Cyber Pirates
"All war presupposes human weakness and seeks to exploit it." – Carl von Clausewitz, On War
(Article originally published in Sept/Oct 2022 edition.)
Swashbuckling pirates and sabotage on the high seas have gone digital. Ransomware has replaced the cutlass. In fact, the entirety of modern conflict has evolved into Fifth Generation Warfare with information and perception as its framework. Often referred to as the "Gray Zone" or "hybrid warfare," the term encompasses cyberattacks, nonviolent economic pressure and disinformation campaigns.
It’s the weaponization of anything.
The threat is massive and echoed by many. Klaus Schwab, Founder & Executive Chairman of the World Economic Forum (WEF) – whose October 2019 pandemic tabletop exercise, “Event 201,” and the “SPARS” scenarios accurately predicted a coronavirus – has issued a new warning. During the 2021 WEF Cyber Polygon exercise, Schwab flagged "paying insufficient attention to the freighting scenario of a comprehensive cyberattack, which would bring to a complete halt to the power supply, transportation, and hospital services…the Covid-19 crisis would be seen, in this respect, as a small disturbance in comparison to a major cyber-attack."
In August, U.S. Coast Guard Cyber Command (CGCYBER) released its 2021 Cyber Trends and Insights in the Marine Environment. The report notes: "Though the number of reported incidents has increased 68% from 2020 (47 cybersecurity incidents in 2021), we believe many other incidents go undetected or unreported. Cyber-criminals are now using focused ransomware attacks in multi-extortion style campaigns with hopes of ensuring a higher, more guaranteed payout with several large-scale incidents affecting multiple organizations at once.”
As maritime executives, it's essential to understand the level of risk, attack surfaces and other considerations. Here are some perspectives from around the industry.
Hackers
Kristian Bischoff, an Intelligence Analyst for Denmark-based Risk Intelligence, says, "Cyber is one of the most effective weapons in the gray zone before a war. It's unattributable, and you don't know from where it comes. You can do many shaping operations, espionage, and plant malware."
Tipping their hat to a love of American movies – while stealing the playbook from the 1995 film Hackers – leaked classified research from Iran's cyber unit revealed secret plans to cyberattack a cargo ship by filling up ballast tanks on one side to capsize.
"Cyber piracy, where a vessel is held for ransom, does exist," Bischoff says, but wonders how damaging that would actually be: "If you really want to perform destructive activities, interested parties still maintain classic methods such as kinetic weapons. On the other hand, if states or terrorists want to inflict real damage, blowing a hole in the side of a vessel will get better pictures and publicity."
He adds that, "The Ukraine conflict has kept us busy, but ransomware is still the primary threat. It's criminals out to make money, and it works for them – particularly targeting companies that can pay, as most shipping companies have that liquidity. Although it might seem sexy to shut down operational technology such as a port's crane, the easiest attack surface is still through the business information technology side – such as someone's banking system, planning software or container schedules, and then cripple what makes the company run. We saw this during the NotPetya cyberattacks."
Unified Requirements (URs)
Ian Bramson, Global Head of Industrial Cyber Security for ABS, reminds us that the Colonial Pipeline incident was "A warning bell for the industry and a dinner bell for bad guys. Even if companies do spend significant resources on cybersecurity, they still need to plan for potentially being shut down and having all the continuity of business in place. The person in charge of cybersecurity in most companies rarely has the technical skills to address the threats properly, so having an expert is quite important."
Complementing "UR E22 On Board Use and Application of Computer based systems," the International Association of Classification Societies’ Joint Working Group on Cyber Systems has adopted two new unified requirements, "UR E26 Cyber resilience of ships" and "UR E27 Cyber resilience of the onboard systems and equipment."
Both are to be implemented on ships contracted for construction on or after 1 January 2024. They’re based on the IMO's Maritime Cyber Risk Management in Safety Management Systems (Resolution MSC.429(98) and Guidelines on Maritime Cyber Risk Management (MSC-FAL.1/Circ.3). Subgoals include:
- Identify: Develop an organizational understanding to manage cybersecurity risk to onboard systems, people, assets, data and capabilities.
- Protect: Develop and implement appropriate safeguards to protect the ship against cyber incidents and maximize continuity of shipping operations.
- Detect: Develop and implement appropriate measures to detect and identify the occurrence of a cyber incident onboard.
- Respond: Develop and implement appropriate measures and activities to take action regarding a detected cyber incident onboard.
- Recover: Develop and implement appropriate measures and activities to restore any capabilities or services necessary for shipping operations that were impaired due to a cyber incident.
These requirements apply to all Computer Based Systems on board vessels including those not critical to safety (following the categorization in UR E22, as shown in the table below).
Phishing
Max Bobys, Vice President of HudsonCyber, says the most significant threat is phishing, where an attacker sends a fraudulent message to deploy malware or extract sensitive data. Phishing results in the vast majority of cyber breaches that organizations face.
"The growth curve is unbelievable.” Bobys notes. “Phishing attacks continue to evolve and are becoming more sophisticated. While tools are available to defend against this threat, they are not perfect. Ultimately, the best defense is cyber awareness training of staff."
Ransomware is another major challenge – highly lucrative and extremely easy to execute – and maritime organizations should look at cyber risk management within a business and operational context.
“There are a lot of other threats,” Bobys adds, “but it must be noted that the human represents a significant threat – best characterized as the ‘insider threat.’ Verizon's annual threat reports constantly highlight how insider threats cause significant percentages of breaches. Certainly, there always exists the potential for malicious insider actions, but most insider threat actions are through mistakes that are made. Often such mistakes are merely a lack of awareness."
He points to the insurance industry for corroboration: “Insurers have recently been hammered on the issue of ransomware and, as a result, policy language is quickly changing. For example, we now talk extensively with insurers regarding the challenge of aggregated cyber risk at a portfolio level."
Cyber Insurance
Standard Club, a mutual insurance association and member of the International Group of P&I Clubs, in a recent episode on cyber threats for their Alongside podcast, hosted Daniel Ng, CEO of CyberOwl, and Georgie Furness-Smith, Senior Cyber Underwriter and Head of Maritime Cyber at Axis Capital.
U.K.-based CyberOwl recently raised $5.1 million in funding to expand support for maritime. CEO Ng says, "The vast majority of cyber risks on shipping systems are small. I think we build up this view of cyberattacks and shipping systems a little bit like a James Bond scene straight out of that storyline, where you've got the manifesting of attacks on computers that ground ships to a halt and drive them into reefs.”
The reality is much different, he adds: “Most of it comes from bits of ransomware, extortion criminals trying to make a quick buck from a shipping company. And that's what we end up seeing most of the attacks manifest."
When asked why the insurance issue has become more critical, Furness-Smith from Axis Capital responds, "Firstly, owners are far more aware of the rest of their business. And they know they have a gap in their coverage from their hull and machinery policies. So any property damage to their hull policies because of a cyberattack would not be covered. Essentially, they need a separate cyber insurance policy for that. And then, secondly, we've seen the severity and frequency of cyberattacks increasing over the years."
A stark reminder to owners and operators that their policies should be up to date.
Good Cyber Hygiene
Cleanliness is next to Godliness. The saying holds for cyber hygiene as well. With the human factor the most significant risk variable, it's vital that staff and crew are instructed on how to act. As a refresher, think twice before clicking on a link you don't trust.
"There are never any singles in your area." Bischoff jokes. "If you find a thumb drive in your office or parking lot, don't pick it up and plug it into your system. Always keep your security software updated to the latest version. The threat is here now, so don't wait for an incident to occur.”
For more resources, BIMCO's Guidelines on Cyber Security Onboard Ships is required reading for maritime cyber defense.
Alas, ye mariners, beware! For ye Jolly Roger no longer flies on the mast of pirate ships giving forewarning. Instead, the skull and bones now pillage for booty in stealth by way of 0s and 1s. – MarEx
Singapore-based Sean Holt is a frequent contributor to the magazine.
The opinions expressed herein are the author's and not necessarily those of The Maritime Executive.