Cyber security is shipping’s newest weakness
There was a time not that long ago when attacks against ships could only have involved a physical threat such as pirates, terrorists, criminals or hostile military action but as electronics and communications become ever more a part of the industry the focus has turned to cybercrime.
Whether individuals or companies we are all aware of the malicious phishing attacks that anyone with an email address is subjected to and while many do fall for them, most of us are now a little bit wiser and careful about opening suspicious messages or clicking on unknown links. E-mails are not the only means of compromising computer networks as any USB stick, or card can be a vector and so too can devices such as printers and other peripherals that are set to update their internal firmware at regular intervals.
In the early days of cyberattacks the motivation was mostly digital vandalism and although highly disrupting with records corrupted or destroyed the overall impact was quite small. Today a cyberattack is likely to be more problematical and have a more malicious intent involving theft or extortion. The shipping industry has been quite silent in publicising attacks at least until the summer of 2017 when AP Møller Maersk was the victim of a major cyberattack that made headlines around the world.
After recovering from the computer issues triggered by the NotPetya cyberattack, Maersk revealed that the problems would cost the company as much as $300m in lost revenue but has since revised the figure upward and has admitted that every PC in the organisation including those in all offices, terminals and on ships was changed.
More recently another leading liner operator revealed that taking into account all malicious activity including random phishing e-mails and more targeted hacking events, the number of attacks it undergoes on a daily basis exceeds 1,200 individual events. The rate at which the problem is growing is highlighted by comparing that figure with one quoted by DNV GL CEO Tor Svensen at CMA in 2015 when he said that over the course of 2014 only around 50 cyber threats were detected in the Norwegian energy and oil and gas sectors. It is of course possible that there were many more attempts, but they were not recognised as such or perhaps low-level threats such as phishing e-mails were not counted in the statistics.
There is no shortage of advice in the shipping industry on tackling cyber security: the IMO, BIMCO, Class societies, P&I clubs and others have all produced documents dealing with the issue. In Be Cyber Aware at Sea there is even an association that brings together all stakeholders in a forum where information and advice including on training can be accessed. In addition, the IMO has issued MSC-FAL.1/Circ.3 Guidelines on maritime cyber risk management which provide high-level recommendations on cyber risk management and include functional elements that support effective cyber risk management.
The guidelines also call on flag states to ensure that cyber security is addressed in company SMS although it is probably fair to say that governments have no more experience in combatting the problem than commercial organisations do. In fact, the problem of cyber attacks is one that even organisations which should be most secure minded seem unable to contain. The number of security breaches at banks, social networks, universities and government departments in many countries merely underlines that defence is not a simple matter.
When it comes to the shipping industry there are special factors that need to be considered. Attacks on commercial organisations aimed at theft or ransom can affect shipping companies just as any other type of business. However, not many commercial organisations have assets that operate independently long distances away from any shore office or facility.
Essential systems at risk
A decade or so ago, the prospect of a cyber attack against a ship would have been considered not only unlikely but also hardly possible. More importantly it would have had almost no real impact because those systems that were computerised on board a ship were isolated and standalone systems. There was however a fear of an incident involving jamming of GPS signals which might have caused a serious incident involving a ship. Today that might be considered akin to a cyber threat, but the term has never been applied to such a threat.
There is though a greater potential to affect the navigational equipment on board a ship now that most systems are networked through the VDR and mandatory ECDIS equipment. An ECDIS requires regular updates of navigational information and this can be done by way of broadcast data updates, CDs or USB sticks. Any of these – but particularly the last two are capable of introducing virus and malicious software into an integrated navigation system. So too are upgrades and repairs to many instruments carried out by service engineers.
Another development has been the growing use of a ship’s communication system by crew for welfare and entertainment purposes. While some owners have sought to limit this, the view that crew should have access to internet and email services has garnered support from many quarters and an owner that resists is branded heartless and reactionary. More progressive owners have moved on from only allowing telephone contact using prepaid crew calling cards and have permitted access to the communication systems for crew using their own smart phones and tablets.
Addressing the use of removable media and crew’s own equipment is something that shipowners need to put high on the list of preventative measures. Developing procedures in the fleet safety management systems is a step forward but is not one that can be depended on to protect fully against attacks.
As well as being disciplined and using removable media only for one system so as to avoid contamination, one strategy that might be given some consideration is to consider isolating essential systems from the ship’s network. In an era of connectivity this may be considered a backward step but unless there is reliable protection from the threat of cyberattack it could mean the difference between safe operation and a major incident.
Some classification societies have introduced new voluntary notations for ships where systems are protected in some way. Unlike most class notations, in many cases these reflect at least much on the management and operation of the ship as on the equipment and systems on board. Therefore, although the notation is assigned to the ship it may not carry forward to a new owner or manager.
Considering the very different problems that cybercrimes present, it is very likely that specialist assistance will be needed by some owners to prepare a strategy against it. While there are undoubtedly some consultants with the specialist skills needed, for some owners there is a very strong possibility that just as with preparing for the ISM and ISPS Codes the cost of consultancy may well exceed the potential risks.•