Our interconnectedness is a problem when all redundancy has been wrung out of the system. See this story that highlights a number of issues being faced right now by the supply chain:
“How a truck driver shortage in Europe could hit your wallet in the US”
Then, not in the above story is this summary of what is happening to paying truck drivers in Britain, as well as some commentary on how real-world issues can be exacerbated by cyber attacks with a minimum of effort (the below was shared by Jeff Steuart):
“In response to Sky News reports that Fuel lorry drivers are left unpaid after cyber attack hitting Giant Pay. The current national gas shortage has been driven in large part by recent tax rule changes that have forced many drivers to either turn to other lines of work or enroll in payment platforms such as UK contractor GiantPay. An attack on GiantPay has disrupted these payroll disbursements, further increasing pressure on drivers. Giant Pay officials confirmed that past-due payments remained outstanding and said: ‘We appreciate that not everyone would have received their expected payment and for that we are sincerely sorry. We are aiming to be able to process your payroll and pay you by Friday.’ In response, experts with Gurucul, SecurityGate and YouAttest offer comment.
“Saryu Nayyar, CEO, Gurucul (she/her):
“‘Pay me or trade me’ has taken on an entirely new meaning for gasoline truck drivers in Britain, who had to switch to a payment system such as Giant Pay for their income as supply chain shortages disrupt gasoline supplies. Payment processor Giant Pay has been attacked by hackers, and all payments to drivers have been blocked.
“‘It’s not clear what the hackers’ motivation for this attack is, but it is worsening the shortages by making it impossible for drivers to continue delivering gasoline. While Giant Pay has promised payment by the end of the week, it’s not clear that they can deliver on that promise. Combined with the existing shortages, it’s clear that Britain may be facing extreme short term gas shortages thanks to this hack. While the exact nature of the attack isn’t clear, attackers have demonstrated the ability to disrupt critical sections of the supply chain through companies that have not adequately protected themselves.’
“Bill Lawrence, CISO, SecurityGate:
“‘This is an excellent example of cascading societal events made worse through a cyber-attack which carries into the physical world. Tax changes in the UK made many contractors shift to become employees of ‘umbrella’ payment companies, like Giant Group Ltd., which was reportedly hit by a ransomware attack on September 24 that took down the payment systems for the contractors as well as email and phones at the company. The groups of contractors who aren’t getting paid include heavy goods vehicle drivers that in turn don’t deliver food to restaurants and – even more directly impactful to the general population – fuel to the gas stations, resulting in long lines and runs on the fuel supply, despite attempted reassurances there was plenty in storage elsewhere.
“‘Not saying it happened here, but it is almost certain that advanced persistent threat actors are studying the real-world effects that ‘routine’ ransomware attacks like this might have so they can avoid the scrutiny that would come from direct cyber-attacks on critical infrastructure yet get similar results. Reportedly, malware attacks on electric utilities tick upwards during large storms, so expect bad actors to take advantage of whatever else is going on in the world. Organizations that implement thorough risk assessments and regular business continuity exercises can help stave off real world impacts.’
“Garret Grajek, CEO, YouAttest:
“‘The American Colonial Pipeline showed the world how economies are vulnerable to attack in any aspect of the infrastructure supply chain. Attacking the pay of lorry drivers is another way to shut down the system and extort payment. The principles of cyber best practice and identity security need to be implemented in all aspects of the supply chain. The American impetus of cyber security for DOD providers, the Cybersecurity Maturity Model Certification (CMMC), may just be the model for all infrastructure and critical component suppliers for western nations.’”
