2020 has put maritime organisations in the firing line for cyber-attacks, and they can no longer afford to bury their head in the sand and to counter this Lloyd’s Register spoke to Nettitude’s Tim Percival who discusses what actions needs to be taken to stay ahead of this rising tide in this article. Let’s take a look.
Increasing Cyber Attacks
In September 2020, CMA CGM, the world’s fourth-largest container shipping company, announced that it had experienced a cyber breach. Initially stating that its systems security hadn’t been compromised, a few days later, it had to declare that it was working on a plan to get access back to its systems. A few years ago, this kind of news would have been unheard of, however organisations publicly declaring that they have suffered a cyber breach is becoming almost an everyday occurrence.
Why This Sudden Increase?
Due to the openness and interconnected nature of the Internet, hackers or hacking groups are carrying out untargeted attacks, without any consideration for damage inflicted upon maritime organisations. These attacks can be delivered as phishing attacks, water holing, ransomware, or scanning and are relatively easy for hackers to administer. What’s more, their chances of being apprehended are almost non-existent, meaning the fight against cybercrime is one of a continuous nature.
Why the shipping industry is Vulnerable?
One of the key areas of cyber-vulnerability in the shipping industry is the ships themselves. Until recently, ships were running legacy systems with relatively small IT networks and a segregated OT (operational technology) network. The ships OT network is closed off from the outside world with limited access to it, usually only physically accessible by the Captain and senior crew. Due to digitalisation in the industry and the convergence of IT and OT, there is now a focus on extracting key data from OT systems, sending it to the cloud, so that data analytics can be carried out in real-time. Such digital developments have created an additional level of risk for shipping companies to consider and have transformed vessels into remote offices more than ever before.
Over the last three years, there has been a staggering 900% increase in cyber-attacks on the operational technology of maritime organisations, in which some of the largest shipping companies in the world have been the victim. We’ve seen a number of reported cyber-incidents this year alone. Carnival Cruise Line, Mediterranean Shipping Company (MSC), and the Toll Group have all been in the limelight for cyber-attacks, inflicting not only operational and economic damage, but also a significant knock to their reputation. While many of these organisations are targeted, it can also simply be a case of being in the wrong place at the wrong time.
What can maritime organisations do?
The immediate answer is ‘yes’. There are ways to prevent businesses from being breached, particularly as most breaches that occur aren’t designed to target a specific customer.
One solution is to ‘do nothing’; an approach that too many companies take. Preferring to believe ‘It won’t happen to them’, questioning ‘Why would we be targeted?’, and doubting the companies draw ‘We don’t have anything of interest to a hacker’. These are just some of the comments that companies make without really understanding the reality of how the Internet works and how easy it is to target companies. The other factor to consider is the modus operandi of hackers. Stealing corporate data, encrypting systems or generating bitcoin are just some of the motivators. What if the motivation is ‘to cause damage for fun’ or to take systems down for ‘bragging reasons’ on dark web hacking forum sites? Do we really want to take the chance that hackers can do what they want without understanding why they might do it?
So, if we don’t always know why hackers do what they do and the agreed approach that doing nothing isn’t an option, then a great starting point is to carry out some form of risk assessment, using a globally recognised framework such as NIST, ISO 27001, or BIMCO.
By understanding business risk, a company can put a plan in place that focuses on people, process, and technology. By understanding how users behave, the defensive layers that are in place, this will help an organisation to know how a hacker might compromise them and help to determine what additional layers of security are required to minimise a breach in the first place. This might include security awareness training or penetration testing on key systems, to identify any known vulnerabilities that a hacker could compromise using targeted or untargeted techniques.
How IMO Can Help?
Fortunately, companies don’t need to do this alone. Recently, the IMO has released requirements on a cyber security resolution which came into effect on 1 January 2021 and encompasses any organisation that owns and/or operates ships. This is something that all shipping companies need to take seriously and could be a great starting point for businesses that don’t understand the basics or have a plan in place to protect themselves. It will be enforced through flag states via class societies and through ISM audits. IMO 2021 isn’t a silver bullet solution that will solve all cyber issues; however, it will provide maritime organisations with a much clearer understanding of risk and how to manage it. If shipowners and operators can quantify the risk, then a plan can be put in place to mitigate it.
Ship IP Infrastructure Needs To Change
The reality is that all of the breaches that have taken place in maritime recently have all compromised the head office infrastructure, as opposed to the ships themselves. Most vessels have a relatively small external IP infrastructure, likely to be one IP address and if the OT network is truly segregated from IT then the risk to those vessels is small. It doesn’t mean that an organisation shouldn’t think about the risks to vessels, however, if most of the data, booking systems, IT infrastructure, and people with access to key systems are in the office, then that is the area that is most likely to be affected by a cyber breach.
Proper Cyber Strategy Is the Key
The answer is no. Having a cyber strategy is fundamental to protecting customer data, minimising operational downtime, and reducing the negative impact on share price. No guarantee exists when it comes to avoiding a cyber breach altogether, however, by adopting a cyber strategy will help prevent a breach. Whereas, the risk of doing nothing could cost millions of dollars, meaning now is the time to do something about it.
Did you subscribe to our daily newsletter?
It’s Free! Click here to Subscribe!
Source: Lloyd’s Register