Cyber Threat and the Vulnerability of the Maritime Sector

There is no denying the maritime industry’s vulnerability to cyber-attack. Indeed, we have already seen a variety of key marine players under attack by assorted threats such as ransomware.

A key component in any cyber defence for such attacks is having a solid plan for re-installing from back-up, thereby creating a cyber-resilient organisation.

When the term “cyber-attack or risk” is mentioned, it can often invoke a feeling of helplessness at the complexity of the challenges, or a highly technical area upon which the individual has little or no influence, or that this only happens to someone else.

Most people quickly conclude that cyber security is the responsibility of the IT department, and apart from that there is nothing they can really do.

Sure, some aspects of cyber security require a degree of technical knowledge and skill, but they need to be seen in the context of several other non-technical aspects.

That said, the most vulnerable attack point related to cyber security is people.

It looks great in movies, but hacking into company systems using only your computer from afar, whilst technically possible, is often quite difficult if the company has good cyber defence systems.

Any criminal would need to clearly know the company’s vulnerable points first.

However, encouraging employees to do stupid things online, or attacking the employees’ smartphones whilst they are at conferences, or getting physical access to an office and installing your own devices into employee computers, are much easier routes for the determined hacker.

Hence a defence strategy pertaining to cyber security can only be effective if it includes careful consideration as to how you want your people to behave, as well as how you get them to comply with any rules you establish.

A well-documented example dates from 2012/13 when the Belgian port of Antwerp was attacked. This operation to hack the port companies took place in many phases, starting with malicious software being emailed to staff, allowing the organised crime group to access data remotely.

When the initial breach was discovered and a firewall installed to prevent further attacks, hackers broke into the premises and fitted key-logging devices onto computers.

This allowed the criminals to gain wireless access to keystrokes typed by staff as well as screen grabs from their monitors.

So why hack shipping companies? What’s the point? Shipping has always been relatively ‘invisible’ to the mainstream.

The maritime sector possesses a number of ‘options’ which make it attractive to cyber attackers, particularly multiple stakeholders distant from one another and communicating by disreputable networks. For example:

  • A shipment of a container will likely involve data transfer between 5-10 different stakeholders such as the shipping company, port of lading, destination port, shipper, consignee, customs authorities, dispatch company, data portal intermediary and banks.
  • Large monetary transfers take place involving many stakeholders. Typically, these could be payments by shipping lines to bunker companies, shipyards or vessel owning companies as well as freight payments from shippers to shipping lines and vessel
  • Many stakeholders, who are involved in the financial and operational chain, are scattered across multiple different countries and time zones. This means that parties often act across sectors without necessarily having real time conversations. Any duplicity will thus take some time to discover.

Seen from a maritime angle, ransomware is no different from the situation where pirates physically hijack a vessel and hold both it and the crew for ransom.

For any shipping line, such an attack could include the scrambling of customer databases or operational databases, and for a container terminal, it could for example include the encryption of the database keeping tabs of the container locations within the terminal.

Using the comparison with physical piracy and ransom, it is well known the maritime industry tends to pay ransom, and hence it is a ‘viable business model’ for criminal groups.

According to a report issued by the International Criminal Police Organization, in the years between 2005 and 2012, 179 ships were hijacked off the coast of Somalia and the Horn of Africa. The average ransom paid was $2.7 million, with ordinary pirates receiving $30,000 to $75,000 each and bonuses paid to those who brought their own weapons or were first to board the ship. The success rate was around 85%.

Whilst the success rate cannot be generalised to other forms of hijacking, it does indicate a willingness to pay within the industry which is of interest to criminal elements.

Obviously, therefore, any cyber strategy needs management to be involved in the decisions relating directly to the level of security a company wants, as increased levels of cyber security come at the price of having to modify business processes.

However, that’s not as easy as it sounds.

The usual issues are raised:

  • Cyber security is a technical matter largely delegated to the IT manager or the CIO, and is not something materially involving the CEO, DPA, COO, CFO or the HR manager
  • A general unawareness of the actual incidents which have taken place in the maritime sector
  • A belief that the cyber threats are chiefly theoretical in nature, usually linked to a doubt as to whether there is anyone with a genuine motivation to perform cyber-attacks against their own maritime company

The tendency by shipping managers to view cyber security as a technical matter often discourages them from seeking information relating to actual incidents in the industry.

In cases where headlines of an incident have been noticed, there is often limited, or no, follow-up in terms of examining how such incidents would influence the non-technical parts of the company.

In turn this leads to a blind spot in terms of business contingencies, which can be a major liability once a cyber-attack is successfully implemented.

Fortunately, over the past 12-18 months, there has been a gradual change in the mindset of the industry, and the prevailing attitude is now a recognition that cyber security may indeed be a genuine threat.

However, that recognition in many cases still does not translate into the allocation of money and people to properly investigate the company’s current level of cyber security nor the allocation of proper resources related to sustained heightening of cyber readiness.

Whilst the recent incidents are unfortunate for the company, as well as for the many shippers and other supply chain stakeholders which are impacted, it is sadly an incident which has been entirely predictable within the industry, and one which hopefully will act as a catalyst for the maritime industry to further enhance their cyber defences.