To some it’s considered a non-issue but cyber attacks are starting to hit the shipping industry and the concerns are beginning to mount.
In a digital age, any individual or organisation that makes use of the latest technology is a potential victim to cybercrime. For a great many players in shipping, the issue has been seen as something that happens to others, especially those with large bank balances. However, this attitude ignores the fact that cyber attacks are not always connected with criminal gain.
Sadly, in a world which relies on modern technology there are always what might be termed digital vandals who have the ability to attack systems for no reason than to enjoy the wanton destruction and anxiety that they can cause to others. With some of these problems, the perpetrators have no idea of the hazards they can cause but in other cases they know full well what the results might be but persist regardless.
There has been much debate in the shipping industry over the last few years about the potential threat of cyber attack but until last June, no organisation had come forward to publicly admit to having been a victim of cybercrime. It was then that Maersk revealed that it had suffered in the global outbreak of the NotPetya ransomware.
Initially the attacks that affected several business and governmental computer networks was suspected as being a blackmail attempt as after the attacks, computers flashed messages demanding $300 in Bitcoin. However, while such a trivial sum would not have been a major loss for any of the victims, it soon became clear that this was not the point of the attack, but mindless vandalism was.
Regardless of the reason, Maersk’s business definitely suffered as a consequence of the attack. Container bookings and terminal management was disrupted for at least two weeks and a $300m loss in revenue. Maersk put some of the blame for the problems it encountered down to vulnerabilities in its Microsoft Windows operating system saying, “This cyber-attack was a previously unseen type of malware, and updates and patches applied to both the Windows systems and antivirus were not an effective protection in this case".
Severe consequences should be wake-up call
In January this year at the World Economic Forum in Davos, AP Møller-Maersk Chairman, Jim Hagemann Snabe revealed that as a consequence of the June attack, the company was forced to completely rebuild its IT infrastructure over a period of just ten days. The rebuild involved the replacement of a staggering 4,000 servers and 45,000 computers as well as 2,500 applications.
AP Møller-Maersk is significantly larger than most shipowning and operating companies and of course its business includes aspects such as terminals that others are not involved in. Even so, the extent of the actions necessary for a smaller operator to recover from a similar attack could be something that might result in financial failure.
Maersk is most definitely not the only shipping business that has suffered a cyberattack. At the end of November last year, Clarksons the shipbroking and research specialist issued an announcement saying that it had suffered a cybersecurity incident which involved unauthorised access to the company’s computer systems.
The announcement was made after Clarksons had taken remedial action and comments by Andi Case, CEO of Clarksons suggested that a ransom attempt may have been involved. In the announcement the company warned clients that some confidential information may be released by the hackers. Initial investigations showed the unauthorised access was gained via a single and isolated user account and Clarksons said it had put in place additional security measures to prevent a similar incident happening in the future.
In January this year, the Danish shipowners’ organisation, Danish Shipping reported the results of a survey it had undertaken. The survey from Danish Shipping CEO panel, in which 26 senior executives participated, shows that cybercrime has become more important on the shipping companies' agenda.
According to the survey, 42%. of the senior executives indicate that they are very worried or extremely worried that their company will be attacked or that their data will be lost in the coming 12 months. The concern is based on a concrete threat as approximately 69%. of the companies have been subject to cybercrime over the last year according to the responses to the panel. Whether the same companies are involved or not was not made clear but apparently 69% of the companies have increased their IT security budgets over the past year.
Danish Shipping’s Executive Director, Maria Skipper Schwenn elaborated on the target of the cyberattacks saying that those reported were against shipping companies’ land-based systems and not against ships at sea. “Therefore, it is not the ships and the safety of the crew that is of the greatest concern but attacks on land-based systems and the consequences of these", said Skipper Schwenn.
"Consequently, we encourage all our members to take the threat seriously and we will work closely with the authorities to ensure that our members are better equipped to fight the threat. Therefore, it is also good to see that shipping companies prioritise larger budgets for IT security", she said.
Support from several quarters
Just as with the introduction of safety management and security systems, the cyber threat has resulted in a growing number of specialist consultancy services. A good many of these may prove to be expensive mistakes but unlike the ISM and ISPS codes, the subject is one that shipowners may have very little practical experience of.
Class societies have been quick to come up with advice and initiatives often with the assistance of third parties. An aspect that class is most concerned with is the increasing connectivity of ships; something that they – along with many other organisations – have actively encouraged in recent years. In advocating the benefits of connectivity, it is quite likely that the threat of cyberattack was not something that was high on the agenda in the early days.
Ensuring that systems on board ships are less vulnerable to cyberattack is now filtering through to class and equipment makers as evidenced by an announcement last year of the type approval by DNV GL of a Kongsberg Control system. The two had worked together in developing a new type approval process. Bent Erik Bjørkli, VP Digital Performance at Kongsberg Maritime explained that a factor in the project was the increasing focus from customers in the cyber security of the connected systems on their vessels. “This was why we were so interested to work together with DNV GL on the development of the new type approval. With the new type approval, we can now demonstrate the security of our systems through an independent verification process,” he said.
DNV GL and Kongsberg had spent a year developing a new type approval programme for the cyber security assessment of control system components: “Security Assessment of Control System Components, DNVGL-CP-0231”. The pilot system has been K-IMS, a core component in Kongsberg’s digital ecosystem Kognifai. Designed in accordance with the principles in IEC 62443-4-2 and IEC 61162-460, the type approval programme focuses on verifying both the technical reliability and cyber security of control systems.
Odd Magne Nesvåg, Head of Control Systems at DNV GL – Maritime. Said that the new type approval programme demonstrates the cyber security capability of onboard systems. “By choosing this new voluntary type approval for their systems, maritime vendors now have a way to show their customers they meet a set of independently developed and verified quality standards in an area that is becoming ever more important in today’s connected maritime industry,” he said.
Around the same time, ABS Chairman, President and CEO Christopher J Wiernicki was calling on class and insurance to work together when addressing the American Institute of Marine Underwriters (AIMU). “Building on our safety and risk control focus, class and insurance are in a unique position to lead in several areas – specifically, simplifying and establishing common terminology as well as delivering exceptional products and solutions like cyber programs and notations,” Wiernicki said.
“Maritime safety depends increasingly on cyber-enabled physical systems and integrated information technology and operational technology efforts, so safety-related standards and services, including class and insurance, must recognise and address this as the safety system that no one sees,” he added.
This January, French classification society Bureau Veritas signed an agreement with offshore operator Bourbon to develop and deploy automation and real-time monitoring fleet applications. One of the first will involve the DP operations of Bourbon’s vessels. Bureau Veritas will provide classification of the connectivity systems, and both partners will work together to address potential cyber security issues.
On the cyber security side, Bureau Veritas has also established a global partnership agreement with APSYS, an Airbus company specialising in product security, which will be leveraged to help identify and mitigate risks linked to data collection and communication between Bourbon’s vessels and shore-based infrastructure.
Based on this risk assessment, which will incorporate best practices from APSYS’s work in the aerospace sector, Bureau Veritas will be able to issue cyber security certification for any products developed, as well as class notations for ships it deems to meet global industry security standards.
Protecting key systems
Another partnership involving class brings together Lloyd's Register and Israel-based cyber security specialist Naval Dome. The two have signed a Memorandum of Understanding (MoU) aimed at establishing standards and guidelines for maritime cyber defence.
As part of the collaboration agreement, LR will carry out a series of pilot tests using the company’s cyber security software onboard a LR-classed vessel. The Naval Dome system is the first multi-layer cyber defence solution developed specifically for maritime applications.
Itai Sela, Chief Executive Officer, Naval Dome, said: “The lack of guidelines and standards for creating a more secure maritime environment is the shipping industry’s Achilles’ heel. With human operator error the cause of a significant number of security breaches, the MoU we have signed with Lloyd’s Register will help create a more effective end-to-end solution for cyber defence.”
Using intelligence agency security technology, Naval Dome’s device blocks internal and external cyber-attacks to provide maximum protection with minimal human intervention. It integrates with existing systems and software, providing real-time cyber alerts and blocks malicious files to prevent unauthorised access to critical systems and data.
Earlier, in the year Naval Dome had highlighted the ease with which ships’ navigation systems could be hijacked and how its products could prevent such attacks. The tests have convinced Israel-based Totem Plus to incorporate the protection into its range of navigation equipment that includes ECDIS, IMAC (Integrated Monitoring, Alarm & Control), VDR and BAM (Bridge Alert Management) systems.
Capt. Azriel Rahav, Chief Executive Officer, Totem Plus, said: “We are proud to be a pioneer of cutting edge maritime systems. Being able to offer the first maritime multi-layer cyber defence solution with our navigation and automation systems provides unrivalled protection to our customers. I don’t think any other ECDIS provider can offer this level of security without impacting performance.”