Proactive vs. reactive cyber security strategies in maritime
In September 2020, CMA CGM, the world’s fourth-largest container shipping company, announced that it had experienced a cyber breach. It initially stated that its systems security hadn’t been compromised, but a few days later it had to declare that it was working on a plan to regain access to its systems. A few years ago, this kind of news would have been unheard of; however, organisations publicly declaring that they have suffered a cyber breach is becoming almost an everyday occurrence.
Due to the openness and interconnected nature of the Internet, hackers or hacking groups are carrying out untargeted attacks, without any consideration for damage inflicted upon maritime organisations. These attacks can be delivered as phishing attacks, water holing, ransomware, or scanning, and are relatively easy for hackers to administer. What’s more, their chances of being apprehended are almost non-existent, meaning the fight against cybercrime is a continuous one.
One of the key areas of cyber-vulnerability in the shipping industry is the ships themselves. Until recently, ships were running legacy systems with relatively small IT networks and a segregated OT (operational technology) network. The ship’s OT network is closed off from the outside world with limited access to it, usually only physically accessible by the Captain and senior crew. Due to digitalisation in the industry and the convergence of IT and OT, there is now a focus on extracting key data from OT systems and sending it to the cloud, so that data analytics can be carried out in real-time. Such digital developments have created an additional level of risk for shipping companies to consider and have transformed vessels into remote offices more than ever before.
Over the last three years, there has been a staggering 900% increase in cyber-attacks on the operational technology of maritime organisations, in which some of the largest shipping companies in the world have been victims. We’ve seen a number of reported cyber-incidents this year alone. Carnival Cruise Line, Mediterranean Shipping Company (MSC), and the Toll Group have all been in the limelight for cyber-attacks, which inflicted not only operational and economic damage, but also a significant knock to their reputation. While many of these organisations are targeted, it can also simply be a case of being in the wrong place at the wrong time.
Can maritime organisations do anything about randomised cyber-attacks?
The immediate answer is ‘yes’. There are ways to prevent businesses from being breached, particularly as most breaches that occur aren’t designed to target a specific customer.
One solution is to ‘do nothing’, an approach that too many companies take. They prefer to believe ‘It won’t happen to them’, question ‘Why would we be targeted?’, and doubt the company’s draw: ‘We don’t have anything of interest to a hacker’. These are just some of the comments that companies make without really understanding the reality of how the Internet works and how easy it is to target companies. The other factor to consider is the modus operandi of hackers. Stealing corporate data, encrypting systems or generating bitcoin are just some of the motivators. What if the motivation is ‘to cause damage for fun’ or to take systems down for ‘bragging reasons’ on dark web hacking forum sites? Do we really want to take the chance that hackers can do what they want without understanding why they might do it?
So, if we don’t always know why hackers do what they do, and we agree that doing nothing isn’t an option, then a great starting point is to carry out some form of risk assessment, using a globally recognised framework such as NIST, ISO 27001, or BIMCO.
By understanding business risk, a company can put a plan in place that focuses on people, process, and technology. Understanding how users behave and the defensive layers that are in place will help an organisation to know how a hacker might compromise them, and help to determine what additional layers of security are required to minimise the risk of a breach in the first place. This might include security awareness training or penetration testing on key systems, to identify any known vulnerabilities that a hacker could compromise using targeted or untargeted techniques.
Fortunately, companies don’t need to do this alone. Recently, the IMO has released requirements on a cyber security resolution which came into effect on 1 January 2021 and encompasses any organisation that owns and/or operates ships. This is something that all shipping companies need to take seriously and could be a great starting point for businesses that don’t understand the basics or have a plan in place to protect themselves. It will be enforced through flag states via class societies and through ISM audits. IMO 2021 isn’t a silver bullet solution that will solve all cyber issues; however, it will provide maritime organisations with a much clearer understanding of risk and how to manage it. If shipowners and operators can quantify the risk, then a plan can be put in place to mitigate it.
The reality is that all of the breaches that have taken place in maritime recently have compromised the head office infrastructure, as opposed to the ships themselves. Most vessels have a relatively small external IP infrastructure, likely to be one IP address, and if the OT network is truly segregated from IT then the risk to those vessels is small. It doesn’t mean that an organisation shouldn’t think about the risks to vessels; however, if most of the data, booking systems, IT infrastructure, and people with access to key systems are in the office, then that is the area that is most likely to be affected by a cyber breach.
So, is doing nothing an option when it comes to cyber security?
The answer is no. Having a cyber strategy is fundamental to protecting customer data, minimising operational downtime, and reducing the negative impact on share price. No guarantee exists when it comes to avoiding a cyber breach altogether; however, adopting a cyber strategy will help prevent a breach, whereas the risk of doing nothing could cost millions of dollars, meaning now is the time to do something about it.
Source: Lloyd’s Register (by Tim Percival, Vice President of Cyber, Nettitude)