt your network traffic in as few as 30 minutes. This system is transparent to your present infrastructure and is compatible with all existing IP networks.

New solutions

The Nexus system, developed jointly by the U.S. and Canada to expedite border crossings by low-risk travelers, relies on a backbone of Intermec Intellitag radio frequency identification (RFID). It allows pre-screened travelers to use special border-crossing lanes. Participants sign up for the program at enrollment centers set up at major border crossings. Successful applicants receive an identification card that is embedded with a computer chip and a tiny RFID antenna. The card allows access to the special lanes. The participant holds up the card to an RFID reader positioned in front of the inspection booth. The reader flashes the participant's photo and information onto a computer screen inside the booth. The inspector verifies that the photo on the screen matches the vehicle occupant and, if all checks out, authorizes the car to proceed. A typical Nexus inspection takes less than 5 seconds to complete, speeding clearance time.

For more information:

FKI Logistex: www.fkilogistex.com

CipherOptics: www.cipheroptics.com

APL Logistics: www.apllogistics.com

G-Log: www.glog.com

Intermec: www.intermec.com