Cybercrime the curse of the computer age
When communications were only about voice transmissions and Morse code sound signals, the only danger to a ship’s operation and safety was from a misinterpretation of instructions or a wrong decoding by the radio operator. The improvement of communications due to modern electronic systems has been hailed as a revolution in shipping but while that may be true to some extent, it has also brought new hazards that can have even more drastic consequences than was previously the case.
Cyberattacks can come in a variety of forms from targeted ransomeware to less dangerous malware and viruses. This is not something that has just happened as most operators have experience dating back to the 1990s of virus attacks on PC supplied for stowage and loading purposes and as word processors for preparing various documents. Mostly these were caused by crew members loading pirated computer games on the machines and the consequences were either a need to reload all official software or in the worst cases arrange for a replacement machine. Since the PCs were stand-alone devices, the problem was limited if in some cases quite costly to put right.
Today a cyberattack is likely to be more problematical and have a more malicious intent. Shipping has been quite silent in publicising attacks at least until the summer of 2017 when AP Møller Maersk was the victim of a cyberattack. After recovering from the computer issues triggered by the NotPetya cyberattack, Maersk revealed that the problems would cost the company as much as $300m in lost revenue but has since revised the figure upward and has admitted that every PC in the organisation was changed.
More recently another leading liner operator revealed that taking into account all malicious activity including random phishing e-mails and more targeted hacking events, the number of attacks it undergoes on a daily basis exceeds 1,200 individual events.
There is no shortage of advice in the shipping industry on tackling cyber security: the IMO, BIMCO, Class societies, P&I clubs and others have all produced documents dealing with the issue. The IMO has issued MSC-FAL.1/Circ.3 Guidelines on maritime
cyber risk management which provide high-level recommendations on cyber risk management and include functional elements that support effective cyber risk management. The MSC at its 98th session in June 2017, also adopted Resolution MSC.428(98) - Maritime Cyber Risk Management in Safety Management Systems.
The BIMCO Guidelines are the results of input from no less than 16 organisations from shipping companies to communications providers. In the classification society sphere, most leading societies have published their own guidance and some have also devised class notations for vessels where best practices are employed.
For those interested in reading the advice, copies of the various documents can usually be accessed from the issuing party’s website. Free of charge in the case of BIMCO, ABS and LR.
In addition to all of the advice issued by shipping bodies there is a much wider choice of general advice available from other industries and governments around the globe. All of these documents can be studied to gain an understanding of the issues involved, but in many cases much of the advice requires an in-depth knowledge of IT and is sometimes on a level that is too technical for non-experts in the field to understand. The advice suggests systems that can be put in place to guard against cyberattack and areas that need to be identified for further examination. Security measures such as protecting systems with passwords and other means and also limiting access to essential systems to approved personnel only.
Protective systems such as passwords and limited access work in theory but require dedication if they are to continue to remain effective. Passwords are often revealed unintentionally and even shared against company policy if work circumstances are eased by doing so – especially at sea where time pressures and illness make ad hoc arrangements necessary. Then too there is the issue of staff leaving organisations and passwords not being changed immediately so that person can continue to have access. Issues such as that are worsened when password access to elements of a network is also granted to customers and clients. Segregated networks can assist to some degree, but not when media is moved between workstations on different segregated nodes.
Although many consider that the cloud offers security against data loss due to computer failure or theft, this is only true to a certain extent. Cloud storage is often duplicated on different servers to ensure accessibility and survivability of data in case of system failure. What it cannot protect against is the survival of the company providing the service. In the event of a bankruptcy it is likely that equipment will be seized and disposed of in order to raise funds to settle debts. In such circumstances, essential and irreplaceable data could easily be lost. It is possible for the owner of the data to establish their own personal cloud which would overcome this problem but it is the convenience of not having to purchase equipment, maintain facilities and employ IT staff that makes cloud services attractive. One of the least recognised sources of cyberattack is in seemingly innocuous items such as printers. Until recently a printer was an unsophisticated piece of equipment that did not have the capability to be compromised. However, modern versions have firmware which can be updated automatically if the equipment is connected to an internet enabled network. Quite often the factory default setting is for the device to communicate with the manufacturer immediately it is installed and at regular times thereafter. There have been known cases of the firmware updating communications having been maliciously altered to cause problems for the network the device is connected to. A less sophisticated device or else switching off the updating software may be a sensible precaution.
Cyber security strategies need to take into account two very different types of target and reasons for attack – deliberate or unintentional. Financial gain is at the root of most cyber-crime so it might be assumed that companies considered wealthy will be targeted as highest priority, but as many will be prepared to testify there is no lower limit and criminals will chase tens or hundreds of dollars just as readily as thousands or tens of thousands.
There has been so much publicity around computer frauds and things such as false invoices and unusual bank transactions that logically astute business people should not be fooled by such practices but that is no guarantee that they will not. Bill of lading fraud has existed for centuries and still occurs regularly and while the ways in which paper frauds are perpetrated are well understood the potential for new ways of defrauding with digital documents is massive and not well understood at all. This sort of fraud has big implications for shipowners because the value of cargoes usually far outweighs the value of ships.
To the old frauds can be added new methods such as ransom attacks in which a piece of malware takes control of computer systems and the attacker only promises to restore control on payment of a ransom. Financial fraud has an obvious driving factor but cyberattacks on computer networks can merely be malicious perpetrated by hackers who gain some perverse pleasure from their delinquent activity.
A malicious attack on a ship operator can be very debilitating and prevent cargo bookings, production of cargo documents, payments of ships dues and supply invoices that could lead to an arrest of the ship and so much more. Attacks on shore networks
need to be addressed because of the financial loss and disruption to services but attacks to systems and networks on ships are a clear danger to life and property. When it comes to protecting commercial information and even commercial assets, the onus is clearly upon the shipowner to establish needs and put appropriate measures in place. However, when it is security of ports, nations and safety of navigation that is threatened something more – or perhaps less – is needed.
The concept of e-navigation and the inevitable increase of electronics and software/firmware in systems and instruments pose risks that need to be addressed now before they have the potential to become the cause of a disaster. As previously mentioned, early computer use on ships was limited to the stowage and loading computer and word processors. Neither of these systems was connected to each other or to any other ship systems. However, since then shipping has seen the advent of integrated navigation systems and mandatory carriage of ECDIS, and with VDR data from all of the main systems are fed into one place with the possibility of contamination
growing all the time. There is no requirement under any aspect of SOLAS or STCW for crew to have training in IT with regard to anti-virus security or system recovery except under GMDSS where it is an option for ensuring system availability. It is certainly not part of the ship security officer’s role under ISPS or of the safety officer’s under ISM, even if the ISM Code does require essential systems to be available at all times.
Often the operating system of navigation equipment is proprietary and even if a seafarer has been given training in one system there is no guarantee that his expertise would be useful in the case of a different maker’s equipment. System makers have naturally promoted the benefits of their equipment but have been less forthcoming on the potential for systems to be infected by viruses. An ECDIS for example could be updated with electronic notice to mariner data using a memory stick that may last have been used to download something entirely different from an internet site or another personal device that has been infected by a virus or bot.
If a virus or malware can so easily be introduced into a ship’s navigation systems with the result that alarms are not sounded when appropriate or if in a worst case scenario, control of the ship is hijacked by someone on shore it is no use relying on the ship operator having put in place appropriate safeguards. More to the point, ships which are unaffected by a cyber-attack may be put at risk by another that is.
Communication systems – a source of vulnerability
Communication systems are another area where recent changes bring risks that perhaps were not though of at the initial stages of rollout. For the last decade, two things have been promoted as the future – crew communications and equipment monitoring.
Crew communications obviously have a welfare element but the traffic in and out is not intended to be monitored by officers and if the virus protection or firewalls that may be in place are not regularly updated then a system can easily be compromised.
It is hard if not impossible to prevent crew from innocently opening attachments to e-mails which they believe to be genuine but which may be malicious attempts to attack the system from which it is activated. However, if the problem of cybercrime continues to grow, ship operators may have no option but to limit crew communications in some way.
Equipment monitoring should not present a threat in itself but since it uses the communications system to send data, there is always a possibility that a compromised communication system could under some circumstances transmit corrupt data that could be interpreted as there being a problem that requires attention when no such situation actually exists. Where equipment monitoring also extends into the possibility to make remote adjustments to settings then the possibility for more threatening situations arises