Patrik Wheater from Seaborne Communications reflects on last week’s massive ransomware attack and how shipping is in urgent need of a culture change.
As Kongsberg and Yara announced the first autonomous containership will be in full remotely-controlled operation by 2020, news last week that hospitals, multinational corporations and government offices across more than 100 countries were hit by the world’s biggest ransomware cyber attack, underlines the devastating impact such an attack could have on an unmanned shipping fleet.
We are all becoming increasingly aware of the potential socio-political impact computer hacks can have on the status quo, with claims of election interference, so it is inevitable that the nefarious will at some point correlate seaborne trade with global economies and energy security and hold us all to ransom. So far, shipping industry conservatism and a lack of wider public understanding have, perhaps, inadvertently kept the hackers at bay, but the industry cannot remain complacent.
Imagine. You’re sitting at a state-of-the-art consel contolling the movement of, say, a fleet of LNG carriers, keeping cargo tanks at their optimum temperatures and pressures, remotely keeping watch on the engineroom machinery, checking weather patterns, shipping lanes and manifests, when up pops: “Oops, all your files have been encypted, please pay 1,000 bitcoins to remove the encyption.” What then?
Andreas Kuehlmann, general manager at Synopsys believes the WannaCry ransomware outbreak is a wake-up call for the world. “It highlights not only our inter-connectedness and deep-seated dependence on technology, but the massive challenge we face in securing the ecosystem of software and systems we rely on. Software is not just eating the world—it is the world we live in today.
Motivated attackers—whether they are criminals, activists, or nation states—continue to find ways to exploit vulnerabilities in software to serve their own agendas. That is why the security and quality of software is so important in the current operating landscape. Forward-thinking organisations know that they must be able to account for the integrity of every piece of software that is exposed to the Internet.
“Patches for the underlying vulnerabilities exploited by WannaCry have been available for nearly two months, yet numerous organisations have fallen victim to these attacks because they failed to apply the patches in a timely manner or were using legacy systems that could not be patched. Cyber security is not just a matter of technology; it is an organisational challenge that needs to be addressed holistically. It requires a fundamental shift in the way we design, develop and deploy technology throughout its entire lifecycle and how we understand and manage risk throughout the software supply chain.”
One frightening aspect of the WannaCry incident is the rapid speed at which infection spread. Some reports suggest that victims received a phishing email that included an attachment or link that then downloaded ransomware and impacted the Windows operating system. The UK’s NHS was hit particularly badly due to the scale of and wide access to the network: hospital staff, general practitioners, suppliers, administrative staff all had access to the same network and with so many individuals logging on, it only takes one to mistakenly open a spurious email for a virus to enter an organisation’s bloodstream.
Smart, autonomous, unmanned ships will continue to develop apace and they will be a major feature of our seascape in the next decade, but this development must go hand-in-hand with development in software systems and security along with changes to the way in which we operate these systems.
A cultural change is required and companies must invest in the computer literacy of each and everyone of the their employees if the transport infrastructure is to remain safe, secure and operationally effective.
I think the intent of the article’s point is well taken in the general sense that the maritime industry in general should be as cognizant of IT system malware as any shore side enterprise. I would point out that that it’s unlikely that autonomous ship system designers would opt to use off-the-shelf software, i.e. Microsoft Windows, that is more apt to be the target of hacking or has vulnerabilities that could be leveraged in open network environments. System software developed with this thought in mind will be more tamper resistant, particularly if the entire ship operational eco-system is designed from the ground up with good security principles in the framework. Bottom line, I couldn’t invest in or risk my business on an autonomous ship that’s connected to the Internet and runs Windows based systems at the core.
I would also hope that good IT system maintenance is a part of the basic operational procedures, just as engine/hull/navigation system maintenance is now for well run vessels.
Anyway, good article. Keep them coming!