As the maritime industry’s reliance on computer-based systems increases, so do cyber-attacks against it. From the almost-accidental NotPetya ransomware attack on Maersk, to the hacks of the ports of Barcelona and San Diego, cybercriminals are increasingly targeting the maritime industry.
Nanyang Technological University’s Cyber Risk Management (CyRiM) Project estimates a single cyber attack on major Asia-Pacific ports could cost $110 billion. That’s roughly equivalent to half of all losses from natural catastrophes globally in 2018. Of this, insurance would only cover about 8%.
Critical safety and security systems that rely on computers are an invitation and a challenge to cybercriminals. Old systems, out-of-date software, operating systems and firmware, and increased connectivity for remote monitoring present tempting targets for attackers.
What is a cyberattack?
Before you can secure your area or defend against an attack, you need to understand the situation and the enemy’s resources.
Like physical attackers, cyberattackers have a variety of motivations and methods. For a script kiddie or amateur hacker, hacking may be a puzzle game or competition, while black-hat hackers and organised attackers aim for financial gain, cyber espionage, or ideological goals.
Cyber attacks are constantly evolving. Broadly speaking, they can attack either information technology (data on computer systems) or operational technology (computer-controlled physical systems) for one of four objectives:
- copy data;
- modify data;
- deny access to systems or data; or
- take control of systems.
Data theft and alteration are hard to spot. Would you notice if criminals sold – or changed – your data? Are pirates interested in your route planning data or your crew list? Would you notice any unauthorised additions to your cargo manifest?
Ransomware, like the NotPetya attack on Maersk, is a growing problem. It encrypts the data on a computer, denying you access unless you pay a ransom. Denial-of-service attacks deny access to the data on a site by overloading the servers with requests.
These are a problem, but attacks on operational technology (OT) can cause greater physical damage. A hacker who controls a ship’s ballast system or loading computer could capsize the ship. Introducing errors in the hull stress monitoring system could break the ship in half. Do your crew plug mobile phones or USB devices into your critical systems?
What is cybersecurity?
In the US principles of war, security results from the measures taken by a commander to protect their forces. Cybersecurity is the same. To protect your people, systems and organisation, you need to know and understand the threats and plan adequate security measures to counter them. Under Resolution MSC.428(98), the IMO encourages Administrations to ensure that cyber risks are appropriately addressed in safety management systems by the end of 2021.
In MSC-FAL.1/Circ.3 Guidelines on maritime cyber risk management, the IMO advocates a five-step risk-based approach to cybersecurity:
- identify the systems, assets, data and capabilities that, when disrupted, pose risks to ship operations;
- implement measures to protect against a cyber-event;
- develop and implement measures to detect a cyber-event in a timely manner;
- develop plans to respond to a cyber-event; and
- identify measures to back-up and restore necessary systems after a cyber-event.
1. Identify your critical and vulnerable systems
Whether you’re a ship, a port, or a shipping company, your industrial control systems (ICS), human machine interfaces (HMI) and databases are tempting targets. According to Pen Test Partners, the main shipboard targets are physical security, communications, industrial control systems, loading and stability systems, ship and crew networks, navigation systems, and updating and remote administration systems.
The ENISA Port Cybersecurity Report lists common port target systems as vessel berthing, loading and discharge, temporary storage, distribution and transfer, support, security and safety, and authorities. To complicate matters, port systems are usually operated by different companies, so they need to interface with other companies’ systems.
Even if we disregard databases, modern ports constantly add new ICS to their networks. Computer systems manage port security and access, RFID and optical recognition of containers, and many cranes. Many of these systems are online; even those that aren’t are vulnerable to malware from an infected portable device.
Several governments, organisations and classification societies, including the UK Government (ships, ports), DNV-GL, ClassNK, and a consortium including BIMCO, OCIMF and the ICS have issued guidelines for cyber security in maritime. These provide an excellent starting point to assess the threat landscape and identify measures to protect your systems.
2. Protect your systems
Even among the less technically inclined, basic cyber hygiene practices such as strong passwords, up-to-date anti-virus and firewall software, regular scans, software updates, and appropriate user privileges are becoming common knowledge. But it’s not enough just to protect the network. Network segmentation helps, but if an attacker gets into the network every individual system needs its own defence to slow or prevent the attack from spreading.
Your employees are your primary weakness – and your first line of defence. They’re the ones who will click a link in a phishing email, or plug an infected USB device into the network. They’re also the ones who will detect early warning signs of a cyber attack, or notice an unusual device plugged into the back of a computer. Training your crew and employees is critical, and the regular Phish and Ships newsletter is an effective way to get started.
3. Detect a cyber attack
The basic steps to detect a cyberattack are:
- be aware of all devices connected to the ship systems and networks;
- establish procedures to detect unusual activity on the ship or port systems; and
- constantly scan the network for problems, including signs of physical tampering with network-connected devices.
Non-technical folk can check the company website for odd changes, monitor alerts, and use automated threat detection software. Professionals can monitor and review logs for suspicious activity, or set up honeypots to trap attackers.
Again, it’s not all up to the cybersecurity professionals – although they’re definitely important! Train your crew and employees to detect early signs of attack, and take their reports seriously. They use the systems regularly, so they’ll often be the first to notice changes.
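One way to carry out the first detection step above (knowing every device connected to ship systems and networks) is to compare what the network actually sees against an approved inventory. The Python sketch below is an added example, not code from any guideline or vendor named in this article; the inventory, the OT/crew addressing plan and the sample neighbour table (in the format printed by `ip neigh show` on Linux) are all constructed for illustration.

```python
import ipaddress
import re

# Constructed approved inventory: MAC -> (device name, segment it belongs on).
INVENTORY = {
    "00:1b:44:11:3a:b7": ("ECDIS workstation", "ot"),
    "00:1b:44:11:3a:c9": ("Loading computer", "ot"),
    "3c:52:82:aa:10:02": ("Crew mess PC", "crew"),
}
# Constructed segment plan (hypothetical addressing).
SEGMENTS = {
    "ot": ipaddress.ip_network("10.10.1.0/24"),
    "crew": ipaddress.ip_network("10.10.20.0/24"),
}
# Constructed sample in the format printed by `ip neigh show`.
SAMPLE_NEIGH = """\
10.10.1.11 dev eth1 lladdr 00:1b:44:11:3a:b7 REACHABLE
10.10.1.12 dev eth1 lladdr 00:1b:44:11:3a:c9 STALE
10.10.1.57 dev eth1 lladdr a4:83:e7:5d:90:1f REACHABLE
10.10.1.60 dev eth1 lladdr 3c:52:82:aa:10:02 REACHABLE
10.10.20.31 dev eth2 FAILED
"""
NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-fA-F:]{17})\b")


def segment_of(ip):
    """Return the name of the planned segment containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in SEGMENTS.items() if addr in net), None)


def audit(neigh_output, inventory=INVENTORY):
    """Return (ip, mac, finding) for every observed device needing follow-up."""
    findings = []
    for line in neigh_output.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:  # entries with no resolved MAC (e.g. FAILED) are skipped
            continue
        ip, _dev, mac = m.groups()
        mac = mac.lower()
        seen_on = segment_of(ip)
        if mac not in inventory:
            findings.append((ip, mac, f"unknown device on {seen_on} segment"))
        elif inventory[mac][1] != seen_on:
            name, home = inventory[mac]
            findings.append((ip, mac, f"{name} belongs on {home}, seen on {seen_on}"))
    return findings


if __name__ == "__main__":
    for ip, mac, finding in audit(SAMPLE_NEIGH):
        print(f"{ip:<12} {mac}  {finding}")
```

MAC addresses can be changed by whoever controls a device, so a clean result is a baseline check rather than proof that every device is what it claims to be; findings should feed the reporting procedures described in this section.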
4. Respond to the attack
Detecting a cyberattack isn’t enough – you have to know how to respond. Cybersecurity professionals can help you develop and implement a comprehensive response plan. Your response plan should identify the scale of the attack, assess the impact and limit the damage.
5. Recover from the attack
Backups are critical in recovering from a cyber attack. Data backups, system images and backup systems help to restore critical services. When creating your backup strategy, it’s important to ensure you isolate your backups, preferably off-site. This helps to prevent malware from corrupting your backups, or a fire in one location from destroying them completely.
Recovering from a cyber attack isn’t only about getting your systems up and running. If you don’t find out what happened and learn from it, it will happen again. Review your cyber risk assessment. Find out how the attacker gained access to your systems, and amend your risk mitigation strategies and procedures to prevent it from recurring.
How can cybersecurity companies help?
No-one can be an expert in every aspect of running ships, ports and shipping companies. Cybersecurity professionals have a better understanding of the complex and ever-changing cyberthreat landscape than the rest of us. From monitoring networks for an attack to network audits and penetration testing, they know what they’re doing. The maritime industry poses unique challenges, but a few companies actually specialise in maritime cybersecurity.
Cyberprism Maritime’s team of experts offers a full range of cyber-attack protection solutions, including a risk assessment framework, on-board surveys, a cybersecurity platform to protect your network, response, investigation, and training.
As well as covering compliance, regulations and best-practices, their online or in-person training can include simulated attacks on ship systems. This can teach employees to identify and respond to an attack in progress.
Pen Test Partners
Penetration testing, also known as pen testing or ethical hacking, involves employing hackers to break into your systems. In the process, they can identify any weaknesses in your systems and recommend ways to fix them.
Pen Test Partners can carry out a tactical security audit of your vessel and help create a security strategy in line with current guidelines. With ex-seafarers on the team, they have an intimate understanding of ship security.
Cyberowl uses machine learning to detect anomalous activity and known cyberattack techniques. This helps identify suspicious or insecure behaviour, unauthorised workarounds to security controls, and non-adherence to usage policies.
The system is designed for distributed networks on operational assets with intermittent connectivity and limited bandwidth, making it perfect for shipping. The evidence it provides makes it easier to demonstrate compliance with Class and IMO cyber guidelines, taking the stress out of inspections.
Cydome’s team includes cybersecurity, data protection, disaster recovery, and OT experts, as well as former naval officers. Their cyber solution for the maritime and naval internet-of-things (IoT) ecosystem includes guidance, sensor, control, command, and communication systems, and provides end-to-end protection and automatic threat detection.
Naval Dome’s stand-alone cyber defence solution for mission-critical onboard systems blocks internal and external attacks and integrates with existing systems and software. Their HQ Dashboard provides head office with cyber alerts and an overview of the fleet.
Computers in maritime aren’t going away, so we need to take the risks seriously. The isolation of ships, the critical nature of the shipping industry in international trade, and the high monetary value of cargoes make shipping an easy, high-value target for hackers.
Between February and June 2020, Naval Dome’s CEO Itai Sela noted a 400% increase in attempted maritime hacks. He explained, “… we are seeing ship and offshore rig staff connecting their OT systems to shoreside networks, at the behest of OEMs [original equipment manufacturers] … to carry out diagnostics and upload software updates and patches themselves… Some of these are legacy systems which have no security update patches and are even more susceptible to cyber attack. The increase in OEM personnel working remotely on home networks and personal PCs, which are not well protected, adds to the problem.”
Cybersecurity in maritime isn’t a problem we can leave for tomorrow – tomorrow might be too late.