Andrea Goretzki: Hello. Welcome to a new episode of Logistics People Talk, the official Rhenus podcast for everyone who also thinks that logistics is the most exciting of all industries. A warm welcome from your hosts:
Gwen Dünner: Gwen Dünner
Andrea Goretzki: and Andrea Goretzki.
Gwen Dünner: Deutsche Leasing, the Bilstein Group, Hamburg Airport and Rheinmetall. Among numerous others, these companies have been victims of cyberattacks in 2023. These attacks are taking place across all industries and have been increasing steadily, especially since the outbreak of the Ukraine war. The consequences of the attacks are often severe. Various services are unavailable, there is a threat of production downtime or sensitive data is stolen. These disruptions, in turn, lead to lost sales, high costs for data recovery and damage to the company’s reputation. Companies must therefore prepare themselves accordingly. Today, our guest Stefan Klopocki, Division Manager for Information Security and Quality Management at Rhenus Corporate IT, tells us what options are available and what companies, especially in the logistics sector, can do to protect themselves against attacks. Welcome, Stefan, to Logistics People Talk. It’s good to have you here.
Stefan Klopocki: Yes, thank you. I’m glad to be with you.
Andrea Goretzki: Nice that you are here, Stefan. We want to dive straight in. The media are currently full of reports on topics such as IT security, ransomware attacks and cyberwarfare. Can you give us an overview of the current threat scenarios and how they have developed in the recent past, also in view of the war in Ukraine?
Stefan Klopocki: Yes, of course. In general, it can be said that the cybersecurity situation has continuously worsened over the last few years. This means that more and more attacks from a wide variety of sources have been raining down on companies. The Ukraine war has contributed to this insofar as various actors are of course acting in this war. Russian, state-organised groups are primarily attacking Ukrainian organisations and, conversely, Ukrainian IT security specialists are trying to damage the infrastructure in Russia. In general, one can distinguish between various groups of actors. There are traditional cybercriminals, whose objective is extortion and money-making. There are so-called hacktivists, who attack companies or even governments according to special motives that do not match their political ideology or agenda. Of course, there are also state actors; these are an interesting topic especially in state conflicts. The objective of state actors is usually to acquire information by spying or to attack systems and put them out of action or delete them. This is not about the scenarios of blackmail and money-making, but quite clearly about gaining the upper hand and thereby gaining an advantage, as is always the case in armed conflicts. You can generally say that our industry, the logistics industry, is not targeted more or is not more specifically targeted than other industries are. We are often hit by traditional attacks, especially by cybercriminals. Targeted attacks occur particularly wherever you maintain important logistics chains. These so-called supply chain attacks are attempts to disrupt supply chains in a strategic way. This is actually the only area in which transport logistics are also massively in the sights. Otherwise, targets are more likely to be companies, think tanks, government agencies and any other kind of commercially successful business, from which ransoms can be extorted. 
But traditionally, if it’s not a matter of ransomware, the real target is in the direction of state organisations, information extraction and data leakage. Because even conventional espionage is realised via IT these days.
Gwen Dünner: So that means that not only the frequency of the attacks has changed, but ultimately also what the attackers want to achieve?
Stefan Klopocki: In principle, you can say that the traditional targets of attacks in the past were mainly blackmail and the collection of ransoms. The attack methods were simpler, in part very generic and not highly complex. This has changed massively in recent years because, like the rest of the IT landscape, the opportunities attackers have are also becoming much better. This means that attacks are technically highly complex and very well made. This means that they can hardly be distinguished from traditional, legitimate communication. You can say, for example, that in the past there were a lot of spelling mistakes in phishing emails. Nowadays, this is no longer the case thanks to modern translation programmes and spell-checkers, which of course these attackers also use. This means that they are usually flawlessly written in the language of a given country and are difficult for the end user to recognise. Plus, when the attackers have carried out a successful attack, they naturally look around. This means they use the login information on the systems they have successfully attacked, and read information from programmes and from emails. They even reply to the original email communication from the recipient’s mailbox, thereby generating a certain legitimacy. Thus, the victim on the other side thinks that it is a legitimate email because it relates to a topic from some former communication; consequently, the victim is more willing to open attachments or click on classic links. What might also be said on this topic is that we are a far cry from such mere blackmail and encryption, which is basically simple. The typical approach was for the attacker to enter the network, encrypt data and then demand money for decrypting the data. Nowadays, due to fast internet connections, the attacker usually also exfiltrates data. This means that they upload data to the cloud because most companies now have a very good backup system. 
This means that encrypted data is no longer so interesting because it can be restored from the backup. But exfiltrated data can of course be published. Data that contains special, confidential information is particularly interesting here. This means that when they are on the net, they don’t look for just any information and take just any Word document, but instead look for information from HR, Finance, Sales and possibly Mergers & Acquisitions. It is particularly interesting for them to obtain confidential information of the company or production sketches and schematics of the manufacturing division. In the mobile phone sector, for example, it is very popular to blackmail not only the company holding the data, but possibly also the client. These are the various attack methods that occur. This means that you, as a company, pay for the deletion of the exfiltrated data. But the attackers also try to blackmail the clients of that company who have stored their data there, just like clients have done at our company, for example, by saying: ‘We have gained access to your data at company XY. Please pay up or we will publish it.’ Or in some cases, they enter into even more scenarios where they say that they are also trying to put the companies out of action by means of high network loads; which means that even when such an attack has been successful, they have further demands or apply further repression, comparatively, in order to simply force them to pay the extortion money more quickly.
Gwen Dünner: Andrea, how nervous have you already got?
Andrea Goretzki: Quite nervous. That really sounds like a very broad spectrum of scenarios that you have to prepare for in IT security so that you can react to them in the interest of the company. But how is it, Stefan? Do all these things truly apply to private individuals as well? Because all of us who have to do with IT in some form in the company or use the programmes are also online as private individuals. Are these things that can be applied equally in both cases? I’m asking for a friend.
Stefan Klopocki: Yes. In general, one can really say that a whole part applies to both. For private individuals, there are of course similar attack scenarios. There are the classic phishing emails or the grandchild trick that everyone knows, with WhatsApp messages like: ‘Mum, I have a new mobile phone.’ That’s the standard message that is sent. This means that, in the private sector too, attempts are being made to make profits using the same methods because that’s what cybercriminals are all about. They want to make money with it. Because there is no big money to be made in the private sector, it’s necessary to target the masses. Here we are talking about a ‘few’ euro, in inverted commas, that can be extorted from people. Whereas with companies, you very quickly end up with extortion demands in the hundreds of thousands and millions. That’s why companies in particular are naturally interesting for attackers. When it comes to hackers, we are no longer talking about some classic IT nerd sitting in a basement somewhere, attacking companies as an individual. These are highly professionally organised companies that also act like companies. They have an HR department and source their employees, just like we do, through job advertisements, even in the respective countries. Because there are definitely countries where this is not prosecuted. They also have team structures with team leadership and a support structure. This also means that for every attack, there is a support hotline or a support address that you can contact, where you can really get help. Because the attacker’s goal is, of course, not to end up in the press with statements like: ‘We paid, but we didn’t get the data back.’ Instead, they put a lot of effort into returning the data afterwards or having it deleted. Otherwise, of course, it is not very lucrative for their business if it becomes clear that group XY will publish the data even though the money was paid. So it can be applied equally in both cases. 
What also often happens is that the attackers do not distinguish between private individuals and professionals. This means that when they realise that employee John Doe exists and that he has high-level IT access rights in the company, they also look for private contact opportunities. This is why some attacks in the past have compromised private systems and, in part, extracted professional information from private systems. In some cases, the same passwords are used in the private sphere as in the professional sphere. That is also very nice for the attacker to be able to simply continue using it. In principle, these are the things where you can say that this classic boundary between private and purely business is becoming blurred. Therefore, everything you learn in the context of security awareness can usually be applied in equal measure to the private sphere.
Andrea Goretzki: Yes.
Gwen Dünner: We’re already talking about the security training. I still have to do that too.
Andrea Goretzki: These are relatively new structures, or it’s relatively new that the attackers have become so professional in this regard. In your view, Stefan, is that also the reason why they are so dangerous? Or is there something else besides that?
Stefan Klopocki: Definitely. You can say that the attacks are also keeping up with the current state of technology. It’s like conventional crime, it’s also developing, an entirely normal sector. Especially when you go into the area of government actors, they are usually even ahead of the normal technology when it comes to accessing information through espionage. But conventional attackers also use modern technologies. This means that a very big current trend is the use of generative artificial intelligence, for example, to generate certain information. You can have malicious code generated by generative AI if you’re clever, even though these systems don’t actually allow that very easily. But you can also have it write emails for you. For example, I can say, ‘As a local bank, write an email to my customer to verify his account information.’ Then this AI, similar to how it can generate normal text, writes text that can be used very nicely to do phishing, for example. Attackers also use this to quickly optimise their attacks and quickly switch attack scenarios. Because once they have carried out the same attack for a certain amount of time, it becomes recognised and prevented by protective systems. But usually when a completely new attack method comes on the scene or a new vulnerability is announced, the first attacks can be carried out successfully for a certain period of time. What comes next is a race. Because as soon as the information is released to the public, the race is on. Can the company update the system faster or is the attacker faster in exploiting the vulnerability? As a rule, as soon as a vulnerability is made public, the scans on the internet begin a short time later, looking for this vulnerability and seeking to exploit it.
Gwen Dünner: Okay, now this is creeping me out too. Although people already know this. But when you think about all the places you divulge your data.
Andrea Goretzki: Yes, you always repress this a bit.
Gwen Dünner: Yes.
Andrea Goretzki: That’s the way it is.
Gwen Dünner: You know, especially because you don’t use it online.
Andrea Goretzki: Not at all, you can’t say that now. I think that’s a rumour.
Gwen Dünner: So wherever you have to.
Andrea Goretzki: But I am cautious, for precisely the reasons I mentioned, and because I’ve already talked to Stefan about the topic several times.
Gwen Dünner: But let’s get back to the Rhenus Group. Now, we aren’t completely helpless in the face of these threats from the internet. What is Rhenus doing in real terms to protect itself from these attacks? Have we ever been targeted by these attackers? That’s a trick question because I know that it has happened in the past.
Stefan Klopocki: Yes, I believe that every company is in the sights of the attackers. I have already said that lucrative companies are particularly interesting to attackers because there is the prospect of obtaining corresponding ransoms. We, at Rhenus, have recognised the risk for some years now and have focused on it. We have really been focusing on it massively since 2018. Before that, we worked with resources in a definitely distributed way. Starting in 2018, we said that we wanted to build up centralised resources. Or we implemented various measures of a technical and organisational nature to try to ward off the attacks. Technically, these are mostly multilevel security systems that analyse emails, analyse links in emails to see whether a potentially dangerous system is being called up when they are clicked, and block it if necessary. These are the usual measures that every company has implemented in some form or another, but which always lag somewhat behind current trends. This means that there is a certain time delay. This normally means that the new attacks usually get through in the first few hours. That is also the next track. Organisationally, there is a very important sub-area that is often forgotten. From a purely technical point of view, you can certainly avoid some of the attacks, especially if they are known. Organisationally, you get better support afterwards, and that is through the end user who is activated. That is actually a main aspect, creating awareness here and sensitising people there. Because the attacks don’t have to be carried out in the conventional way, i.e. only via IT. Attacks can also be carried out via the telephone when messages are accessed. We even had paper documents that were manipulated. Invoices that appeared to be legitimate to trigger cash payments and transfers. So it doesn’t always have to be purely IT-based.
Conventional attacks that take place outside of IT, however, are very difficult to prevent by means of technical measures. That’s why we regularly carry out awareness training with our employees. So that they can, we hope, recognise and report harmful emails, enabling us to analyse them, block them and initiate countermeasures. These are actually the main aspects that we are trying to implement there. In addition, at Rhenus, we have started to set up a company-wide information security management system, which is a standard term in this area, so that we have a company-wide organisational structure we can communicate with in emergencies and have contact persons. For example, if something happens at our site in the US, we know who we can contact and who we can take action with there. This organisation also meets regularly and discusses the new guidelines we issue in the company. For example, how should a server be configured securely and what should be considered? Because without guidelines, of course, everyone will just say: ‘Well this is how I do it.’ That’s why this committee exists, to really have these objectively formulated guidelines. This way, everyone knows: ‘I have to configure this and that on my system in order for things to be up to date and secure.’
Andrea Goretzki: Another question just popped into my head. We are really globally active and represented worldwide. Have you noticed that attacks are more frequent in certain regions and at certain times? Or is it really the case that they are evenly distributed in terms of time?
Stefan Klopocki: In general, you can say that it is distributed. Of course, there are also focal points for some attack campaigns, where it is said that Germany in particular is being focused on with a special scam. But, actually, we always have similar attack patterns worldwide, which proceed via phishing emails and target specific positions, for example. We once had a scenario where five higher positions in the finance unit were specifically targeted. But only these five people and their email addresses. With the typical note: ‘Are you available for a confidential transaction?’ That’s always the classic introduction that an attacker uses to find out if the victim will respond. So it can happen. As a rule, we are currently talking about between 3 and 400 attacks per month that we see on the end device alone and detect with our security measures. However, this does not include all attacks on our external infrastructure because then this would be significantly more. Because scans for security vulnerabilities happen in principle again and again, within seconds. We have also run through it once. If, for example, you put a system on the internet and you enable remote logon, within a few minutes, you’ll see that there are massive attempts to log on and get into these systems using guessed passwords.
Andrea Goretzki: That really is a lot. Can you confirm from your experience that our numbers mirror the numbers that we are currently reading in the media? Are we affected similarly in the accumulation of queries over the last months and years?
Stefan Klopocki: Yes, definitely. I think it’s true that some sectors or state authorities are even more in the spotlight. But the general trend is also clearly visible here in our company. We are definitely seeing more attacks, more professional attacks and more modern factors. We have introduced multifactor authentication across the board so that not only the loss of user name and password is sufficient. Because it happens again and again that a user does not recognise some phishing email and enters their user name and password somewhere. That’s why we have other security levels with an additional factor to secure the whole thing. You can also see that these are trends that are happening at a higher level and that the attackers are now naturally trying to undermine this second security level in order to continue to obtain information. This race is always clearly evident. A new security barrier is implemented or new attacks occur. It’s the chicken-and-egg principle. Which comes first? The other side then reacts and naturally tries to take countermeasures or take measures to undermine these security systems.
Andrea Goretzki: With this rapid development, Stefan, how do you see the future? Is it going to get worse and worse now?
Stefan Klopocki: Since it is still an extremely lucrative market, the development will therefore continue. You have to be aware that hackers or companies that hack make really big money off of it and are expanding massively. It’s similar to the question regarding conventional crime. Will conventional crime ever disappear? As long as people make money off of it, and make good money at that, I don’t think it will change massively. Most importantly, you still have a very low inhibition threshold in this case. You can carry out these attacks from any country in the world and you don’t have to be close by. With conventional theft, I usually have to be close to my victim. Or if I want to rob a financial institution, I usually have to first get into that financial institution. But in the case of a cyberattack, I can do it from anywhere in the world, and have a relatively small one-time investment, I would say. I need a bit of IT equipment and know-how, but I can also purchase this. In this case as well, there are models for purchasing malware. There are also providers who officially distribute it in a franchise system and then get shares of the successfully extorted ransoms. So it is a completely separate branch of business. So I don’t see it coming to a halt in any way. What partly contributes to bringing it to a halt somewhat are legal attempts to stop or regulate some aspects. In the USA, for example, there are initiatives to criminalise the payment of ransoms, i.e. extortion money, in the hope that companies will not pay. These initiatives are an attempt to regulate this. We’ll have to see how successful they are. Because, during a cyberattack, when work is not possible, it is of course in the interest of the company in question to be able to return to normal working operations as quickly as possible, even if this costs money and needs to be paid for.
Gwen Dünner: Incredible. So it’s the same development as with all those illegal streaming services in the past, and you ultimately also prosecute users in order to pull the rug out from under these platforms.
Stefan Klopocki: Yes, it’s comparable in principle. There are of course lots of similar issues there too. Netflix always takes action when it comes to the multiple use of accounts.
Gwen Dünner: Yes.
Stefan Klopocki: Of course, these are similar issues where one tries to create regulations or to prevent them by technical means. But it’s very difficult. Especially when you consider that there is not only cybercrime, but also information gathering. Of course, there is still traditional espionage. But a lot of espionage now takes place via IT. This means that people are attacked, malware is installed on their phones in the background in order to access information from politicians, from people who are active in research. People who are of course the special interest of mostly government groups, in order to gain information about what a state is currently planning, what a company is currently planning, or perhaps even to gain access to the patents of companies.
Gwen Dünner: That’s not a very rosy outlook when you think about it. That’s definitely not how we want to end this podcast. Fortunately, companies are not alone in this fight against cyberattacks. Reinforcement is also coming from the European Union, for example, which is reacting to the sharp increase in attacks that threaten institutions or organisations which are of particular social relevance. The NIS-2 directive, which went into effect at the beginning of the year, stipulates that companies in sectors such as health, the provision of energy and water, information technology and telecommunications, in addition to the transportation of people and things, must ensure implementation of certain cybersecurity obligations. What are these and are we already on track?
Stefan Klopocki: Yes, of course there are various state initiatives. This is one of the latest initiatives, based on the European Union. There, a directive was issued on the subject of how to strengthen the topic of cybersecurity or how to bring a uniform level to the topic of cybersecurity. The whole thing still has to be implemented into national law, which is often the case with EU regulations in general. This means that, by October 2024, each country must transpose it into national law. In Germany, there are now initial draft bills on the subject, which were published in April. This is a 240-page document that the German Federal Government is planning here. Which laws does it want to change and what does it want to update? Because Germany already had laws on the subject of information security in the past. For example, there is a German Federal Office for Information Security (BSI) law. As a result of this NIS-2 initiative, amendments will be made to this law. The general idea is to classify enterprises. It is said that there are critical enterprises, particularly important enterprises and important enterprises. So there are different scales of magnitude. But this therefore also means that almost every enterprise will probably fall into one of these categories. Unless we are talking about very small companies with a handful of employees, which this might not apply to. But all larger enterprises, including those in the transport sector, will fall into a category and will then have to deal with measures that are required as per this document. It is mainly about the issue of risk assessment and taking measures to counter risks. There are ten categories mentioned specifically. For example, having a concept for risk analysis, having a defined procedure for security incidents and having clear ideas on how to maintain your operations. How do I make backups? As well as how do I secure my supply chain? 
These conventional supply chain attacks are not necessarily aimed at me as a person, but in part also at products I use and also at procurement processes as such. This means that even in the case of procuring some random software, I have to consider how the issue of security looks early on. Has this software provider implemented the appropriate security in its products? How does it react to vulnerabilities? How quickly does it fix vulnerabilities? It’s also an issue that when it gets a vulnerability, it doesn’t say, ‘Yes well, I have that now and in a few months I’ll update my software.’ These are requirements. There is also a requirement in connection with staff training. One very clear requirement mentioned there is that there must be awareness measures and training in the area of cybersecurity. Then, of course, there are classic topics such as cryptography and encryption, which have been in the spotlight for years, and additional protection via multifactor. I think, in summary, we can say that we have ISO 27001 certification. This has been a certification for information security since 2011. This means that since then we have also dealt with the security issues, which are often classic issues that are also required for certification. This means that we are already very well underway in many areas and have implemented measures and also complied with the new law, I believe. Now, when it is passed in detail, we will have to see where we might still have to make adjustments. That will certainly be a challenge. There are shorter reporting deadlines, which means that security incidents have to be reported within 24 hours of their occurrence. That is definitely a challenge in some situations. The changes are supposed to go into effect at the beginning of October 2024. Then we will have to see what is stated in the details of the law or the amendment, which category we fall into as Rhenus and which additional measures we might have to take.
Andrea Goretzki: It sounds reassuring that we are on the right track, but also that the whole thing is put on appropriate legal grounds. If everyone simply implements these measures across the board and everything is set up accordingly, then it will probably also be more difficult for attackers to find appropriate openings. That is at least to be hoped for. Stefan, in your job, you are always occupied with how dangerous it can be to be on the net. May I ask you a personal question?
Stefan Klopocki: Yes, of course.
Andrea Goretzki: In view of all these dangers, are you ever online in your private life? Or have you become more of a digital abstainer as a result?
Stefan Klopocki: Privately, I use a lot of online services. I think there’s no getting around it these days. To say I live completely offline is unrealistic. Here, again, the comparison to companies applies: the idea that the company is a non-connected system will not work in actual practice. I see it the same way in private everyday life. This means, of course, that people use streaming services, online banking and shopping platforms. I think it is also important to be aware of what I use and what I don’t use for companies. On some funny-looking websites, I might not necessarily enter my credit card information, but I do look at who I give my data to, where I store my data and what information I also share in the media. Because, of course, that kind of thing can also be used against you. Do I share dates of birth, names of pets and family members? That may also help the attacker to guess passwords because many people tend to build passwords from such things. But these are things that I keep in the back of my mind. But I use everything online in the normal way, just like everyone else. I think it’s important not to be too paranoid, especially in this area. Yes, there may be a risk anywhere, any time. In any device, I can assume that someone has manipulated or installed something. But if I were to go through everyday life like that, I don’t think I would really enjoy it any more. I don’t think it’s necessarily that realistic to say that there’s something suspicious everywhere. So I think we can look positively to the future. I can only encourage everyone and say that, with the right awareness, you can use everything that is there.
Gwen Dünner: Thank God, we managed to make a positive turn in the end after all. I was thinking, ‘Oh, no.’ But it’s true, just keep your eyes open on the net, I think that’s always the best motto, or anywhere for that matter. Then things don’t look so bleak, and you can perhaps continue to be active and navigate your way online.
Andrea Goretzki: I’ll definitely act on Stefan’s tip: ‘Be alert, not paranoid.’
Gwen Dünner: Exactly, Andrea. Dear Stefan, thank you so much for being at Logistics People Talk today. It really was very informative and I think, not only in terms of logistics, but also for every listener, a very exciting talk. Thank you again for that.
Stefan Klopocki: Yes, thank you very much for the chance to present my topics here. Because I think it is of course an important and major topic. That’s why I’m pleased. I’d be happy to do it again.
Gwen Dünner: Security check passed, Andrea.
Andrea Goretzki: Yes, exactly. Thank you very much from my side as well. We would also like to thank our listeners, and we say: ‘Keep vigilant, not only on the net.’ As always, please rate, share and comment on Logistics People Talk on Spotify, Google and Apple Podcasts as well as on our expert blog Logistics People Community. We hope you will join us again next time. All the best from
Gwen Dünner: Gwen Dünner
Andrea Goretzki: and Andrea Goretzki.