Logistics and Shipping IT Security: Protecting Intermodal Operations


In February 2022, a cyberattack against Expeditors International — one of the world's largest freight forwarders — forced the company to shut down the majority of its operating systems globally. For nearly three weeks, Expeditors couldn't process shipments, generate invoices, or access its own freight management systems. The company later disclosed that the incident cost it approximately $60 million in lost business and recovery expenses.

Expeditors is a publicly traded, multi-billion-dollar enterprise with a global IT organization. If a company of that size and resource depth can be taken offline for three weeks, you should take a hard look at what would happen to your operation if the same thing happened to you — and how long you could absorb it.

Logistics and intermodal shipping companies occupy a unique position in the threat landscape. You handle sensitive data across a wide surface: shipping manifests, bills of lading, customs declarations, customer financial records, carrier contracts, and hazardous materials documentation — often all simultaneously, often in real time, often shared across dozens of trading partners via electronic data interchange. You operate around the clock because freight doesn't pause at 5:00 PM. And you are embedded in a supply chain that is, by design, interconnected — which means a compromise at one point in the chain affects everyone downstream.

We've worked with Intermodal Shippers on their IT and security infrastructure long enough to understand what the threat landscape looks like from inside a logistics operation. This post is an honest account of the specific risks your industry faces and what protecting against them actually requires.

Why Logistics Companies Are High-Value Targets

The freight and logistics sector consistently ranks among the top targeted industries in cybersecurity threat reports, and the reasons aren't difficult to understand once you look at the data your operation handles.

Consider what a threat actor gains from a successful breach of a logistics company. Shipping manifests identify what is being moved, in what quantities, from where, and to where — intelligence that has commercial value to competitors and, in some cargo categories, criminal value to theft rings. Customs documentation contains detailed product descriptions, declared values, and importer/exporter relationships — data that enables customs fraud schemes that cost the U.S. government hundreds of millions of dollars annually. Customer shipment records contain the business relationships, pricing, and volume data that constitute some of your most commercially sensitive information. And financial records — rate confirmations, invoices, payment histories — provide everything needed to execute sophisticated business email compromise (BEC) schemes targeting your clients or your carriers.

Beyond data theft, logistics companies are targets for operational disruption. Ransomware attackers understand that a company whose business model depends on continuous system availability is more likely to pay a ransom quickly than a company that can afford to take its time. When your TMS (Transportation Management System) is encrypted and containers are sitting at the port waiting for release instructions, the pressure to pay is immediate and severe.

600% increase in supply chain cyberattacks between 2020 and 2024, according to the European Union Agency for Cybersecurity (ENISA) — making it one of the fastest-growing attack categories globally.

The Specific Threats Logistics Companies Face

Ransomware on Dispatch and TMS Systems

Your Transportation Management System is the most critical single piece of software in your operation. It holds your load data, your carrier relationships, your customer commitments, and your financial records. It is also the most catastrophic single point of failure — and ransomware actors know it.

Modern ransomware attacks against logistics companies follow a predictable but devastating pattern. The initial intrusion typically happens weeks before the actual encryption event — through a phishing email, a compromised vendor credential, or an unpatched VPN vulnerability. The attackers spend that time moving laterally through the network, identifying your most critical systems, and exfiltrating data. When they finally trigger the encryption, they've already copied everything that matters. The ransom demand comes with a clock: pay within 72 hours or the stolen data gets published, and the decryption key price doubles.

For a logistics company, "72 hours of system unavailability" is not an abstract risk. It means containers sitting at terminals accumulating detention fees, loads that can't be tendered or tracked, customers who can't get status updates, and carriers who stop accepting your freight because they can't get confirmations. The damage compounds hourly.

Customs Fraud and Document Manipulation

Customs fraud is an underappreciated threat in the logistics sector, and it sits squarely at the intersection of IT security and regulatory compliance. The attack typically involves gaining access to your freight forwarding systems or customs brokerage software and altering shipment data — misclassifying goods, undervaluing cargo, or inserting fictitious entries — to facilitate illegal imports or evade duties.

The liability exposure for the innocent logistics company whose systems were used is significant. U.S. Customs and Border Protection holds importers and brokers responsible for the accuracy of customs filings regardless of how the errors were introduced. A breach that enables customs fraud can result in seizures, penalties, and loss of your Customs-Trade Partnership Against Terrorism (C-TPAT) certification — a designation that many major shippers now require of their logistics partners.

Business Email Compromise Targeting Freight Payments

BEC schemes targeting the freight industry have become a major financial threat, and their mechanics map directly onto how freight payments work. The attacker compromises an email account — typically a carrier, broker, or client — and uses it to redirect payments. In freight, this often looks like an email from a familiar carrier informing you that their banking information has changed, with convincing invoice documentation attached. The next payment you make to that carrier goes to the attacker's account.

The freight and logistics industry is particularly vulnerable to this because payment relationships are numerous and constantly changing. You deal with hundreds of carriers, many of whom you interact with infrequently enough that a banking change request doesn't immediately feel suspicious. The average BEC loss in the transportation sector exceeds $100,000 per incident, and recovery rates are low once funds have moved.

Data Theft for Competitive Intelligence and Cargo Theft Facilitation

Not every attack is about encryption or immediate financial gain. Some of the most sophisticated threat actors targeting logistics companies are interested in persistent, long-term access to your operational data. They want to know what high-value cargo is moving, on what routes, under what security arrangements — information that enables organized cargo theft rings to target specific shipments with foreknowledge of the contents and timing.

The FBI's cargo theft task forces have documented cases where theft rings demonstrated knowledge of shipment details that could only have come from a compromise of the logistics company's systems. Electronics, pharmaceuticals, and luxury goods shipments are most commonly targeted, but the intelligence gathering phase of these operations is indistinguishable from corporate espionage. Persistent low-level access that exfiltrates data without triggering alerts is the goal — and it can continue for months before detection.

The compounding threat: Logistics companies don't just face threats to their own systems. As a node in a supply chain, you are also the potential pathway for attacks on your customers and trading partners. A compromise of your systems that allows attackers to inject malicious data into your EDI transmissions can propagate to dozens of downstream organizations. Your security posture is no longer just your own business — it's a commitment to everyone in your supply chain.

IT Compliance for Transportation: TSA and C-TPAT

The regulatory compliance landscape for logistics and intermodal shipping is more demanding than most operators appreciate — and the IT implications are substantial.

TSA Cybersecurity Directives

Following several high-profile attacks on transportation infrastructure, the Transportation Security Administration has issued a series of Security Directives, beginning in 2021, that impose cybersecurity requirements on surface transportation operators — including rail, pipeline, and certain highway and motor carrier operations. These directives have evolved significantly and now require:

  • Designation of a primary and alternate Cybersecurity Coordinator available 24/7
  • Reporting of cybersecurity incidents to CISA within 24 hours of identification
  • Development and implementation of a Cybersecurity Incident Response Plan
  • A Cybersecurity Assessment Program that proactively tests defenses and measures the effectiveness of cybersecurity measures
  • Network segmentation policies to ensure operational technology systems can be isolated from IT systems in the event of a cyber incident

The scope of TSA coverage continues to expand. Logistics companies that haven't reviewed their regulatory exposure against current TSA directives may be operating with compliance gaps they're unaware of. Non-compliance with a Security Directive carries civil penalties, and TSA has demonstrated a willingness to enforce.

C-TPAT and IT Security Requirements

Customs-Trade Partnership Against Terrorism certification has become a de facto business requirement for logistics companies working with major U.S. importers and government contracts. C-TPAT's Minimum Security Criteria now explicitly address information technology, requiring certified partners to maintain:

  • Written IT security policies that restrict access to company systems to authorized users only
  • Password controls requiring complex passwords, regular changes, and unique credentials per user
  • Procedures for the immediate deactivation of access for terminated or transferred employees
  • Anti-virus and malware protections that are regularly updated
  • Regular IT security audits to identify vulnerabilities
  • Procedures for reporting and responding to unauthorized access or intrusion

Maintaining C-TPAT certification isn't a one-time project — it requires ongoing compliance that has to be documented and demonstrable to a CBP Supply Chain Security Specialist during validation and revalidation visits. Your managed IT provider needs to understand C-TPAT requirements well enough to help you maintain the audit trail, not just implement the controls.

Securing EDI Systems: The Hidden Attack Surface

Electronic Data Interchange is the backbone of B2B data exchange in logistics. EDI transmissions carry 850s (Purchase Orders), 214s (Transportation Carrier Shipment Status), 210s (Motor Carrier Freight Details and Invoice), 997s (Functional Acknowledgment), and dozens of other transaction sets that move billions of dollars of commerce daily.

EDI security is frequently overlooked because EDI predates modern security thinking. Many EDI implementations still rely on Value-Added Networks (VANs) — third-party intermediaries that route EDI transactions between trading partners — with security assumptions baked in during the 1980s. AS2, the more modern direct EDI transmission protocol, is more secure but still requires careful implementation to be genuinely secure.

The specific security concerns for EDI in logistics include:

  • Authentication weaknesses: Many EDI trading partner relationships authenticate through sender/receiver IDs and passwords that haven't been rotated in years, in some cases since the relationship was originally established. A compromised trading partner credential gives an attacker the ability to send fraudulent EDI transactions into your TMS — fake load tenders, altered bill-of-lading data, manipulated invoices — that your system processes automatically without human review.
  • Unencrypted transmission: Legacy EDI implementations using FTP or older VAN protocols transmit data without transport-layer encryption. This means transmission data is readable to anyone with access to the network path between endpoints. AS2 mandates encryption and digital signatures, but not every trading partner has migrated.
  • Lack of transaction validation: EDI systems that process inbound transactions without validating data against business rules create opportunities for manipulation. A fraudulent 210 invoice that's processed automatically without matching to a confirmed load creates immediate financial exposure.
  • Third-party VAN security: Your EDI VAN is a critical intermediary that touches every transaction you process. Its security posture is your security posture for EDI purposes. Most logistics companies have never reviewed their VAN's security certifications or incident response procedures.

Remediating EDI security gaps requires a systematic audit of every trading partner connection — authentication credentials, transmission protocols, encryption status, and validation rules — followed by a migration roadmap for upgrading the weakest links. This is tedious work, but it's the kind of foundational security that prevents the automated fraud that EDI's design can enable.
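The "lack of transaction validation" gap above is the one most directly fixable in software. The following is an added example, not the page's or IT Center's code: a minimal X12-style segment parser plus the business-rule checks an EDI translator could run before a 210 carrier invoice is auto-posted to the TMS. Field positions follow the X12 B3 segment in simplified form (B302 invoice number, B303 shipment id, B307 net amount due with implied decimals, B311 SCAC, ISA06 interchange sender); the load table, trading partner allowlist, tolerance and sample interchange are all constructed for illustration.

```python
"""Inbound EDI 210 (carrier freight invoice) validation against confirmed loads.

Added example, not the page's or IT Center's code. It applies the business-rule
checks an EDI translator could run before a carrier invoice is auto-posted to the
TMS: known interchange sender, invoice references a confirmed load, carrier matches
the load, amount within tolerance of the agreed rate, no duplicate invoice numbers.
Field positions follow the X12 B3 segment (B302 invoice number, B303 shipment id,
B307 net amount due with implied decimals, B311 SCAC); the load table, partner
allowlist and sample interchange are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

# Constructed: loads the TMS has confirmed, keyed by the shipment id a carrier must reference.
CONFIRMED_LOADS = {
    "LD-44817": {"scac": "ABCD", "agreed_rate": Decimal("1850.00")},
    "LD-44902": {"scac": "WXYZ", "agreed_rate": Decimal("2300.00")},
}
# Constructed: interchange sender IDs (ISA06) allowed to invoice, with the SCAC each may use.
TRADING_PARTNERS = {"ABCDCARRIER": "ABCD", "WXYZFREIGHT": "WXYZ"}
RATE_TOLERANCE = Decimal("0.05")  # accept invoices within 5% of the agreed rate


def parse_x12(message: str, seg_term: str = "~", elem_sep: str = "*") -> list[list[str]]:
    """Split an X12 interchange into segments; each is a list of elements, index 0 = segment id."""
    return [seg.split(elem_sep) for seg in message.strip().split(seg_term) if seg.strip()]


@dataclass
class InvoiceDecision:
    accepted: bool
    invoice_number: str
    shipment_id: str
    reasons: list[str] = field(default_factory=list)


def validate_210(message: str, posted: set[tuple[str, str]] | None = None) -> InvoiceDecision:
    """Decide whether a 210 may be posted; every failed rule is listed in reasons.

    posted is the set of (sender, invoice number) pairs already accepted, so a replayed
    or re-sent invoice is rejected instead of being paid twice.
    """
    posted = set() if posted is None else posted
    segs = {s[0]: s for s in parse_x12(message)}  # first occurrence of each segment id
    isa, b3 = segs.get("ISA"), segs.get("B3")
    if isa is None or len(isa) < 16 or b3 is None or len(b3) < 12:
        return InvoiceDecision(False, "", "", ["malformed interchange: ISA or B3 missing or short"])

    sender = isa[6].strip()  # ISA06 is fixed-width, space padded
    invoice_no, shipment_id, scac = b3[2], b3[3], b3[11]
    try:
        amount = Decimal(b3[7]) / 100  # B307 net amount due, two implied decimals
    except InvalidOperation:
        return InvoiceDecision(False, invoice_no, shipment_id, [f"unparseable net amount {b3[7]!r}"])

    reasons: list[str] = []
    partner_scac = TRADING_PARTNERS.get(sender)
    if partner_scac is None:
        reasons.append(f"unknown interchange sender {sender!r}")
    elif partner_scac != scac:
        reasons.append(f"sender {sender} may not invoice as carrier {scac}")
    load = CONFIRMED_LOADS.get(shipment_id)
    if load is None:
        reasons.append(f"no confirmed load for shipment {shipment_id}")
    else:
        if load["scac"] != scac:
            reasons.append(f"carrier {scac} does not match load carrier {load['scac']}")
        if abs(amount - load["agreed_rate"]) > load["agreed_rate"] * RATE_TOLERANCE:
            reasons.append(f"amount {amount} outside tolerance of agreed rate {load['agreed_rate']}")
    if (sender, invoice_no) in posted:
        reasons.append(f"duplicate invoice {invoice_no} from {sender}")
    if not reasons:
        posted.add((sender, invoice_no))
    return InvoiceDecision(not reasons, invoice_no, shipment_id, reasons)


def build_210(sender: str, invoice_no: str, shipment_id: str, amount_cents: int, scac: str) -> str:
    """Constructed sample: assemble a minimal 210 interchange (envelope + B3) to exercise the validator."""
    return (
        f"ISA*00*          *00*          *ZZ*{sender:<15}*ZZ*{'INTERMODALSHIP':<15}*"
        "220214*1200*U*00401*000000101*0*P*>~"
        f"GS*IM*{sender}*INTERMODALSHIP*20220214*1200*101*X*004010~ST*210*0001~"
        f"B3**{invoice_no}*{shipment_id}*PP**20220214*{amount_cents}****{scac}~"
        "SE*3*0001~GE*1*101~IEA*1*000000101~"
    )


if __name__ == "__main__":
    seen: set[tuple[str, str]] = set()
    for msg in (
        build_210("ABCDCARRIER", "INV-7781", "LD-44817", 185000, "ABCD"),  # matches load: accepted
        build_210("ABCDCARRIER", "INV-7782", "LD-44902", 230000, "ABCD"),  # load belongs to WXYZ: rejected
        build_210("ABCDCARRIER", "INV-7781", "LD-44817", 185000, "ABCD"),  # re-sent invoice: rejected
    ):
        decision = validate_210(msg, seen)
        print("ACCEPT" if decision.accepted else "REJECT", decision.invoice_number, decision.reasons)
```

The point of returning every failed rule rather than the first one is operational: an AP clerk reviewing the reject queue can tell a genuine carrier typo (amount slightly off) from a transaction that fails sender, load and carrier checks at once, which is the pattern a compromised trading partner credential produces.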

Backup Strategies for 24/7 Operations

The backup and recovery requirements for a logistics company are fundamentally different from those of a typical business, and most conventional backup approaches fail in ways that only become apparent during an actual recovery event.

The key difference is the recovery time objective (RTO). A professional services firm might tolerate 24–48 hours of system unavailability during a recovery event. A logistics company can measure its losses in hours — detention fees, missed pickup windows, failed deliveries, and customer penalties that accrue from the moment systems go offline. A realistic RTO for a logistics operation is measured in hours, not days, and your backup architecture has to be designed around that requirement.

Several backup principles that are especially critical for logistics operations:

  • Immutable offsite backups: Ransomware attackers have become sophisticated enough to identify and encrypt backup systems before triggering the main attack. Immutable backups — stored in a location that cannot be accessed or modified by your production systems — are the only reliable defense against this. Cloud object storage with Object Lock enabled (AWS S3, Azure Blob Storage, or similar) provides immutability at scale without requiring air-gapped tape systems.
  • Frequent recovery point objectives: For a TMS that's processing transactions around the clock, a 24-hour backup window means potentially 24 hours of transaction data lost in a worst-case event. Recovery point objectives for logistics TMS should be measured in hours, not days, requiring continuous data protection or near-continuous backup rather than nightly snapshot models.
  • Tested recovery, not assumed recovery: Most businesses that have backups have never actually restored from them under realistic conditions. For a logistics company, this means regularly running tabletop recovery exercises and at least annually testing a full TMS restoration to a clean environment to validate that the backup is complete and the process works. The first time you discover your backup restoration process takes 36 hours should not be during an actual ransomware incident.
  • Operational continuity playbooks: Even with excellent backups, recovery takes time. Logistics companies need documented procedures for continuing operations in degraded mode — tracking shipments manually, communicating with carriers via phone and email rather than TMS, and managing customer communications — while systems are being restored. These playbooks need to exist, and staff need to be trained on them, before they're needed.
  • Data tiering by criticality: Not all data has the same recovery priority. Active load data, carrier payment information, and customs documentation need to be recovered before historical reports and analytical data. Your recovery architecture should reflect that priority sequence rather than treating all data as equally urgent.

The backup reality check: If you've never timed a full restoration of your TMS from backup, you don't actually know your RTO — you have an assumption. Those are different things, and the difference matters when containers are sitting at port waiting for your systems to come back online.
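The principles above (immutable offsite copies, RPO measured in hours, tested rather than assumed recovery, and tiering by criticality) can be checked mechanically against a backup catalog. The following is an added example, not the page's or IT Center's code: it evaluates a constructed catalog against a tiered policy and reports, per tier, where the posture falls short. Tier names, policy values, timestamps and catalog entries are all constructed for illustration.

```python
"""Backup posture check for a 24/7 TMS: RPO by data tier, immutability, tested recovery.

Added example, not the page's or IT Center's code. It evaluates a constructed backup
catalog against a tiered policy of the kind described above: each tier has a maximum
RPO (age of the newest restorable copy), must have at least one immutable copy that
production credentials cannot reach, and must have a timed full restore within a test
interval whose measured duration met the RTO. Tier names, policy values and catalog
entries are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class TierPolicy:
    max_rpo: timedelta        # tolerable data loss for this tier
    target_rto: timedelta     # how quickly the tier must be restorable
    test_interval: timedelta  # how often a timed restore must be proven
    recovery_order: int       # 1 = restore first


@dataclass(frozen=True)
class BackupCopy:
    tier: str
    taken_at: datetime
    immutable: bool  # retention lock (object lock / WORM) in force
    offsite: bool    # stored where production credentials cannot modify or delete it


@dataclass(frozen=True)
class RestoreTest:
    tier: str
    tested_at: datetime
    duration: timedelta
    complete: bool  # restored system validated as usable, not just files copied back


# Constructed policy: active operational data first, analytics last.
POLICY = {
    "tms_transactions": TierPolicy(timedelta(hours=1), timedelta(hours=4), timedelta(days=90), 1),
    "carrier_payments": TierPolicy(timedelta(hours=4), timedelta(hours=8), timedelta(days=180), 2),
    "customs_docs": TierPolicy(timedelta(hours=4), timedelta(hours=8), timedelta(days=180), 2),
    "historical_reports": TierPolicy(timedelta(days=1), timedelta(days=3), timedelta(days=365), 3),
}


def recovery_sequence() -> list[str]:
    """Tiers in the order they should be restored, most critical first."""
    return sorted(POLICY, key=lambda t: (POLICY[t].recovery_order, t))


def assess(copies: list[BackupCopy], tests: list[RestoreTest], now: datetime) -> dict[str, list[str]]:
    """Return, per tier, the list of policy findings; an empty list means compliant."""
    findings: dict[str, list[str]] = {}
    for tier, policy in POLICY.items():
        issues: list[str] = []
        tier_copies = [c for c in copies if c.tier == tier]
        if not tier_copies:
            issues.append("no backup copies at all")
        else:
            exposure = now - max(c.taken_at for c in tier_copies)
            if exposure > policy.max_rpo:
                issues.append(f"RPO exposure {exposure} exceeds policy {policy.max_rpo}")
            if not any(c.immutable and c.offsite for c in tier_copies):
                issues.append("no immutable offsite copy: ransomware with production access can reach every copy")
        recent = [t for t in tests if t.tier == tier and now - t.tested_at <= policy.test_interval]
        if not recent:
            issues.append(f"no timed restore test in {policy.test_interval.days} days: RTO is an assumption")
        else:
            latest = max(recent, key=lambda t: t.tested_at)
            if not latest.complete:
                issues.append("latest restore test did not complete")
            elif latest.duration > policy.target_rto:
                issues.append(f"measured restore {latest.duration} exceeds RTO {policy.target_rto}")
        findings[tier] = issues
    return findings


# Constructed catalog, evaluated at a fixed instant so the result is reproducible.
NOW = datetime(2024, 3, 1, 6, 0, tzinfo=timezone.utc)
SAMPLE_COPIES = [
    BackupCopy("tms_transactions", NOW - timedelta(minutes=15), True, True),  # continuous protection
    BackupCopy("carrier_payments", NOW - timedelta(hours=22), True, True),    # nightly only
    BackupCopy("customs_docs", NOW - timedelta(hours=2), False, True),        # offsite but deletable
    BackupCopy("historical_reports", NOW - timedelta(hours=20), True, True),
]
SAMPLE_TESTS = [
    RestoreTest("tms_transactions", NOW - timedelta(days=30), timedelta(hours=36), True),  # works, but slowly
    RestoreTest("carrier_payments", NOW - timedelta(days=60), timedelta(hours=5), True),
    RestoreTest("historical_reports", NOW - timedelta(days=200), timedelta(hours=20), True),
]


if __name__ == "__main__":
    print("recovery order:", " > ".join(recovery_sequence()))
    for tier, issues in assess(SAMPLE_COPIES, SAMPLE_TESTS, NOW).items():
        print(f"{tier}: {'OK' if not issues else '; '.join(issues)}")
```

Run against the constructed catalog, the check surfaces exactly the situations the list above warns about: the TMS tier has backups and a restore test, but the measured 36-hour restore blows through a 4-hour RTO; the payments tier is on a nightly schedule that leaves a day of transactions exposed; the customs tier has an offsite copy that production credentials could still delete and has never been restore-tested.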

IT Center's Managed IT Approach for Logistics Companies

When Intermodal Shippers engaged IT Center, the security picture we found was similar to what we see in most logistics companies of comparable size: strong operational competence combined with IT infrastructure that had grown faster than the security controls around it.

EDI trading partner credentials hadn't been audited in years. Backups existed but had never been tested under recovery conditions. C-TPAT documentation requirements were being met manually, without the audit trail that a CBP validation visit would require. Network segmentation between the TMS and back-office systems was inadequate — a compromise of a workstation in one part of the operation had a clear lateral path to the TMS database.

Our remediation followed a risk-prioritized sequence. Network segmentation came first, because it limited the blast radius of any future compromise before we addressed the other vulnerabilities. EDI credential audit and rotation came second, because the exposure there was both significant and relatively straightforward to remediate. Backup architecture redesign came third — we moved from a single nightly backup to a layered model with continuous protection for TMS transaction data, immutable cloud backups with verified retention policies, and a documented recovery playbook tested against a realistic RTO.

The C-TPAT documentation framework we built for Intermodal Shippers isn't a separate compliance project — it's integrated into the managed IT service. Access control changes, security policy updates, patch deployments, and incident documentation all generate the records that C-TPAT compliance requires. When CBP comes for a validation visit, the evidence already exists in structured form rather than being assembled under pressure.

Ongoing, IT Center provides 24/7 monitoring of the systems that can't go offline — the TMS, the EDI translation platform, and the network infrastructure that connects them. Alert thresholds are calibrated around operational context, so a 3:00 AM alert about TMS database connectivity gets immediate response rather than being queued for morning triage. Patch management covers every system in the environment on a documented schedule, with emergency patch deployment capability for critical vulnerabilities.

The security layer includes endpoint detection and response (EDR) across all workstations and servers, email security with advanced anti-phishing and BEC detection, and dark web monitoring for the company's email domain and executive credentials. We've found compromised credentials in criminal marketplaces for logistics clients before they were exploited — that early warning is worth more than any after-the-fact response.

Building a Security-Conscious Culture in a 24/7 Operation

Technology controls alone are insufficient. The human element remains the primary attack vector in logistics as in every other industry, and the 24/7 operational tempo of shipping creates specific cultural challenges for security awareness.

Dispatch coordinators working the overnight shift are operating in a lower-vigilance environment — fatigue is real, supervision is reduced, and the pressure to keep freight moving creates a bias toward taking actions quickly rather than verifying them carefully. BEC attackers know this and time their fraudulent communications to arrive during off-hours when the targets are most susceptible.

Effective security culture in logistics requires training that's calibrated to the operational context — not generic cybersecurity awareness modules that were designed for office workers, but scenario-based training that addresses the specific fraud patterns your team is likely to encounter: fake carrier banking change requests, fraudulent rate confirmations from spoofed email domains, and phishing emails disguised as customs alerts or CBP notifications.

The verification protocol for financial changes is especially critical. Every payment routing change — whether for a carrier, a vendor, or any other payee — should require out-of-band verification via a phone call to a number on file, not a callback to a number provided in the suspicious communication itself. This single control, consistently applied, stops the majority of BEC schemes before they succeed. Documenting and enforcing it is an IT governance responsibility as much as an operational one.
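The verification protocol above is simple enough to encode as an approval rule rather than leave to memory. The following is an added example, not the page's or IT Center's code: a small workflow that refuses to apply a carrier bank-detail change unless the sender domain exactly matches the domain on file (near-misses are flagged as lookalikes), the callback went to the phone number already on file and not to any number offered in the request, the known contact confirmed the change, and the verifier is a different person from the employee who logged the request. The carrier record, requests, names and phone numbers are constructed for illustration.

```python
"""Payment routing change control: lookalike-sender check plus out-of-band verification.

Added example, not the page's or IT Center's code. Encodes the rule that a carrier's
bank-detail change is applied only after a callback to the number on file, never to a
number supplied in the request, with a second person doing the verification. The
carrier master record, requests and phone numbers are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class CarrierRecord:
    name: str
    email_domain: str   # domain the carrier's AP team is known to use
    phone_on_file: str  # captured at onboarding, never taken from an inbound email


@dataclass(frozen=True)
class BankChangeRequest:
    carrier: str
    sender_email: str
    phone_in_message: str | None  # any "call us to confirm" number the message offers
    received_by: str              # employee who logged the request


@dataclass(frozen=True)
class Verification:
    called_number: str
    verified_by: str
    confirmed: bool  # the known contact confirmed the change on that call


@dataclass
class Decision:
    approved: bool
    reasons: list[str] = field(default_factory=list)


def digits(phone: str) -> str:
    """Reduce a phone number to its digits so formatting differences do not matter."""
    return "".join(ch for ch in phone if ch.isdigit())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot domains a character or two away from the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _normalize_domain(domain: str) -> str:
    # Collapse the substitutions most often seen in lookalike domains before comparing.
    d = domain.lower().replace("-", "").replace(".", "")
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        d = d.replace(fake, real)
    return d


def domain_risk(sender_domain: str, domain_on_file: str) -> str:
    """Classify the sender domain as 'exact', 'lookalike' or 'unrelated' to the domain on file."""
    if sender_domain.lower() == domain_on_file.lower():
        return "exact"
    if edit_distance(_normalize_domain(sender_domain), _normalize_domain(domain_on_file)) <= 2:
        return "lookalike"
    return "unrelated"


def approve_bank_change(req: BankChangeRequest, carrier: CarrierRecord,
                        verification: Verification | None) -> Decision:
    """Apply the out-of-band verification rules; every violated rule is listed as a reason."""
    reasons: list[str] = []
    sender_domain = req.sender_email.rsplit("@", 1)[-1]
    risk = domain_risk(sender_domain, carrier.email_domain)
    if risk != "exact":
        reasons.append(f"sender domain {sender_domain!r} is {risk} to {carrier.email_domain!r} on file")
    if verification is None:
        reasons.append("no out-of-band verification recorded")
    else:
        called = digits(verification.called_number)
        if called != digits(carrier.phone_on_file):
            if req.phone_in_message and called == digits(req.phone_in_message):
                reasons.append("callback went to the number supplied in the request, not the number on file")
            else:
                reasons.append("callback number does not match the number on file")
        if not verification.confirmed:
            reasons.append("carrier contact did not confirm the change")
        if verification.verified_by == req.received_by:
            reasons.append("same person logged and verified the request; two-person rule not met")
    return Decision(not reasons, reasons)


# Constructed master record and requests.
ABCD = CarrierRecord("ABCD Carrier", "abcdcarrier.com", "(555) 010-2000")
LEGIT = BankChangeRequest("ABCD Carrier", "ap@abcdcarrier.com", "(555) 010-2000", "dispatch.night")
LOOKALIKE = BankChangeRequest("ABCD Carrier", "ap@abcd-carrier.com", "(555) 010-9999", "dispatch.night")

if __name__ == "__main__":
    for label, req, ver in (
        ("genuine domain, callback to number on file", LEGIT, Verification("555-010-2000", "ap.manager", True)),
        ("lookalike domain, callback to number in message", LOOKALIKE, Verification("(555) 010-9999", "ap.manager", True)),
    ):
        d = approve_bank_change(req, ABCD, ver)
        print(f"{label}: {'APPROVED' if d.approved else 'REJECTED'} {d.reasons}")
```

Note that the domain check is a flag, not the control: an account that has actually been compromised sends from the genuine domain, which is why the callback to the number on file is required even when the sender looks right. The lookalike detection only catches the cheaper variant of the scheme.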

What the Right IT Partnership Looks Like

Logistics and intermodal companies have specific requirements that not every managed IT provider can genuinely meet. When evaluating an IT and security partner for your operation, the questions that matter most are:

  1. Do they understand EDI? Not at a surface level — do they actually know the difference between AS2 and VAN-based EDI, understand trading partner credential management, and have experience auditing EDI security configurations? If the answer is vague, they haven't done this before.
  2. Can they support your RTO? What is their SLA for response to a TMS-down event at 2:00 AM on a Saturday? "Business hours support with emergency escalation" is not the same as genuine 24/7 operational support. Get the specifics in writing.
  3. Do they understand C-TPAT and TSA requirements? Your IT provider should be able to describe how their service helps you maintain C-TPAT compliance and what documentation they generate that supports a CBP validation. If they're learning about C-TPAT from your question, that's a yellow flag.
  4. Have they tested a full TMS restoration? Not just for you — in general, with comparable logistics clients. Ask for their recovery testing methodology and what their documented RTO experience looks like for TMS-class systems. Theoretical backup architecture is very different from demonstrated recovery capability.
  5. What does their supply chain security posture look like? A managed IT provider that accesses your systems remotely is itself a potential supply chain attack vector. Ask about their own security certifications, their access control policies, and their incident response procedures for scenarios where their own systems are compromised.

The bar for IT and security in logistics is higher than it is for most industries, because the operational stakes are higher, the regulatory environment is more demanding, and the threat landscape is more sophisticated. Meeting that bar requires an IT partner who has done this work before and understands both the technology and the business context it operates in.

IT Center has been working with logistics and transportation companies in Southern California since 2012. At $300 per computer user per month, our managed IT service covers the full stack — 24/7 monitoring and support, cybersecurity, EDI security management, compliance documentation, backup and recovery architecture, and the strategic IT guidance that helps logistics companies scale their operations without scaling their risk. Call us at (888) 221-0098 to talk through what your current exposure looks like and what it would take to close the gaps.

Protect Your Intermodal Operation Before the Next Attack Targets Your Industry

IT Center provides managed IT and cybersecurity for logistics and transportation companies across Southern California. We understand EDI systems, C-TPAT compliance, TMS dependencies, and 24/7 operational requirements. One conversation with our team can identify your most critical exposure points — before someone else does.
