What If a Cyber Attack Takes Down Your Software-as-a-Service TMS?

In my predictions for 2012, I wondered aloud if this was going to be the year when cyber attacks take down supply chains. We were barely into January when Zappos announced that a cyber attack had compromised the accounts of 24 million customers. And just yesterday, news broke that Chinese hackers had access to the corporate computer network of Nortel Networks for almost a decade. According to a Wall Street Journal article:

Using seven passwords stolen from top Nortel executives, including the chief executive, the hackers—who appeared to be working in China—penetrated Nortel’s computers at least as far back as 2000 and over the years downloaded technical papers, research-and-development reports, business plans, employee emails and other documents, according to Brian Shields, a former 19-year Nortel veteran who led an internal investigation.

These cyber attacks follow many others in recent months and years, which prompted the Securities and Exchange Commission (SEC) back in October 2011 to issue guidance to publicly-traded companies about disclosing these types of attacks.

Politicians are also taking notice and action. Earlier this month, FBI Director Robert Mueller told the U.S. House Permanent Select Committee on Intelligence that he believes “the cyber threat will equal or surpass the threat from counter terrorism in the foreseeable future.” And yesterday, Senator Joseph Lieberman from Connecticut introduced Senate Bill 2105 to “to enhance the security and resiliency of the cyber and communications infrastructure of the United States.” In a prepared statement to colleagues, Senator Lieberman said, “I fear that when it comes to protecting America from cyberattack it is Sept. 10, 2001, and the question is whether we will confront this existential threat before it happens.”

The cyber attack threat ranges from the relatively benign (defacing a website) to the extremely serious and dangerous (disrupting power grids, telecommunications networks, and transportation systems, such as air traffic control systems). Somewhere in between is the threat that a hacker will break into an enterprise software system to steal proprietary information or take it down to disrupt a company’s daily operations. And since many of these enterprise software systems now reside “in the cloud,” software-as-a-service providers share the risk and responsibility in addressing this threat.

I reached out recently to several of our Logistics Viewpoints sponsors that provide software-as-a-service TMS solutions and asked them to provide input on the following question: What should a customer look for in a SaaS TMS provider to make sure they are taking appropriate steps to minimize the risk of hackers stealing their information or shutting the system down?

Below are the responses I received from CH Robinson and LeanLogistics.

I plan to write more on this topic in the weeks and months ahead, but I’ll leave you with two points to consider:

  • The weakest link is just a single person, most likely inside your organization.
  • Focusing on preventing an attack is important, but not enough. You also have to prepare for what to do when an attack actually occurs, and take steps to minimize the scope and duration of the impact.

These points were true more than a decade ago when I was writing about terrorist threats in the aftermath of September 11, and they remain true today as the risk for cyber attacks continues to grow.


Response by Ryan Pettit, Director of Technology Strategy, C.H. Robinson Worldwide

Being confident about security depends on adopting a framework for diligence. Using ISO 17799 or another framework indicates that an organization is taking security seriously. Why? Because frameworks offer a more comprehensive checklist of things to think about and plan for, well beyond the most diligent security work within an organization. Besides adopting a framework (either directly or as a base), look for organizations that write down their specific policies for security policy, security programs and procedures, incident response and communications, and audit and compliance policy. Writing down and vetting these critical items with leaders in the organization tends to subject the approach to even greater scrutiny and refine its quality.

Speaking of audit policies, a SaaS TMS provider should be able to describe the overall effectiveness of their policies through indirect audit (policy review by an auditor) and direct audit (penetration testing by white-hat hackers). There should be multiple external parties working to defeat the security plan, and they should use a variety of methods to complete the audit. Finally, a SaaS TMS vendor that takes this topic seriously will commit to a specific incident response plan that’s tailored to your business needs and the nature of your relationship with the vendor. Requirements around communication audience and source, timing of communications, and safeguards against specific data leakages vary as much as supply chains do.

Response by Andy Bass, Vice President of Technology, LeanLogistics

The practice of delivering applications online has been around for many years. Now, as organizations transition to the SaaS business model, they are right to be concerned with how SaaS vendors are taking the appropriate precautions to mitigate security risk.

At LeanLogistics, we integrate the core tenets of Security, Availability, and Scalability into every aspect of our software, services, and delivery platform. Our customers share a single application and data environment, so we go to great lengths to protect their information, and the access to it.

Given the dynamic nature of technology, all systems (on-premise as well as SaaS) have areas of vulnerability. Therefore, we employ the best-practice approach of maintaining multiple layers of security and resiliency to minimize any risk of data theft or corruption. And, because the greatest security risks lay within an organization, we also protect our customers’ assets just as diligently from internal threats.

We begin by educating both our employees and our channel partners from their first day about the importance of being a trustee of customer information, and how it should be treated. In addition, we use multiple protection technologies like disk encryption, data–loss prevention (DLP) technologies, and web/mail scanning to give our teams the appropriate level of information access to do their jobs.

Our data centers provide the first layer of physical security, as we restrict access to the actual network and processing systems via multiple authenticated means. Only key infrastructure team members are allowed to enter the facilities to interact with our hardware, and all interactions are recorded on video.

We employ multiple, redundant firewall layers and real-time intrusion detection and prevention (IDS/IDP) at our network layer. Only appropriate protocols are allowed into our DMZ for front-end access to our services. Our weekly scans against our network and systems ensure that new vulnerabilities do not impact our ability to service our customers.

We use industry-standard encryption technologies (such as high-bit SSL) to protect data being sent from customer browsers and back-end systems to our service. This includes encryption options for customer data files as well.

All system and database changes are centrally audited and escalated in real-time to provide history and accountability to each modification made in support of our environment.

Our SaaS applications themselves also have many configurable features surrounding the security process: extensive password rules, IP address restrictions, and single sign-on to name a few. These allow the customer to determine how the application fits best into their own security profile.

Finally, we validate our security practices on an annual basis through a SSAE16 SOC audit (formerly SAS70), and we make this report available to both current and prospective customers.

Organizations looking to implement a SaaS application need to understand how their provider is mitigating security risk using these same principles and approaches. As many industry professionals and transportation executives are starting to see, SaaS is a secure business model for the transportation market.


  1. The SaaS model brings many advantages to companies, who can access their TMS securely from all of their locations without having to worry about server space, software upgrades and internal IT support. For UltraShipTMS, data security has always been our top priority, but my biggest hacking concern comes with social engineers—criminals who take advantage of human behavior to illegally access a network or pull off a scam.

    To ensure security of the network and prevent cyber attacks, we have multiple levels of encryption and data redundancy, clearly defined security policies with checklists and regularly run penetration tests and audit our back-end systems. In addition, we closely manage passwords, keep security patches up to date and restrict firewalls, only allowing traffic from expected machines. All of these are a must for any SaaS-based TMS system.

    I encourage any company buying a TMS to conduct a site visit with their IT security team to review site audits, check the network integrity and review penetration tests. It’s essential that the SaaS solution be based on a distributed computing model with automatic failover and quick recoveries. That way if there is a cyber attack, you can quickly restore data and keep moving freight as you’re working to close the breach.

    But no matter how secure the network, a person who shares their password with a stranger or puts it on a Post-It note on their computer can quickly compromise your system. Train employees and partners to protect system access and critical information at any cost—and to be wary of potential Phishing attacks from social engineers trying to access passwords. No matter how buttoned-down your TMS security processes are, they’re only secure if your users are trained not to hand somebody the keys.