SHIPPERS GUIDE
A Guide to Cybersecurity In Maritime
As the maritime industry’s reliance on computer-based systems increases, so do the cyber-attacks. From the almost-accidental NotPetya ransomware attack on Maersk, to the hacks of the ports of Barcelona and San Diego, cybercriminals are increasingly targeting the maritime industry.
Nanyang Technological University’s Cyber Risk Management (CyRiM) Project estimates a single cyber attack on major Asia-Pacific ports could cost $110 billion. That’s roughly equivalent to half of all losses from natural catastrophes globally in 2018. Of this, insurance would only cover about 8%.
Critical safety and security systems that rely on computers are an invitation and a challenge to cybercriminals. Old systems, out-of-date software, operating systems and firmware, and increased connectivity for remote monitoring present tempting targets for attackers.
What is a cyberattack?
Before you can secure your area or defend against an attack, you need to understand the situation and the enemy’s resources.
Like physical attacks, cyberattackers have a variety of motivations and methods. For a script kiddie or amateur hacker, hacking may be a puzzle game or competition, while black-hat hackers and organised attackers aim for financial gain, cyber espionage, or ideological goals.
Cyber attacks are constantly evolving. Broadly speaking, they can attack either information technology (data on computer systems) or operational technology (computer-controlled physical systems) for one of four objectives: copy data; modify data; deny access to systems or data; or take control of systems.
Data theft or alteration are hard to spot. Would you notice if criminals sell or change your data? Are pirates interested in your route planning data or your crew list? Would you notice any unauthorised additions to your cargo manifest?
Ransomware, like the NotPetya attack on Maersk, is a growing problem. It encrypts the data on a computer, denying you access unless you pay a ransom. Denial-of-service attacks deny access to the data on a site by overloading the servers with requests.
These are a problem, but attacks on operational technology (OT) can cause greater physical damage. A hacker who controls a ship’s ballast system or loading computer could capsize the ship. Introducing errors in the hull stress monitoring system could break the ship in half. Do your crew plug mobile phones or USB devices into your critical systems?
What is cybersecurity?
Security results from the measures taken by a commander to protect their forces. Cybersecurity is the same. To protect your people, systems and organisation, you need to know and understand the threats and plan adequate security measures to counter them. Under Resolution MSC.428(98), the IMO encourages Administrations to ensure that cyber risks are appropriately addressed in safety management systems by the end of 2021.
In MSC-FAL.1/Circ.3 Guidelines on maritime cyber risk management, the IMO advocates a five-step risk-based approach to cybersecurity: identify the systems, assets, data and capabilities that, when disrupted, pose risks to ship operations; implement measures to protect against a cyber-event; develop and implement measures to detect a cyber-event in a timely manner; develop plans to respond to a cyber-event; and identify measures to back-up and restore necessary systems after a cyber-event.
1. Identify your critical and vulnerable systems
Whether you’re a ship, a port, or a shipping company, your industrial control systems (ICS), human machine interfaces (HMI) and databases are tempting targets. According to Pen Test Partners, the main shipboard targets are physical security, communications, industrial control systems, loading and stability systems, ship and crew networks, navigation systems, and updating and remote administration systems.
The ENISA Port Cybersecurity Report lists common port target systems as vessel berthing, loading and discharge, temporary storage, distribution and transfer, support, security and safety, and authorities. To complicate matters, port systems are usually operated by different companies, so they need to interface with other companies’ systems.
Even if we disregard databases, modern ports constantly add new ICS to their networks. Computer systems manage port security and access, RFID and optical recognition of containers, and many cranes. Many of these systems are online; even those that are not are vulnerable to malware from an infected portable device.
Several governments, organisations and classification societies, including the UK Government (ships, ports), DNV-GL, ClassNK, and a consortium including BIMCO, OCIMF and the ICS have issued guidelines for cyber security in maritime. These provide an excellent starting point to assess the threat landscape and identify measures to protect your systems.
2. Protect your systems
Even among the less technically inclined, basic cyber hygiene practices such as strong passwords, up-to-date anti-virus and firewall software, regular scans, software updates, and appropriate user privileges are becoming common knowledge. But it’s not enough just to protect the network. Network segmentation helps, but if an attacker gets into the network every individual system needs its own defence to slow or prevent the attack from spreading.
Your employees are your primary weakness – and your first line of defence. They’re the ones who will click a link in a phishing email, or plug an infected USB device into the network. They’re also the ones who will detect early warning signs of a cyber attack, or notice an unusual device plugged into the back of a computer. Training your crew and employees is critical, and the regular Phish and Ships newsletter is an effective way to get started.
3. Detect a cyber attack
The basic steps to detect a cyberattack are: be aware of all devices connected to the ship systems and networks; establish procedures to detect unusual activity on the ship or port systems; and constantly scan the network for problems, including signs of physical tampering with network-connected devices.
Non-technical folk can check the company website for odd changes, monitor alerts, and use automated threat detection software. Professionals can monitor and review logs for suspicious activity, or set up honeypots to trap attackers.
Again, it’s not all up to the cybersecurity professionals – although they’re definitely important! Train your crew and employees to detect early signs of attack, and take their reports seriously. They use the systems regularly, so they’ll often be the first to notice changes.
4. Respond to the attack
Detecting a cyberattack is not enough – you have to know how to respond. Cybersecurity professionals can help you develop and implement a comprehensive response plan. Your response plan should identify the scale of the attack, assess the impact and limit the damage.
5. Recover from the attack
Backups are critical in recovering from a cyber attack. Data backups, system images and backup systems help to restore critical services. When creating your backup strategy, it’s important to ensure you isolate your backups, preferably off-site. This helps to prevent malware from corrupting your backups, or a fire in one location from destroying them completely.
Recovering from a cyber attack is not only about getting your systems up and running. If you don’t find out what happened and learn from it, it will happen again. Review your cyber risk assessment. Find out how the attacker gained access to your systems, and amend your risk mitigation strategies and procedures to prevent it from recurring.
How can cybersecurity companies help?
No-one can be an expert in every aspect of running ships, ports and shipping companies. Cybersecurity professionals have a better understanding of the complex and ever-changing cyberthreat landscape than the rest of us. From monitoring networks for an attack to network audits and penetration testing, they know what they’re doing. The maritime industry poses unique challenges, but a few companies actually specialise in maritime cybersecurity. Examples of cybersecurity companies are Cyberprism Maritime, Pen Test Partners, Cyberowl, Cydome, Naval Dome
Conclusion
Computers in maritime are not going away, so we need to take the risks seriously. The isolation of ships, the critical nature of the shipping industry in international trade, and the high monetary value of cargoes make shipping an easy, high-value target for hackers.