All Hands on Deck: Preparing for a Maritime Cyberattack
It has been almost three years since Informa Connect Maritime produced one of the very first articles in the maritime sector to address cybersecurity, and a great deal has happened since then. That April 2017 article was a portent of things to come – the biggest disruption ever to hit global shipping occurred just three months later with the disastrous Maersk cyberattack. Wired magazine described the malware used in the attack, NotPetya, as: “the most devastating cyberattack since the invention of the internet.” Andy Greenberg of Wired explains why the cyberattack was so brutal: “it crippled multinational companies including Maersk, pharmaceutical giant Merck, FedEx’s European subsidiary TNT Express, French construction company Saint-Gobain, food producer Mondelēz, and manufacturer Reckitt Benckiser. In each case, it inflicted nine-figure costs.” Author Vishnu Rajamanickam posed a provocative question about the attack in Freightwaves: “What makes this worrisome is the fact that Maersk was not a target, but an accidental victim to an attack targeted at the Ukrainian government. This begs the question – had Maersk been targeted, how much bigger would have been the impact?”
Since Maersk, the floodgates have opened. In 2018 COSCO Shipping had its global operations affected by cyberattacks; in 2019 UK-based marine services provider James Fisher and Sons (JFS) and the Kuwait shipping industry were both victims of cybercrime. Early this year both the US Coast Guard and UK marine engineering consultancy London Offshore Consultants (LOC) Group announced they had been the victims of a cyberattack. Iran has announced it will retaliate against the US for its killing of Iranian General Qassem Soleimani – experts agree that a cyberattack is high on the list of ways it will do so; gCaptain’s editor Mike Schuler warns: “While no specific threat from Iran has been identified, the maritime industry should be prepared”. Indeed, ports have proven to be particularly vulnerable, with a recent cyberattack in Antwerp port, and ransomware attacks at the Port of Barcelona and San Diego.
Transportation has gone from the 5th most cyber-attacked industry in 2015 to the 2nd most targeted sector, after financial services, according to IBM. The Wall Street Journal reports that: “Cybersecurity was ranked as the second-highest risk for shipping in 2019, behind natural disasters, according to a survey of over 2,500 risk managers conducted by Allianz.” Shipping and maritime have responded in kind with new maritime cybersecurity initiatives and regulations to combat hackers. Through IMO resolution MSC.428(98) on Maritime Cyber Risk Management in Safety Management Systems (SMS), the ISM Code, which every ship globally must abide by, now includes cyber safety and requires that “all vessels need to have cyber risks addressed by the end of 2023 at the latest”. SOLAS, the International Convention for the Safety of Life at Sea, is also putting in cybersecurity requirements beginning next year. Late last year the University of Plymouth in the UK created a research facility dedicated to cybersecurity in the shipping industry, and many shipping companies have now created cybersecurity roles on their information technology teams. The conversation has certainly moved from “Should we be concerned about cybersecurity in maritime?” to “How can you control a cyberattack?”, so we asked several global cybersecurity and maritime experts just that.
Nick Chubb, Founder, Thetius @NAChubb
“It is vitally important to have plans and procedures in place for emergencies onboard a ship. From firefighting to persons overboard, to abandoning ship. Not only is it vital to have plans in place, but it is vital that seafarers are trained in them and that regular drills are carried out so that when an emergency strikes, the crew is ready.
The same is true of cybersecurity. The best way to control a cyber attack is to develop plans and procedures and conduct regular drills to test them and train staff members. Just like an emergency onboard a ship, it is not a case of if, but when, your organisation will face a cyber attack. The only way to control it is to be prepared for it.”
Knut Ørbeck-Nilssen, CEO, DNV GL Maritime @DNVGL_Maritime
“In assessing vessels, DNV GL’s experts look for evidence of processes adopted to raise awareness of cyber risks and to change unsafe behaviour – not only among the shipping company’s own staff but also in dealing with third parties including vendors. Network architecture is inspected, and penetration tests are conducted to check whether the documented version matches the reality on board. The inspection also covers safeguards for safety critical systems as well as mitigations implemented for older equipment connected to the network that was built before cyber security was the serious concern it is today. Whether physical or cyber, risks are a fact of life. They can never be entirely eliminated. However, by taking a methodical approach to assessing potential scenarios that might arise, we can take steps to prevent the more obvious dangers and be ready to act to minimize the fallout from unexpected ones.”
Melvin Mathews, Director New Businesses, Wärtsilä @MelvinSMathews
“Along the data trail there are quite a few areas that have been identified where security breaches can happen. Risk management in maritime operations is key, and the human factor plays a big part. The best way to prevent physical tampering of sensors and on-board networks is to restrict entry to only authorized personnel on board. Restricted areas on-board should be identified and access strictly controlled for visitors, contractors, etc. IT systems on ships need to follow industry standards and best practices on security including a solid architecture design and proper firewalls. Transfer of data is typically highly compressed and encrypted. Security during data transfer is ensured by industry best practice of ‘public key infrastructure’ which is what is used in e-commerce and internet banking. Internet security is ensured by standard industry best practice of IP-verification or physical token with username and password i.e. ‘2-factor authentication’.” Read Mathews' full-length blog on this here.
Melvin Mathews will be speaking at our Shipping Transformation Summit happening in Copenhagen March 11 and 12.
Paul Ferrillo, Partner, McDermott Will & Emery LLP, @PaulFerrillo
“With the plethora of attacks hitting all industry sectors, and with the rise of cyber attacks against the maritime sector, the best way to control a cyberattack is to ask yourself, ‘Am I a target? Will I be hacked? Have I been hacked already?’ The answer to these questions is, ‘yes, yes and probably.’
Given that you probably will face an attack, the best way to proceed is to do all you can do to prevent one! During a port call, update your network, patch what you need to patch and most of all, back up what you can back up so if you suffer an attack, you can recover before saving lives and property become a real issue. Attackers prey on vulnerabilities. If you have them, an attacker will find them. Use antivirus solutions as well to prevent catastrophe. Have a strong password policy for onboard computers (including your IoT devices). Require multi-factor authentication for accessing the network by using tokens. Most of all, have a plan in place. The hardest time to deal with a ransomware attack is in the middle of one when chaos reigns. Prepare for the worst. Practice your incident response plan. And hope for the best.”
Peter Broadhurst, Senior Vice President, Inmarsat, @InmarsatGlobal
“Inmarsat’s unified threat management solution Fleet Secure encompasses security measures to protect the user and systems on shore and onboard by inspecting, detecting and responding to any malicious activity. To address a key vulnerability of ships at sea, it includes Fleet Secure Endpoint, which has been developed with ESET (Essential Security against Evolving Threats) to detect and isolate threats, reporting any ‘rogue node’ that could be a potential attacker, malware or simply a new crew device being plugged into the network with no security installed.
As well as isolating the threat until it is dealt with, Fleet Secure Endpoint’s record-keeping tool documents efforts made, in accordance with guidelines developed by BIMCO, the International Chamber of Shipping and Intermanager. Ultimately, this capability will also support ship owners in their efforts to comply with International Safety Management (ISM) code revisions due in force from 1 January 2021. In practice, ISM code revisions will require ships to demonstrate what assets, personnel and procedures are in place onboard and ashore to deal with cyber risks, what happens if systems are compromised and who has control. Compliance depends on having the right risk management, infrastructure and procedures in place.”
Ioannis Filippopoulos, PhD, MBA, MSc in IT, Assistant Professor, Director of Informatics and Engineering, Hellenic American College, Athens, Greece
"I will approach the issue from senior management perspective. The first thing is to understand that any organization needs an (interim or not) Information Security Manager who will handle the information security issues in general and more specifically, the cyber-attacks. Any organization needs to control cyber-attack as any other information system attack, and in this perspective, information security governance is a must. Senior Management and other key roles such as Chief Information Security Officer, Chief Information Officer, Chief Risk Officer or even better the existence of an Information Security Steering Committee, should seek the design, development and management of an information security program that will secure information systems regardless of the realm and will balance between the protection of the confidentiality, integrity and availability of data/information while maintaining an effective implementation of policies and procedures so as not to affect the productivity of the organization."
Ioannis Filippopoulos will be speaking at our Shipping Transformation Summit happening March 11 and 12 in Copenhagen, Denmark.
Jens Monrad, Head of FireEye Threat Intelligence EMEA, FireEye, @JensMonrad
“To better understand who might be targeting organisations, it’s vital to have answers to the following questions: Is it a targeted campaign against our organisation? What is their motivation? What can we learn from previous incidents attributed to the same threat? How well are we defending against the adversaries?
Organisations who constantly study their adversaries can more naturally apply metrics which can assist them to identify the optimal way of denying access or detecting the threat. By mapping how quickly they are defending against a threat, organisations can make weighted adjustments to their processes or security controls. And better align resources or investments to address their threat landscape. The end result will be better control of the outcome of a cyberattack.”
Makiko Tani, Chief specialist, Cyber Security Project Team, ClassNK
“’Know yourself.’ It is fundamental to start from understanding your assets and how they work, like a health check to identify their risk landscape.
The same is true of how we can control a cyberattack against seagoing vessels. Today, ships’ critical devices on an Operational Technology (OT) network (often called ‘ship control LAN’) are connected not only to each other to transmit data but also to the computers on Information Technology (IT) or Internet facing networks (often called ‘business LAN’) or even to shore based facilities for further analysis and elaboration. For this reason, again, understanding the onboard network design - how the systems onboard are connected - is crucial.
However, until recently, the maritime industry has embraced the robustness of ships’ OT systems and networks for being as closed as and as self-standing as possible because of the solitary environment of the sea. This unique background has moved the industry’s attention away from onboard networks and still makes vessels’ OT networks and IT networks designed and integrated separately at a different stage of construction. Therefore, this is a call for collaboration between all stakeholders involved to design and integrate shipboard systems that allow you to see what you are protecting. Lastly, the ability to properly design vessels’ system networks will be a demanding skill in the next decade for the maritime industry to control cyberattacks.”
Carole Plessy, Head of Commercial Product Development, OneWeb, @OneWeb
“The IMO’s Guideline on Maritime Cyber Risk starts: ‘Cybertechnologies have become essential to the operation and management of numerous systems critical to the safety and security of shipping and protection of the marine environment.’ This statement reveals how the maritime industry’s approach to cybersecurity is evolving, driven by the push for digital transformation and increased sustainability. All three require the same catalyst – ubiquitous connectivity – and are essential for the efficient operations of a business. Sustainability entails doing business in such a way that your current work does not preclude your future work, and operating securely is the only way to keep your company viable in an increasingly hyperconnected world. This is because, if proper measures are not put in place, a connected system can also be a vulnerable one. At OneWeb, we are able to sub-type connectivity, separating the different connectivity types – such as crew internet from vital operational services – to increase security.
There are two important principles of cyber security that highlight the importance of a fast, reliable connection, and demonstrate why connectivity and security need to be intrinsically linked. First, updating software as quickly as possible is imperative. Old software packages are frequently susceptible to damaging ‘zero-day’ cyberattacks, as they do not benefit from ad-hoc security patches, and frequently store sensitive data. Connectivity plays a vital role: 41% of all software updates at sea are received by satellite, while only 4% are installed by onshore IT staff. Second, round-the-clock threat monitoring is a core principle of cyber security: it allows you to catch attacks before they actually cause damage. Gaps in connectivity are a blind spot that can be exploited by cyber criminals. Improved, secure connectivity means these protections will help spread digital transformation and ease sustainable operations, benefitting your business as a whole.”
Carole Plessy will be speaking at our Shipping Transformation Summit happening March 11 and 12 in Copenhagen, Denmark.
Anders Wendel, head of the Non-profit Industrial Consortium founded by Kongsberg, SAAB & Wärtsilä, Navelink
Ulf Siwe, STM Communications Officer, Swedish Maritime Administration, Navelink
“How can you control a cyberattack? You can’t. Controlling a cyberattack would be equivalent to trying to control a war, a wildfire or chaos. So, instead of focusing on controlling a cyber-attack itself we need to focus on preventing the cyber-attack and in parallel having the right instruments to minimize the effect caused by a cyber-attack. Preventing a cyber-attack is not done by limiting all citizens' rights to a computer, instead it is done by making the result not worth the effort needed by an attacker or the risk for an attacker of being compromised too high while trying.
In parallel, the right instruments need to be in place in order to minimize the effect of a cyber-attack by working with security awareness, security routines, security controls and continued exercises. First, you need to work with security awareness, which means not only increased knowledge for the personnel, from top to bottom, about the threat and dangers but also to implement the right mindset and acceptance for security measures including reporting of incidents, even those caused by oneself. The awareness needs to be complemented by security routines, meaning processes, continuity plans including back-ups etc. The routines need to be complemented by security controls, meaning access handling to different systems, penetration tests, firewalls etc.
The most important is continued exercising in order for the IT-specialists to handle the unknown. It does not matter how good or high awareness, routines or controls you have as the attackers will try to find your weaknesses and explore them. The remaining security then remains on your IT-personnel being capable and used to handling those types of situations, easiest trained by exercises and continued education. This is the way we are trying to fulfill our mission of building a trustworthy and reliable maritime communication platform based on the Maritime Connectivity Platform. So no, we are not focusing on controlling the cyberattack, we are focusing on reducing the risk for an attack and if attacked anyway, minimizing the effect or damage caused to our customers and us.”
Ulf Siwe will be speaking at our Shipping Transformation Summit happening March 11 and 12 in Copenhagen, Denmark.
Kristian Volohhonski, Chief Operations Officer, eTEU, @eTEUTechnology
“A cyberattack in regards to shipping would mean getting access to confidential data, such as trade documents and personal details of parties involved. In order to prevent an attack, various prevention mechanisms should be installed. Distributed ledger technology (DLT) has taken cybersecurity measures available to a new level. Previously the information would be stored on cloud or private servers, however now an innovative approach of decentralisation has been reached, which allows the companies to protect their data by securely distributing it across an entire network. Since DLT incorporates public key infrastructure (PKI) in its core, stored data is strictly accessible by parties who have the appropriate cryptographic keys. This approach of cybersecurity is a revolutionary way to prevent and control cyberattacks, both on SMEs as well as big and established players in the industry.”
The CEO of eTEU, Eduard Oboimov will speak at our Shipping Transformation Summit happening March 11 and 12 in Copenhagen, Denmark.
Rachael Bardoe, Operations Director and Cyber Centre of Excellence, Digital Container Shipping Association, DCSA
“Cybercrime is rising, and shipping is a top target in 2020. An attack at sea is different from one ashore due to limited cyber skillsets, legacy systems and satcom bandwidth constraints. During an incident, systems must fail not just securely, but safely. Controlling an attack requires the following:
Preparation to minimise the impact. Having a Configuration Management Database detailing assets, their criticality and location is key to prioritising protection strategies and identifying vulnerabilities. Ensure that patches and anti-virus signatures are up-to-date, and security train the crew. Network segmentation is paramount for vessel safety - Maritime systems, OT, IT and crew welfare systems should sit on separate networks, separated by gateways, to contain the attack at network boundaries.
Rapid response to quarantine affected systems. Crew members must follow a Security Incident Response plan to remove affected systems from the network and replace them with spares. Maintaining the chain of custody of impacted systems will facilitate a forensics investigation. Review network ports on boundary devices, and ensure that vulnerable ingress and egress points are secured.
Forensics. Once at port, the crew must provide the infected asset to cybersecurity experts for investigation. Maintaining the chain of custody from the point of quarantine ensures any findings will be permissible in court, which may protect the company from serious reputational and financial damage.”
The CEO of DCSA, Thomas Bagge, will speak at Global Liner Shipping happening this May 11-13 in Hamburg, Germany.
Norma Krayem, VP and Chair Cybersecurity, Data Privacy and Digital Innovation, Van Scoyoc Associates; former Deputy Chief of Staff at the U.S. Department of Transportation
“The maritime sector has a multi-faceted cybersecurity challenge—it has a multitude of players; all are interconnected and yet cybersecurity has not been made a systemic priority. No sector can ‘control’ a cybersecurity attack, rather it must understand and immediately take steps to address the risk. First, the sector must ensure that any push to digitization of systems, cargo, vessels, autonomous ships all must have cybersecurity protections embedded in it at the beginning, not as an afterthought. Second, it must map out its risk and understand its cross-sector reliance on all of its stakeholders, ranging from shippers, rail, communications, PNT, GPS etc. Third, global cybersecurity best practices and tools must be implemented to ensure global interoperability of systems. Fourth, focusing on workforce development is key—the traditional IT and law enforcement functions in the sector have to be augmented with cybersecurity expertise. Fifth, all players must understand and have in place a cybersecurity incident preparedness plan that is tested and used constantly. To assist in critical response and recovery functions, relationships with federal, state and local officials must be built in advance, not in the middle of a crisis. The maritime sector is critical to the global functioning of the economy and is one of the few critical sectors without any cybersecurity mandates or regulations unlike other Critical Infrastructure sectors. As the world saw after the impacts of the global cybersecurity attacks on Maersk, global impacts can be counted in the billions if the sector is not sufficiently prepared.”