Cyber criminals targeting transport and logistics firms now operate with “structured business models”, complete with HR departments, legal representatives and affiliate marketing schemes, delegates at the Microlise Transport Conference in Manchester have been warned.
In a stark presentation this week that drew heavily on real-world cyber incidents affecting the sector, CyPro partner and former critical national infrastructure CISO Jonny Pelter said logistics operators are increasingly attractive targets because modern supply chains have “very low tolerance for downtime” and rely on deeply interconnected digital systems.
The warning comes after a series of damaging cyber attacks affecting transport and logistics businesses including Owens Group, KNP, Yusen Logistics and Microlise itself, highlighting how ransomware and operational disruption are growing threats across the sector.
Speaking at Manchester’s Co-op Live arena, Pelter warned that cyber attacks are no longer isolated IT incidents but highly organised criminal operations increasingly designed to disrupt physical operations, apply commercial pressure and exploit supply chain vulnerability.
“They’re now starting to focus specifically on high-value shipments and running separate ransoms for each of those shipments,” he said.
“They can now have multiple ransoms for the same victim, changing delivery locations and holding those high-value assets to ransom.”
Pelter, who previously held senior cyber security roles at Thames Water and has worked closely with GCHQ and the National Cyber Security Centre, said transport operators are becoming more exposed as fleets, telematics, warehousing systems and operational technology become increasingly connected.
“What that means from an attacker’s point of view is you can have a small action that has a huge impact,” he said.
The sector’s reliance on ageing legacy infrastructure following years of mergers and acquisitions is also increasing risk, he warned.
“Many larger organisations are an amalgamation of multiple companies brought together inorganically, and that creates a much larger attack surface with lots of holes in it.”
Pelter described cyber attacks as highly calculated operations rather than random events, warning delegates that 87% of attacks occur during weekends or holidays when staffing levels and response capability are reduced.
“Timing is not accidental,” he said.
He also outlined how attackers increasingly manipulate organisations psychologically during incidents, including deliberately leaving internal communication systems operational in order to monitor negotiations and incident response discussions.
“You may notice your email and Teams messaging still works, but that can be purposeful,” he warned.
“We’ve seen examples where attackers leave those channels open so they can eavesdrop and use that to aid negotiations.”
Pelter described how organisations that pay ransoms can end up placed on so-called “sucker lists” traded between criminal groups on dark web marketplaces.
“They see it as capital investment,” he said. “You’re six or seven times more likely to be attacked again if you’ve paid historically.”
Pelter repeatedly challenged what he described as “security theatre”, where organisations focus on policies, dashboards and expensive tools that create the appearance of cyber preparedness without materially improving resilience.
“This is the incessant wordsmithing of policies nobody reads. The pursuit of shiny new tools. Hundred-page board reports full of metrics where nothing actually happens,” he said. “That’s security theatre.”
Instead, he argued operators need to focus less on trying to prevent every attack and more on resilience, response and recovery.
“Everyone says they won’t pay until it happens,” he said.
“You have to assume incidents are going to happen. The focus has to be on ensuring they never become major incidents.”
Pelter also warned that operational technology, including telematics systems, fleet infrastructure and connected logistics platforms, is now becoming more attractive to attackers than traditional IT systems because disruption there creates maximum leverage.
“Historically you could keep operational technology separated from the internet,” he said.
“Now all of those systems are being connected for real-time visibility, and that’s becoming problematic because organisations are making those connections without really looking at the architecture behind them.”
He warned that attackers increasingly want access to operational environments rather than office systems because that is where the greatest disruption can be caused.
“That’s where the real harm is. That’s where they can have the most leverage.”
The session also highlighted the growing role AI could play on both sides of cyber warfare, with Pelter warning that attacks and responses are both now accelerating.
“The effect will probably be net zero because AI is being used by both attackers and defenders,” he said.
“What it really means is that things are going to happen faster.”
Pelter argued many organisations still move too slowly when addressing cyber risk, often spending months building business cases and governance processes before security improvements are deployed.
Reflecting on his time at Thames Water, he described replacing slow-moving approval structures with rapid “sprint” approaches that allowed infrastructure changes to be implemented in two-week cycles rather than over many months.
“The key point is it’s as important how you make improvements as what improvements you actually make,” he said.
He also warned that while systems can often be restored relatively quickly after an incident, the impact on staff can last far longer.
“People recover much slower than the systems,” he said.
“You might restore 80 or 90% of infrastructure within months, but how people feel about that experience can linger for 12 to 18 months.”
The presentation formed part of a wider Microlise Transport Conference agenda focused on AI, cyber resilience, safety and digital transformation across the logistics sector.















