Cyber Security at Sea: The Real Threats
The maritime cyber security landscape is a confusing place. On the one hand, you have commercial providers suggesting the risks of everything from a hostile attack on ship’s systems which allows the vessel to be remotely controlled by pirates and direct it to a port of their choice, or causing a catastrophic navigation errors, a phishing attack or ransomware on the Master’s PC. While on the other, you have sensible people who point out that this notion is nonsense due to the number of fail safes and manual overrides and controls in place.
Then there are calmer voices still, who point out that the most likely threat is actually to the servers inside your head office, or a man in the middle attack on your company’s bank accounts.
Recognizing the threats
So what are the real, documented, current threats to the shipping industry from cyber criminals? Here, we hope to offer some genuine guidance without scaremongering. We’re not trying to sell you anything. We’re just trying to make sure you know what the risk of simply doing nothing is.
Much has been made of the threat to vessels on the water from hackers. However, there is only limited available credible evidence to support claims of hacks at sea. Rather, the real threats on the water come from a lack of crew training and awareness and a culture which turns a blind eye to crew using their own devices at work (Bring Your Own Device, or BYOD) and plugging them into ship systems to charge them, thereby possibly releasing a malware they may have been inadvertently carrying onto the vessel.
Maritime cyber security survey results
In 2017, I.H.S. Fairplay conducted a maritime cyber security survey, to which 284 people responded. 34 percent of them said that their company had experienced a cyber attack in the previous 12 months. Of those attacks, the majority were ransomware and phishing incidents; exactly the same sort of incidents affecting companies everywhere, and not at all specific to the maritime world.
The good news is that only 30 percent of those responding to the survey had no appointed information security manager or department, meaning that the majority of companies have a resource able to respond and mitigate any attack.
However, the survey did reveal that there are still a lot of employees who have not received cyber awareness training of any kind, which means the shipping industry must try harder, for its own security.
Additionally, only 66 percent of those questioned said that their company had an IT security policy, which is a serious cause for concern; IT security cannot be approached on an ad hoc, incident by incident basis. It’s the security equivalent of plugging holes in a hull with cardboard.
To underline that, 47 percent of those questioned believed that their organization’s biggest cyber vulnerability was the staff. Hardly a glowing endorsement but, if you don’t train your staff to be aware of threats, it’s not surprising.
Mitigating the risk – train your staff
Imagine you’re in charge of a company. You trust your staff to do everything. Except, it seems, ensure your bank accounts aren’t handed over to cyber criminals or that your network is exposed to ransomware or malicious attack.
It would seem to be a rather curious way to run a company.
The key to mitigating cyber crime is training. Yes, you can put posters up; send company memoranda out; promote industry guidelines. But how many of your staff take those in? A robust workplace IT security policy is the first step, but that can only work when also supported by a training course where employees can see the risks through demonstrations, simulations and good teaching.
There are very simple changes that any company can make to ensure better security in the workplace. From enforcing a zero tolerance on BYOD, which is often disliked by the crew, to separating crew and administrative or operational networks, blanking unused USB ports and requiring monitors be turned away from public view to prevent “shoulder surfing” and a rule that all computers go into secure sleep mode when left unattended.
For staff dealing with accounts, additional rules may be required to ensure the risks of phishing and social engineering (whale attack) are reduced.
You don’t think your company is at risk? In November 2016, Europe’s largest manufacturer or wires and electrical cables, Leoni AG, lost £34 million in a whale attack, when cyber criminals tricked finance staff into transferring money to the wrong bank account.
£34 million. Lost… That should be read out to every board of directors.
And similar attacks take place every week.
In the last six months, the shipping industry has seen several incidents in the sector, ranging from a data breach at Clarksons through to the damage done to Maersk by the WannaCry NotPetya variant sabotage/ransomware incident, which the company believes cost it as much as $300 million.
These are some of the reasons for the creation of the Maritime Cyber Alliance, a project created by CSO Alliance in partnership with Airbus Defence & Space. The aim is simple: connect maritime and oil and gas chief information security officers via a secure, private platform, allow verified cyber intrusions to be reported anonymously and provide members with threat alerts and tools to analyze malware and prevent attacks as well as offering workshops to promote best practice in the industry and listen to concerns.
February saw the Alliance participate in four workshops across the U.K., in Aberdeen for the offshore industry; Edinburgh for the ports community and Glasgow for ship management. Guest speakers included Kewal Rai, Policy Adviser for Cyber Security with the Department of Transport, Sergeant David Sanderson from Hampshire Police, Vic Start, Thomas de Menthiere and Jean Baptsiste Lopez of Airbus, among others.
Among the concerns raised by attendees were questions on mitigation of attacks, the impact of E.U.’s General Data Protection Regulation (GDPR) on the U.K. and how Airbus was delivering its solutions to users of the site.
The Alliance is already gathering detailed cyber crime incident reports from industry. We’ve seen an examples from shipowners who lost two days’ hire due to malware contamination via a USB stick, invoice fraud in the port, superyacht and ship broker sectors. The latter saw a ship broker’s systems compromised by criminals who altered payment details to steal £500,000.
Luckily, in that case, the company’s quick reaction, a court order and a rapid forensic investigation ensured they recovered the missing funds. We are starting to see multiple attempts of invoice fraud using privileged information, which means a vendor’s company accounts have been compromised. The timely sharing and analysis of information will grow with the increased cyber crime report data flow via the Cyber Alliance’s crime reporting servers, based in Iceland in order to ensure anonymity. The solution, of course, is to ensure your company requires multiple sign-offs for any payments over a certain amount and pick up the phone to verify and vendor bank account changes. The risk of getting it wrong could bankrupt you.
There’s clearly a need for industry to take the lead on protection and, hopefully, the Maritime Cyber Alliance will enable that. Further workshops, which are all free to attend, are planned for the coming months.
The next major hurdle facing companies around the globe comes in the shape of the GDPR, which comes in to force in May 2018. It will affect companies in every sector, but the maritime industry in particular, given its global reach.
In essence, the GDPR is the first data protection measure to affect the entire world. If your company holds or processes the personal data of E.U. citizens, people working for E.U. entities or trading with the E.U., then you’re affected and will need to ensure that you’re compliant with the new regulations. Failure to do so will result in huge fines. GDPR’s definition of “personal data” is far broader than previous regulations, meaning that any information which can be used to identify an individual falls under it.
The new regulation introduces Privacy Impact Assessments (PIAs), which means that companies will be required to conducts PIAs wherever privacy breach risks are high in order to minimize risk to data subjects. Many companies may have to hire data protection officers in order to ensure compliance, while those companies dealing with EU crews will also want to take note of their liabilities in this regard.
The good news is that GDPR will also bring in common data breach protection notification requirements, so companies will be forced to report any breach of their systems within 72 hours, thus ensuring industry awareness and a better response time to potential vulnerabilities. This, in itself, may require staff training and is yet another aspect of GDPR companies need to be aware of.
For companies doing business in the E.U., which covers a vast swathe of the maritime industry, the NIS Directive covering network and information security also comes in to force in May 2018. In the U.K., the government has announced that organizations working in critical services like energy, transport, water and health can be fined up to £17 million as a “last resort” if they fail to demonstrate that their cyber security systems are equipped against attacks.
The NIS Directive requires organizations to have the right staff in place and the proper software to mitigate cyber attack and intrusion. Private and public companies in each sector will be evaluated by regulators who will vet everything from infrastructure and issue fines for firms who fail.
“Network and information systems give critical support to everyday activities, so it is absolutely vital that they are as secure as possible,” said Ciaran Martin, U.K. National Cyber Security Centre CEO, in a statement.
Ultimately, the new regulations will be of benefit to everyone, but ensuring your company meets the right standards will be crucial. The days where maritime cyber security amounted to just making sure you turned the office PC off are long gone. Today, cyber security demands board room level attention as well as vigilance from all employees, be they in head office or out on the water.
David Rider is Spokesman for CSO Alliance.
The opinions expressed herein are the author's and not necessarily those of The Maritime Executive.