Cyber security strategies need to take into account two very different types of target and reasons for attack – deliberate or unintentional. Financial gain is at the root of most cyber-crime so it might be assumed that companies considered wealthy will be targeted as highest priority, but as many will be prepared to testify there is no lower limit and criminals will chase tens or hundreds of dollars just as readily as thousands or tens of thousands.
There has been so much publicity around computer frauds and things such as false invoices and unusual bank transactions that logically astute business people should not be fooled by such practices but that is no guarantee that they will not. Bill of Lading fraud has existed for centuries and still occurs regularly and while the ways in which paper frauds are perpetrated are well understood the potential for new ways of defrauding with digital documents is massive and not well understood at all. This sort of fraud has big implications for shipowners because the value of cargoes usually far outweighs the value of ships.
To the old frauds can be added new methods such as ransom attacks in which a piece of malware takes control of computer systems and the attacker only promises to restore control on payment of a ransom.
Financial fraud has an obvious driving factor but cyberattacks on computer networks can merely be malicious perpetrated by hackers who gain some perverse pleasure from their delinquent activity.
A malicious attack on a ship operator can be very debilitating and prevent cargo bookings, production of cargo documents, payments of ships dues and supply invoices that could lead to an arrest of the ship and so much more. Attacks on shore networks need to be addressed because of the financial loss and disruption to services but attacks to systems and networks on ships are a clear danger to life and property. When it comes to protecting commercial
information and even commercial assets, the onus is clearly upon the shipowner to establish needs and put appropriate measures in place. However, when it is security of ports, nations and safety of navigation that is threatened something more – or perhaps less – is needed.
The concept of e-navigation and the inevitable increase of electronics and software/firmware in systems and instruments pose risks that need to be addressed now before they have the potential to become the cause of a disaster. As previously mentioned, early computer use on ships was limited to the stowage and loading computer and word processors. Neither of these systems was connected to each other or to any other ship systems. However, since then shipping has seen the advent of integrated navigation systems and mandatory carriage of ECDIS, and with VDR data from all of the main systems are fed into one place with the possibility of contamination growing all the time. There is no requirement under any aspect of SOLAS or STCW for crew to have training in IT with regard to anti-virus security or system recovery except under GMDSS where it is an option for ensuring system availability. It is certainly not part of the ship security officer’s role under ISPS or of the safety officer’s under ISM, even if the ISM Code does require essential systems to be available at all times.
Often the operating system of navigation equipment is proprietary and even if a seafarer has been given training in one system there is no guarantee that his expertise would be useful in the case of a different maker’s equipment. System makers have naturally promoted the benefits of their equipment but have been less forthcoming on the potential for systems to be infected by viruses. An ECDIS for example could be updated with electronic notice to mariner data using a memory stick that may last have been used to download something entirely different from an internet site or another personal device that has been infected by a virus or bot.
If a virus or malware can so easily be introduced into a ship’s navigation systems with the result that alarms are not sounded when appropriate or if in a worst case scenario, control of the ship is hijacked by someone on shore it is no use relying on the ship operator having put in place appropriate safeguards. More to the point, ships which are unaffected by a cyber-attack may be put at risk by another that is.