For Retailers, Digital Innovation Increases Efficiency – and the Attack Surface

It’s hard to beat the many benefits of digitalization in retail and distribution. E-commerce, big data and AI have enabled personalized shopping experiences that win customer loyalty, but it’s the combination of IT, operational technology (OT) and Internet of Things (IoT) systems that has transformed logistics. Smart shelves mean fewer stockouts. Point-of-sale (POS) devices mean faster checkouts. Integrated just-in-time (JIT) supply chains mean less waste.

As is often the case, however, cybersecurity practices haven’t kept pace with these innovations, leaving retailers exposed to new cyber risks that come with an expanded attack surface. This article will explore how often-vulnerable OT networks and IoT devices permeate every aspect of retail operations, what risks they introduce and how you can manage them.

Customer Data Breaches Aren’t the Only Threat

Earlier this year, a string of attacks by the Scattered Spider cybercriminal group hit top retailers in the U.K. and U.S., using social engineering to ransom customer loyalty program data and sell it on the black market. (To gain access, threat actors impersonated company employees and tricked IT help desk staff into resetting credentials so they could bypass security controls.) Thanks to strong encryption required by the Payment Card Industry Data Security Standard (PCI DSS), financial transaction data is hard to breach and wasn’t breached in these incidents. Even so, the lucrative customer data can be used for a wide range of fraudulent activities.

Scattered Spider is known for targeting one sector at a time — its 2023 attacks in Las Vegas on MGM Resorts and Caesars Entertainment first put them on the map — and they have since moved on to insurance companies and airlines. Retailers may be breathing a sigh of relief, but the risk of being blindsided elsewhere remains. Cyberattacks on smart shelving, automated warehouse logistics and data centers may not grab headlines like stolen customer data, but as exploitable entry points, they can bring operations to a halt just as quickly, with exponentially longer recovery time.

The Cyber-Connected Retail Chain

Modern retail chains are complex operations that rely on IT, IoT and OT to operate efficiently and keep customers safe and comfortable. Between building management systems (BMS) and retail automation systems, a large retailer may have hundreds or even thousands of devices and systems that could disrupt operations if tampered with. Here are some examples.

Building Management Systems

Retailers rely heavily on BMS to keep stores efficient, safe and profitable. BMS in retail environments is the overall supervisory system that monitors and manages the key infrastructure for all buildings, including HVAC, lighting, power, fire safety, security, elevators and water. A well-managed BMS can impact customer experience and comfort by helping to maintain optimal indoor temperature, lighting and air quality. It also manages energy and operational efficiency, cost control and asset protection.

The increasing criticality of BMSs in retail operations has led to increased connectivity with standard IT infrastructure and cloud systems for energy management and predictive maintenance, as well as advanced smart building integrations and IoT functionality. This convergence comes with significant risks, because OT and IoT networks often lack the cybersecurity features found in IT environments. For example:

  • They may use default or hardcoded credentials that are easy to brute-force.
  • Legacy protocols aren’t encrypted and don’t require authentication.
  • Patches for vulnerabilities on OT devices (assuming they exist) must often be delayed until the next maintenance window.
  • Vendors and OEMs are constantly logging in to manage and maintain equipment, often using their own insecure remote access tools, which introduces third-party risk.

POS Networks

POS networks — checkout and self-checkout stations — are the backbone of retail sales. Today they accept a variety of digital payment methods, with cash increasingly scarce. Traditional POS terminals that require a card swipe are connected to a secure, dedicated pipeline to a payment processor. Newer wireless, low-touch payment methods (one-tap, contactless and smartphone) are less secure. They rely on near-field communication (NFC) of just a few centimeters, and transaction data is transmitted over a radio frequency signal.

Smart Shelves and Roaming Digital Scanners

Smart shelves have revolutionized retailing. They automate everything from pricing to restocking, with each component communicating wirelessly with a central management system that orchestrates actions. Sensors detect when inventory is low on specific items and trigger restocking systems. Electronic shelf labels enable retailers to change individual prices and activate manufacturer promotions in bulk.

Even with all of this automation, humans aren’t replaceable just yet. On the floor, employees use roaming digital scanners to flag depleted items for restocking, verify prices, and help customers on the fly. In the warehouse, scanners are used to check in new shipments, reconcile purchase orders and log items into inventory. Manufacturers’ reps come and go with their own scanners to get precise inventory counts on customers’ shelves and track product performance.

The building management and retail automation systems described here all rely on IoT technology. Many of these devices use older, proprietary or non-standard embedded operating systems and lack the advanced cyber features that more modern IT devices have. Often, they’re installed without basic protections like enabling encryption or requiring authentication. This makes them easier to compromise than standard IT devices, and many even have direct access to the internet. Whether wired or wireless, IoT devices communicate using non-standard protocols and require special monitoring that understands them.

Robotics and Drones in the Warehouse

Robotics systems are critical to efficient distribution, for both picking and moving goods. Automated storage and retrieval systems (AS/RS) scale upwards to save floor space and allow for taller and narrower aisles than humans can navigate. Robotic arms are used for precision picking, such as selecting individual items from a bin to fulfill an order. Autonomous guided vehicles (AGVs) follow pre-defined paths to move heavy loads and pallets over consistent routes. More sophisticated autonomous mobile robots (AMRs) use sensors, cameras and AI to navigate dynamic environments while avoiding obstacles. All of these robots rely on programmable logic controllers (PLCs) and other OT to move, lift, pick and pack items safely. IoT sensors work in tandem with OT to collect and relay real-time data about the environment so it can be analyzed to optimize workflows, predict maintenance needs and so on.

While not as insecure as legacy OT devices that were built to last decades without cybersecurity in mind, warehouse robots are still vulnerable to third-party risk. Like HVACs and other BMS, OEM vendors or their authorized contractors need to be involved in their maintenance and operation, requiring remote or physical access. An insecure remote connection provides an entry point that a bad actor can exploit, and a malicious insider (including an authorized contractor) can abuse commands that disrupt operations.

Compared to robots, drones are newcomers in retail warehouses, but they’re quickly becoming ubiquitous because they can go where neither humans nor robots can. Drones can fly through warehouse aisles using cameras and RFID scanners to count inventory on high shelves. Unlike outdoor drones, they’re typically managed by a central warehouse management system (WMS) and communicate via proprietary protocols optimized for that specific environment, so they are less prone to attack than drones flying in open air.

Supply Chain Integration

Supply chain risk is everywhere and can mean many things. For retailers, it often refers to JIT ordering, a critical strategic lever for avoiding waste, especially concerning perishable goods. Connected supply chains include inventory systems that automatically trigger replenishment orders, integrated transportation networks and, per above, seamless pricing adjustments.

A recent cyberattack put the spotlight on JIT supply chain risk involving fresh produce. United Natural Foods Inc. (UNFI) is the largest publicly traded wholesale food distributor in the U.S., and the primary distributor of Whole Foods Market, which is owned by Amazon. When a cyberattack shut down the wholesaler’s ordering and shipping systems in June, UNFI had to resort to manual distribution and cooperation from other wholesalers to keep supplying its 30,000 retail customers across the U.S. Vendors like UNFI are deeply integrated into customer systems, from inventory forecasting to delivery scheduling.

Data Centers

Modern retail operations generate vast amounts of data that must be stored and managed securely, including real-time transaction processing. Major retailers like Walmart, Target and Amazon build their own data centers, and so do many other large chains. Given their business criticality, data centers have become high-value targets for sophisticated cyberattacks. In addition to direct attacks on servers and applications to exfiltrate or ransom intellectual property, the connected smart devices that keep data centers humming can also be targeted to disrupt operations and cause widespread outages. From chillers and power generators to CCTVs and building automation, OT and IoT systems are crucial to ensuring an optimal computing and storage environment inside data centers. All must be secured.

IT Is a Shrinking Subset of the Retailer’s Attack Surface

Across industries, OT and IoT devices are a growing percentage of total digital assets, and retail is no exception. A 2024 survey found that OT, IoT and other specialized systems comprise 42% of enterprise assets — and account for 64% of mid- to high-level enterprise risk. OT and IoT security require different tools from IT approaches, so adoption and maturity often lag, but the landscape has changed.

If all of your cybersecurity investment has been poured into your IT systems, you don't have the cybersecurity maturity that you think you do. Your IT network is a shrinking subset of your overall attack surface, and the growing part is the part you least understand. You need to know what OT and IoT assets are running in your environment, what they do, who they’re talking to and if they’re connected to the internet.
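The visibility question in the paragraph above (what is running, who it talks to, whether it reaches the internet) and the weaknesses listed under Building Management Systems (unauthenticated legacy protocols, third-party remote access) can both be checked passively from flow records. The script below is an added example written for this article, not Nozomi Networks code; it assumes a hypothetical asset inventory and a handful of constructed flow records, and it treats the well-known ports for Modbus/TCP, BACnet/IP, Telnet and HTTP as cleartext, unauthenticated protocols. Any address outside the RFC 1918 ranges is counted as "the internet".

```python
"""Passive OT/IoT asset-visibility check over flow records (added example)."""
from ipaddress import ip_address, ip_network

# Well-known OT/IoT ports whose base protocols carry neither encryption nor
# authentication. This mapping is an assumption made for the example.
CLEARTEXT_PORTS = {
    502: "Modbus/TCP",
    47808: "BACnet/IP",
    23: "Telnet",
    80: "HTTP",
}

# RFC 1918 ranges; a peer outside them is treated as internet-facing.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed asset inventory: hypothetical addresses and roles.
INVENTORY = {
    "10.20.1.15": "HVAC controller (BMS)",
    "10.20.1.16": "Electronic shelf label gateway",
    "10.30.5.7": "POS terminal",
    "10.20.1.40": "Warehouse AGV controller",
}

# Constructed flow records (src, dst, dst_port), as a SPAN-port collector
# might export them. No real traffic was captured; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for internet hosts.
FLOWS = [
    ("10.20.1.15", "10.20.1.2", 502),        # HVAC -> BMS server, Modbus
    ("10.20.1.15", "203.0.113.10", 443),     # HVAC -> vendor cloud, TLS
    ("10.20.1.16", "10.20.1.3", 80),         # ESL gateway -> pricing server, HTTP
    ("10.30.5.7", "10.30.5.1", 443),         # POS -> payment gateway, TLS
    ("10.20.1.40", "198.51.100.25", 23),     # AGV controller -> OEM host, Telnet
    ("10.20.1.40", "10.20.1.50", 8443),      # AGV controller -> WMS, TLS
    ("10.20.1.99", "10.20.1.2", 502),        # device not in inventory, Modbus
]


def is_internal(addr: str) -> bool:
    """True when addr falls inside one of the RFC 1918 ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def build_profiles(flows, inventory):
    """Per source device: its role, its peers, cleartext protocols, internet use."""
    profiles = {}
    for src, dst, port in flows:
        p = profiles.setdefault(src, {
            "role": inventory.get(src, "UNKNOWN"),
            "peers": set(),
            "cleartext": set(),
            "internet": False,
        })
        p["peers"].add(dst)
        if port in CLEARTEXT_PORTS:
            p["cleartext"].add(CLEARTEXT_PORTS[port])
        if not is_internal(dst):
            p["internet"] = True
    return profiles


def findings(profiles):
    """Return {src: sorted issue list} for every device with something to fix."""
    out = {}
    for src, p in profiles.items():
        issues = []
        if p["role"] == "UNKNOWN":
            issues.append("unknown-asset")        # nobody owns this device
        if p["internet"]:
            issues.append("internet-exposed")     # OT/IoT reaching outside
        issues.extend(f"cleartext:{proto}" for proto in sorted(p["cleartext"]))
        if issues:
            out[src] = issues
    return out


if __name__ == "__main__":
    for src, issues in findings(build_profiles(FLOWS, INVENTORY)).items():
        print(f"{src:<14} {INVENTORY.get(src, 'UNKNOWN'):<32} {', '.join(issues)}")
```

Run as-is the script reports the HVAC controller and the AGV controller as internet-exposed and speaking cleartext protocols, the shelf-label gateway as using plain HTTP, and 10.20.1.99 as an unknown asset on the Modbus network; the POS terminal, which only talks TLS to an internal gateway, produces no finding. Replacing the constructed lists with a real inventory export and a flow feed gives a first-pass answer to the four questions above without touching the devices themselves, which matters for OT gear that cannot tolerate active scanning.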

How Nozomi Networks Can Help

With centralized cloud management, analytics and reporting, the Nozomi Networks platform can cover the largest attack surfaces including superstores, regional distribution centers and dispersed locations. It uses a variety of security sensor types including network, endpoint and wireless to monitor your entire environment. Where needed, they use deep packet inspection (DPI) to understand the most common wireless and IoT protocols, for full visibility into device behavior, commands and threats. Most importantly, for more than a decade, we’ve been leveraging AI and machine learning in our platform to power asset discovery and profile enrichment, threat and anomaly detection, risk prioritization and remediation actions.

If you’re ready to own cybersecurity risk across your entire operation and want complete visibility into your retail and warehouse cybersecurity risk, contact us today.