John Boles and James Bickley from Navigant Consulting provide Splash readers with a useful heads-up on maritime cyber security.
Today’s vessels and offshore units are constantly becoming more connected, relying on computers and networks to do everything from navigation, power management, and cargo loading to onboard entertainment and communications. With all these interconnected systems and devices reaching out to the internet, ships have essentially become floating computers with all of the associated vulnerabilities. The move toward connected technology has distinct advantages in efficiencies, yet comes with significant risk.
Technology in and of itself is neither good nor bad – it’s put in place to perform a function and often security is not properly considered. However, opportunistic cyber criminals, hacktivists, and even nation-state actors are often the early adopters. That means, while shipowners, builders, crews, and port/terminal services are using new technology to improve their operations, hackers and crooks are looking for ways to exploit that same technology for financial or political gain. For example, the maritime industry relies heavily on Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS) for critical operations. SCADA and ICS were put in place years ago to control mechanical operations remotely before cyber security was a concern. Many of these systems are ‘wide open’ and easily discoverable by hackers using online tools like Shodan.io. Often times, these systems are not password protected or updated, protected only by the default password that’s only a Google search away from discovery. Improvements in communications and satellite technology like GPS and AIS have undoubtedly enhanced ship safety and route efficiency; autonomous (self-driving) vessels are no longer science fiction. However, these all also rely on the same interconnected computers and systems, which when left unprotected, are susceptible to all manner of compromise.
In addition to these somewhat industry specific vulnerabilities, ships and other offshore units face the same cyber threats that most businesses and individuals are facing every day. Crew email is a great tool for disseminating information and staying in touch with home while deployed. Email is also the overwhelming primary attack vector used by hackers and fraudsters. Everything from Nigerian fraud to complex viruses, Trojans and ransomware are often passed via email. Almost everyone has a smartphone or tablet to bring onboard. However, each device that connects to the ship’s system brings a risk of malware or infection. The recent Shamoon2, WannaCry, and NotPetya malware attacks show no industry is immune to the ever-evolving global cyber threat. With new questions being asked about the recent collisions in the US Navy’s 7th Fleet and groups from Russia and other adversaries known to take advantage of vulnerabilities in GPS and navigation systems, the threat to both business continuity and human life is very real.
So what is the real risk? Hackers are looking for a toehold anywhere within a network. Once they get in, if proper defences and segmentation are not in place, they can move laterally through the network, eventually reaching the most critical systems. This is an example of when simple phishing email can turn into a serious incident. On one side of the spectrum, a cyber incident could simply involve monetary loss – like the Nigerian fraud scheme or a Business Email Compromise, where the fraudster poses as the CEO and directs a wire transfer to an offshore account. The FBI estimates losses at over $3bn to just that fraud scheme alone. The other side of the spectrum is when a cyber incident allows a hacker to gain access to critical systems, the cyber attack could have very real consequences in the physical world, like ship grounding, systems outage, or power failure. The NotPetya attack on Maersk did not impact ships afloat, but shut down terminals and prevented cargo offloading, directly impacting operations and profitability.
The first step to effective cyber security is awareness – knowing that the risk exists both in the back office and on ships – and having a thorough understanding of what the particular risks are and the likelihood of exploitation. A proper cyber risk assessment should be tailored to the individual organization to ensure that proper focus is applied to actual risks and threats. This allows management to make informed decisions on the true threat and to gauge how much actual risk the organization is willing to tolerate. Additionally, proper training and enforcement is also essential. Crewmembers, employees, and passengers must be able to recognize and avoid risky cyber behavior like clicking on unsolicited email links or using a ‘found’ USB drive. That awareness must also be combined with proper technical security basics like a layered cyber defense on the network coupled with segregated systems and reliable backups. An assessment of organisational and shipboard cyber posture will identify risks and assist in developing an action plan to minimize those risks and mitigate future attacks.
The maritime industry must become much more proactive in addressing these very real risks and begin to limit these vulnerabilities. Applying resources proactively to assess and prevent cyber, or any existential, risk is essential to mitigating the very real possibility of an attack that could ultimately result in monetary losses or much worse.
