For the last several years, the International Maritime Organization has been discussing the possible implications of cyber-attacks for global commerce. Last June, the IMO published its Interim Guidelines on Maritime Cyber Risk Management with the intent to provide a risk management framework and prevent large-scale cyber-attacks. These threats manifested themselves on Tuesday when A.P. Moller-Maersk was hit by the global “Petya” cyberattack.
The Petya ransomware exploited the same Microsoft Windows vulnerability (dubbed EternalBlue) as the WannaCry ransomware program, which infected thousands of computers in May. That ransomware spread through a vulnerability that had been patched, but the patch was unavailable for unsupported versions of Windows. Petya had a similar effect on the Danish shipping company, forcing them to shut down systems to contain the attack. Though Maersk’s ships were able to safely maneuver, Maersk’s APM Terminals unit was unable to handle cargo at select sites around the globe. Multiple ports were affected, including the Port of Los Angeles, Port of Rotterdam and Jawaharlal Nehru Port Trust.
The attack came just days after the IMO Maritime Safety Committee (MSC) 98 meeting, where a new paper proposed making cyber risk management onboard ships mandatory. Previous International Union of Marine Insurance guidelines made these requirements voluntary. These risk assessments were developed by shipowners' associations and classification societies, like BIMCO, the International Chamber of Shipping (ICS), Intertanko, Intercargo and Cruise Lines International Association (CLIA).
MSC 98’s cyber risk management proposal arrives as the shipping industry is leaning heavily towards digitization and automation. In May 2017, Maersk published a statement announcing that they were partnering with IBM to digitize their administrative processes and transactions with blockchain technology. Other partnerships with companies like Microsoft promise to streamline supply-chain management and lower operational costs through data science. Additionally, several shipping companies are beginning to test autonomous operations onboard ships.
While the industry is developing in a direction that will likely increase efficiency and decrease costs, the necessary safeguards to protect these automated systems are not fully realized. The Petya ransomware illustrated the potential effects of a cyberattack on a major shipping company and port terminals. The attack could have been far more severe, affecting navigation or engineering systems on merchant ships, with possible threat to human life or to the environment.
If shipowners begin to take accountability for cyber security, the industry is likely to progress towards a less vulnerable state. Initiatives to harden their digital infrastructure will take considerable time and resources. These actions will require significant threat modeling, including penetration testing, table-top exercises and periodic audits. The progressive move towards an automated and digitized shipping infrastructure increases the urgency of these corrective actions, as existing vulnerabilities could be exploited by attackers for financial gain or strategic objectives.
The proposal from MSC 98 called for ships to identify cyber risks and implement safeguards. The meeting also recommended that these safeguards take effect under the International Safety Management (ISM) Code, with a deadline of January 1, 2021. Owners could risk having their ships detained if they fail to meet the ISM standards for cyber risk.
While there have been previous incidents of cyber-attacks on merchant shipping, the Petya ransomware illustrates the potential effects of well-executed hacking. 2021 is a practical deadline for ship owners to implement cyber risk management frameworks, but it is unclear if existing cyber practices can meet the rapid pace of new technology onboard ships. The shipping industry will have an uphill battle to implement safeguards and identify methods to assess vulnerabilities. The consequences of failure to meet these standards could affect not only the ship owner, but global commerce as a whole.
Ian Gray is a cyber intelligence analyst for cybersecurity firm Flashpoint. He is a Navy veteran and a former naval science instructor at Kings Point.
Any views expressed within this report are solely the author’s and are not necessarily reflective of any organization with which he is associated.
The opinions expressed herein are the author's and not necessarily those of The Maritime Executive.