[Watch] How Modern Cyber-security Issues Can Affect Shipping?


At a recently concluded forum, Bureau Veritas Singapore’s Mr. Jerome Floury discussed the potential cyber risks of autonomous shipping. The forum, conducted by Safety4Sea in Singapore, gave an overview of the cyberattacks prevalent in the maritime industry and how hackers use them.

The program also highlighted the importance of a proper cyber resilience program and how you can effectively use it to safeguard the interests of seafarers. Here’s more on the topic, as published in Safety4Sea.

Types of Cyber Incidents

In qualifying cyber incidents, there are two principal types. The first is a cyber safety incident, when systems, software and human interaction – as well as lack of competency – combine with poorly managed systems and equipment protection. The second is a cybersecurity incident, when an asset is targeted and voluntarily accessed by an unauthorized person with intrusive or criminal intent.

How does a cyber safety incident happen?

The following is an example of a cyber safety incident. In 2013, in the Gulf of Mexico: an offshore worker, having loaded media files at home on a thumb drive, brought the drive on board a drilling unit (a MODU) and used it, plugging the thumb drive into an onboard computer to download media files. The following day, when resuming work, malware that had been loaded during the download hit the MODU’s network and disabled the signal sent to the DP systems leading the unit to drift off position, causing an emergency shutdown of the well with serious and direct implications for operations.

The subsequent root cause analysis clearly identified a lack of awareness of the staff and, even though the incident happened in 2013, a recent survey still indicates that more than 41% of shipping company personnel place the responsibility of cyber security on the shoulders of the Master when, in fact, it needs to be shared by everyone in the organization.

How do cybersecurity incidents happen?

Meanwhile, the first cyber security incident worth noting is one we have all heard about – the incident in 2017 when Maersk was hit by ransomware. Ship safety was not impacted per se, but all paperwork related to cargo logistics was affected and prevented the release of containers in terminals. Maersk communicated openly about the attack and its impact and, in their estimation, they incurred a US$ 300 million loss as a consequence. They also had to flash more than 4,000 servers and nearly 50,000 computers while 2,500 applications needed to be reinstalled across their systems.

Another cyber security incident was another ransomware attack against COSCO in July 2018. COSCO was quicker to respond than Maersk, probably because they benefited from the experience of the Maersk incident. They were hit by this ransomware in the Port of Long Beach and within two days the ransomware had spread to the UK, Turkey, Panama – and beyond. They had to shut down all their communication systems in all these countries and they had to run their operation using Google and Yahoo accounts.

These two hacks were definitely for profit. Both were ransomware, so the attacker had a financial objective when hitting these two companies. The following two events were not financial.

In 2018, malware targeted Schneider Electric safety instrumented systems. The impact was quite limited but the incident is worth noting because the objective was not financial. The objective was to cause some damage in a manner related to terrorism.

The last one and most recent is that of the Stena Impero. The ship was detained by Iranian authorities for entering their territorial waters. It was assessed that the vessel had received a spoofed GPS signal causing navigational error – the motive was not financial but political.

How widespread are the attacks?

The above is just a preview of a few incidents that are representative of what’s happening. DHL publishes a yearly ‘Resilience360’ report and, in the 2018 edition, they cite the US National Counterintelligence and Security Agency declaring 2017 a watershed year in terms of cybersecurity incidents, with an increase of 400% in the number of incidents reported. More than half of all organizations worldwide have, reportedly, been the targets of such attacks. It’s even grimmer in Asia, where more than 70% of the industrial control systems in Southeast Asia are the targets of cyber-attacks every year.

So, what’s the reality for your ships?

The design life of a ship is 25 years. The average age for a vessel today is in the 10 to 15 years range. That puts the average ship and all its operating systems in a design which is basically based on Windows NT – the support of which ceased in 2014. Meanwhile they are exposed to connections coming from a 2019 to 2020 environment: software, network connections, systems, platforms and so on.

And, even though everybody is interested in the cyber performance of the systems, with the objective of improving safety, reducing the environmental impact or improving the OPEX and the fleet optimization, the processes that are being used to achieve these are all definitely 2019 technology. Not those of 2014 or before. But they are being applied to ships and operating systems designed and built around 2010. So definitely the cyber performance that we see as a goal, and where the return on investment is expected, strongly relies and depends on cyber safety and cybersecurity. This may be overlooked when cyber security investment decisions are made.

Support in Regulatory Compliance

If there is no immediate return on cybersecurity investment, one can seek support in regulatory compliance. There are regulatory bodies issuing guidelines and recommendations in terms of cybersecurity, but as was pretty obvious from the panels this morning, cybersecurity is a concern but they have bigger concerns coming, IMO 2020 for example.

What is the motivation for a hacker to penetrate a vessel system?

Cyber-crime has become a real business model. It’s not only about ransomware but it’s also about crypto mining. Crypto mining alone generated 2.5 billion dollars in revenue for hackers in the first half of 2018. The Iranian situation also highlights political reasons. Eco-terrorism can also be considered at a certain point – and lots of information is manipulated. Shipping does not always have a good role in that, as illustrated by the hoax on how the world’s 15 biggest ships create as much pollution as all the cars in the world, which has circulated on the Internet since 2009 in one form or another.

Recovery Plan

Being able to detect, prevent or avoid intrusion is one thing, but the vocabulary which is being used by IACS and by other bodies is now about resilience. It’s not only about being protected; it’s also about having a recovery plan and something in place in case something happens. And that’s a tricky game; the more you put protection in place, the more you become a trophy in the eyes of a potential intruder. So the more you protect, the more you become at risk, and that’s a new chicken-and-egg problem. So you have to be ready to recover when something happens. Because eventually, something will happen.

Recommendations

IACS has issued recommendations to help ship owners and ship managers prevent cyber events. These recommendations cover the establishment of a software inventory, management of software and system upgrades, physical security of the local controls, having a local control when the systems are connected remotely, and having contingency plans available onboard to recover from anything happening when the ship is out of reach for remote connections.

How will it help shipowners?

In order to help ship owners and ship operators comply with cyber industry requirements and best practice, BV has developed a set of cyber rules (NR659). By applying the first level of these rules, shipowners and operators qualify for a “Cyber Managed” class notation certifying that an initial cyber risk assessment has been performed; that mitigation measures have been implemented; that relevant cybersecurity documentation (repository, policies, etc.) has been developed; and that staff have been trained to establish cyber policies. It’s basically a certification that cyber security, and more broadly cyber resilience, is properly managed onboard.


Source: Safety4Sea
