Shipping is increasingly exposed to risks of cyber-crime. But while the 2017 Maersk attack was widely reported, better communication and regulation may be required to prevent further attacks.
Criminals are beginning to focus on shipping, and specifically ports, as their centralised systems provide fraudsters with a wealth of target information
Maritime operations systems are vulnerable to attack by cyber-criminals.
The maritime sector is unprepared to deal with cyber-security issues, according to a new report from a leading international law firm.
Mishcon de Reya warns that attackers may be deliberately targeting the industry due to the nature of its operations and assets.
“Given the threat landscape, leaders in the maritime industry need to better inform themselves of what the risks are, and what may lie ahead,” the report warns. “They also need to be aware of regulation governing cyber-security management, and take key steps to protect their assets from risks.”
As shipping becomes more digitalised, in tasks spanning navigation to container tracking, as well as myriad business operations, more vulnerabilities have emerged in terms of safety and operations.
While shipping faces the same threats to office-based systems as any other business, it is also exposed to the growing possibility of threats affecting shipborne technology.
A BIMCO survey of 350 people in the maritime sector last year found that over a fifth of respondents had reported experiencing a cyber incident, 72% of which had occurred in their own companies.
While the vast majority of these were related to IT systems rather than operational technologies or navigation systems, there was an overwhelming perception that shipborne systems, particularly navigation systems, were vulnerable to attack, the report says.
Reported risks in maritime are largely focused on financial loss as, despite the concern over the potential impact of a shipboard system attack, these had yet to occur in any measurable way.
Nevertheless, the threats are real. The maritime industry has been subjected to cyber-crime much like other industries, although in most reported incidents the targets were not the industry itself.
In 2017 Maersk experienced a destructive attack using the NotPetya ransomware, not because of the nature of the business but because Maersk used specific Ukrainian accounting software targeted by the attackers.
But one area of physical infrastructure that is at risk is ports and cargo terminals.
Organised crime groups have taken a direct interest in targeting the maritime industry, particularly ports — a nexus point for the illegal smuggling of people and drugs.
“Whether the aim is theft, smuggling, or fraud, the asset-rich and chaotic port environment presents opportunities for illegal profit,” the report says. “Our research shows that criminals often target companies that process a high volume of business-related transactions, and often focus on a particular sector or industry to increase returns on their investment of time and resources; shipping businesses are as likely as any other to be a target.”
Incorporating digital tools into the day-to-day activities of cargo management had not removed the threat of crime, but has simply shifted criminals’ focus to digitally enabled activities.
“We have seen cases of a shipping entity’s systems facilitating a smoother process for high-seas piracy, where technology has created more efficient processes for drug smuggling, and where new communications channels have enabled a more straightforward means of conducting fraud,” says the report. “The crimes have not changed, but the tools that make operations run more smoothly have made crime more efficient.”
While most ports and terminals used the same systems, with the same vulnerabilities, as any other business, an additional weakness was evident in the terminal operating system software used to track cargo from point of entry to point of departure from a port. This maintains a record of loading and unloading cargo, and movements through customs and other inspections, through to collection by a customer or third-party operator.
“This centralisation of information brings smooth and integrated operations, along with a target for criminals wishing to manipulate cargo contents,” the report says. “A shipping company’s marine fleet-management software also provides tracking information that can be a rich source of data for pirates and criminals attempting to track goods between ports.”
In one example of criminal activity at a port, an MDR client was targeted by a simple email fraud as part of the berthing process. A ship had made a port call to discharge a cargo and commercial agents had been appointed. But as the cargo was being discharged, emails that had been created to mimic those of the operations team were used to alter bank account details for the berthing payment, leading to a $100,000 loss.
“Our investigation uncovered a campaign with 25 targets across the shipping sector,” MDR says. “The attackers were well versed in the processes used in shipping; they targeted a variety of agents, fuel providers, and engineering firms with whom shipowners and operators would interact.”
Containerships, with their huge and valuable cargoes, also face risks associated with cargo management systems.
“It has already been proven that criminals can hack into systems to gather intelligence that will support their activities: stealing cargo at sea or tracking cargo to optimise criminal operations once it has arrived at port,” the report says.
“Without effective security measures to prevent and detect unauthorised access and changes to data, systems may be used to facilitate the tracking, theft, or destruction of cargo, depending on the threat actor’s motives.”
Container shipping must focus more attention on ports than vessels, the report adds. Although the security of electronic tags is important for the integrity of the shipping process, port systems hold the core of the data criminals seek to access.
In its recommendations, MDR advises that cyber-security tooling and processes need to be aligned with new standard across the organisation. “As has occurred in many corporate sectors, a common set of security principles can be developed and applied to the vessel and port contexts.”
Standards would increase costs across the supply chain, and would likely need regulation for enforcement, but were essential to securing the supply chain.
The report makes a correlation between cyber-security and safety, a concept that is well understood and regulated within the maritime sector.
“A potential next move to consider is identifying specific cyber-security failure risks as safety hazards; other industries, such as energy, have begun analysing their systems to understand which are critical to certain operational outcomes,” the report says. “This allows cyber-security to be improved for the systems most likely to cause high-impact failures.”
Adding any cyber-security requirements that stem from such analysis to the current Safety of Life at Sea Convention audit process, as well as modifying the regulations for future vessel construction, may help drive a culture of security on board a vessel. It could also establish a minimum baseline of planning and technical controls.
Protection better than cure
In the meantime, shipping companies, port facilities and vessels should identify and understand the “criticality” of their assets based on the potential financial operational, regulatory and reputational impacts that would occur if they were disrupted or destroyed.
“Additionally, there should be close monitoring of the threat landscape, to fully identify risks to the operations of the maritime industry; those who have been delegated security responsibilities should be tracking who may want to target either them specifically, or the industry as a whole, what their motives could be and how they could approach an attack.”
This information should be shared among other, similar organisations, the report says.
“Often the improvement of cyber-security is hampered by a lack of information, which makes building a business case difficulty,” the report says. “Sharing information among industry participants helps deliver a true picture of the risks to each business.”
Once assessed, protection needs to come in the form of investing in both a “security culture” that disseminates the risks, and identifying security gaps.
“It is no longer good enough to simply tick these off a list,” the report says. “Controls should be tested to check they are operating effectively to ensure risk is reduced to an acceptable level.”
Companies should also look at how the handle communication, invoicing and payments to external organisations, as fraudsters have been finding increasingly sophisticated ways to subvert standard payment management processes.
Finally, the report advises that once risks are identified, a crisis management plan be put in place for the time when “a risk becomes an incident”.
“This plan should tie together the shipside activities spelled out in each vessel’s ship management system and the portside actions the back-office IT team needs to manage, ensuring a coherent and complete response to any incidents that arise,” the report says.
“Given the threat landscape, leaders in the maritime industry need to better inform themselves of what the risks are, and what may lie ahead. They also need to be aware of regulation governing cyber-security management, and take key steps to protect their assets from risks.”