Building Resilience
The shipping industry needs to up its game in defending against cyber attacks.
(Article originally published in Sept/Oct 2018 edition.)
A recent story in Wired, a popular technology magazine, makes for uncomfortable reading for any employee at AP Møller Maersk, the Danish shipping conglomerate. The article lays bare, in detail, the impact the ransomware attack had on the company last year. But the story should also act as a wake-up call for many other actors in the maritime industry, a sector that experts are almost yelling at to make itself more cyber-resilient.
According to a recent report backed by IBM, the average cost of a data breach is now $3.86 million, up 6.4 percent from last year. The same report, the result of a study by the Ponemon Institute, a U.S.-based business consultancy, found that the likelihood of a company that had been the victim of an attack suffering a second hack is 30 percent.
The report covered all industry sectors – transportation and, in particular, the shipping industry, were not singled out – but experts such as Max Bobys, Vice President of HudsonCyber, point out that shipping really does need to “up its game.” It’s up to all companies to really begin to gain more awareness of cyber risks, something that is increasingly called cyber resilience or cyber hygiene.
What should also be alarming about the study, which was based on a range of industries that – unlike shipping – have been reacting to cyber threats for years, is the finding that it takes more than half a year on average to identify or notice a breach or incident, and then an additional 69 days to contain it.
Threat Vectors
A data breach is one type of cyber threat and so is ransomware, where a company’s systems are shut down by a virus until a ransom is paid. The latter is what happened to Maersk and COSCO. These attacks on two of the biggest shipowners in the container industry were perceived and often reported as hacks, but they were not. To some extent and according to the experts, they were accidental.
“They were actually collateral damage from nation-state attacks,” says Ken Munro of Pen Test Partners in the U.K., adding that in this respect they were accidents. “I believe the aggressors in the Maersk case did not fully consider that the companies they were attacking were, in many cases, international companies with links across the world.”
Munro is an ethical or “white hat” hacker. The bad guys are the “black hats” and those in the middle, like kids who hack into company websites just to see if they can but do not try and take anything, are “grey hats.”
Munro has been in the cyber business for about 25 years. You name it, he can likely get into it. He worked through the dotcom boom when financial institutions saw the potential, and risks, of unprotected data platforms. He enjoys demonstrating the ease with which he can gain access to a ship’s satcom system if shipowners and communications firms have failed to set up suitable safeguards.
So if the incidents with Maersk and COSCO were accidental, the question becomes: What happens when attacks are deliberate? According to Munro, shipping is now a clear target for criminals who can easily pay hackers enough to cause disruption.
Code of Silence
Munro points out that the maritime industry is hampered by a continued reluctance to talk about any breaches. Nearly all his company’s clients have had some sort of incident or other, he says, and some think cyber security is all about just fitting a new firewall or new detection system.
It’s more than that. Cyber resilience is all about having the right attitude and awareness and – given the huge financial implications like the business loss for Maersk and the stock price impact on Sony, which suffered multiple breaches – the issue needs to be addressed from the board level down and not just from the IT department.
A hacker can be very sophisticated and gain access in many different ways. Once inside, he can find ways to move around a business, either by phishing or using connected systems. This also means accessing shipboard systems after gaining entry through a vulnerability elsewhere in an enterprise.
Munro points to other vulnerabilities and says owners need to make sure that any system suppliers, even satellite communications companies, demonstrate their cyber security. He points to the ability to gain the IP address of absolutely any connected device.
A website called Shodan started a few years ago and has grown to become a catalogue of connected devices – the so-called “Internet of Things.” But it’s not only a list of available webcams, refrigerators or other household devices. There are also commercial systems. And as shipping has become connected, satellite systems, AIS services and other maritime connectivity tools are also there to be found.
“The availability of much more affordable satcoms has become a game changer,” says Munro.
And how hard is it for a skilled hacker to gain access? “We have seen examples of kids affecting positioning of ships,” Munro says, “but some of the ways to do this may be technically complex at first to find the vulnerabilities. But once found and documented, anyone can use them.”
Building Resilience
Shipowners and technology firms that cater to them need to build up a cyber-resilient posture, which means doing a number of things across an organization. As HudsonAnalytix founder and CEO Cynthia Hudson points out, change does not come automatically or easily. But other industries have done it, so it’s not impossible.
Change will come slowly and will require a collaborative effort on the part of shipowners and ports, shippers and manufacturers of systems that are deployed. But all need to talk more openly about the risks and about previous attacks in order to share experiences. Hudson says the general guidance that organizations such as IACS and BIMCO have issued is a good start on the path to building up resiliency, but that there’s a lot more that owners should be doing to reduce risks.
Even small and medium-size enterprises need to recount past experiences and be prepared to talk about common standards. Anne-Grete Ellingsen, CEO of a south Norwegian cluster organization called GCE NODE, says companies in the region are advancing technical systems for monitoring, automation and data-sharing in the oil and gas and maritime fields.
One core development has been the creation of a common data carrier standard, known as OPC universal architecture. As long as major OEMs accept it and do not try and build their own information networks, there’s a better chance of building systems that are secure, says Ellingsen. But she also points to the reluctance of companies to be open about their experiences with attempted hacks or other attacks.
CL 380
Another way to enable companies to up their game in cyber resilience is to engage more with the insurance industry. A policy clause in business insurance, CL 380, exempts cyberattacks from cover.
Hudson points out that there are some insurance covers for cyber risk, but generally the insurance companies lack an understanding of the risk. Because of ambiguity or a lack of information, they shy away from cover.
There have been some calls for clauses such as CL 380 to be cut from policies as systems are now available to help give a fuller cyber oversight. Naval Dome is one such company. At the recent Cape Town annual conference of the International Union of Marine Insurance, CEO Itai Sela said the insurance industry needs to change what he calls an archaic clause.
While he was of course alluding to his own company’s product as an example of how technology for the maritime sector has advanced, he also pointed to the general advancement of autonomous and machine learning technologies that will change the way ships are operated. New risks will be created that need to have policies and systems in place to help mitigate them.
But while Naval Dome is calling for a change to a clause that is 15 years old and applied long before ships became connected extensions of the office and the transport and logistics chain, there are already some P&I clubs and insurers that are addressing the issue.
The Norwegian Hull Club, for example, says it already has cyber insurance that it believes is the first of its kind with a two-level approach. It has a policy providing both (a) cover for incidents that would otherwise not be recoverable due to the CL 380 exclusion and (b) a loss prevention and operational intelligence service focusing on the BIMCO guidelines, a general recognition by the customer of cyber awareness, and the club’s own cyber loss prevention assistance and cyber response.
So a shipowner or manager can have the cover if they demonstrate a committed approach to cyber resilience. – MarEx
Craig Eason is a maritime journalist based in Stockholm.
The opinions expressed herein are the author's and not necessarily those of The Maritime Executive.