Ships under cyberattack
Ships in the maritime sector are increasingly becoming victims of cyberattacks related both to IP theft and cyberwarfare. Shipping is the lifeblood of the global economy, dominating trade; trade routes interconnect all nations that engage in commerce. Ships are also becoming increasingly digitised, using the latest IT to store data, new technologies and advanced GPS. Therefore, it has become easier for hackers, whether state actors, pirates, military intelligence or cybercriminals, to attack the shipping industry digitally. The maritime sector by its nature holds many companies in its supply chain, which allows, as noted in Chapter 3 on Japan in the book, indirect entry by hackers into the computer systems.
It is the requirements of the maritime sector, which is more directly globally interconnected than most, that allow hackers to enter through the backdoor and exploit IoT systems. Captain Ozgur Dogan Gunes, a Turkish Master Mariner with a software development background who is based in Shanghai, hacked into two Hong Kong vessels in five minutes. Gunes obtained the password and all the data he could gather from the ships’ databases. He stated that the small to medium bulk carriers were sent a courtesy call from him explaining how cyber unready they were and open to reputational and operational loss if discovered by others. Gunes noted that both shipowners had outsourced their IT to the same third party, which left wide gaps in their basic cybersecurity systems.
A survey of 6,000 active seafarers in March 2018 by the consultancy company Futurenautics revealed that 47% of the respondents had sailed on ships that had been the victims of cyberattacks, and only 15% of them had any cybersecurity training. Surprisingly, just 33% of respondents stated that the last shipping company they worked for had a policy to regularly change passwords onboard while 18% noted that the company they last worked for had a policy to change default equipment passwords onboard.1
A report in January 2020 from PricewaterhouseCoopers (PwC) highlighted the fact that as the shipping industry becomes more interconnected (like the IoT), it needs a plan to respond to cyber events in a proportionate and measured way. PwC further suggested that members of the board should always make security due diligence their primary concern when acquiring new software or new businesses. Ken Munro of the cybersecurity firm Pen Test Partners suggested that hackers are attracted to sectors with the weakest security countermeasures. What is the point of hackers developing expensive, sophisticated tools to carry out cyberattacks on banks if they can just use an XP Windows software programme to obtain the same financial rewards through obtaining personnel data to hold their victims to ransom?
In a poll in October 2018 of Lloyd's List readers, only 6% of the maritime industry felt confident it could deal with a cyberattack. This poll came shortly before a major survey conducted by the Copenhagen-based trade association Global Maritime Forum, insurer Marsh and the International Union of Marine Insurance as part of its Global Maritime Issues Monitor 2018 report. This study, which was based on the research of senior maritime stakeholders from over 50 countries, found that cyberattacks and data theft were the weak links in the maritime industry. Cybersecurity was regarded as the most pressing for shipping of 17 global issues highlighted. Compared to aerospace and aviation industries, the International Maritime Organization (IMO) was late in viewing cybersecurity as a pressing need for the maritime sector. The IMO in 2016 issued interim guidelines on ‘Maritime cyber risk management’ but has since chosen to amend its general security codes, the International Ship and Port Facility Security Code and International Security Management Code to include amendments on cybersecurity but not new guidelines. These will not be enforced until 1 January 2021. This has left BIMCO (Baltic and International Maritime Council) and the US Coast Guard, for example, to cover maritime cybersecurity issues, which are outlined in this chapter.
The June 2017 NotPetya cyberattack was the one that increasingly focused the attention of the maritime industry on being prepared through countermeasures to cyberattack. Danish shipping company Maersk lost between US$ 250 million and US$ 300 million because of this brutal cyber hacking that closed down IT systems across multiple sites and businesses. Luckily for the maritime industry, shipping companies did not rush and spend millions on cyber solutions without carefully assessing the vulnerabilities. Below are outlined a number of vulnerabilities and solutions undertaken by shipowners and port owners.
John Boles, the former head of the FBI’s global cyber operations and investigations division and currently director of global consultancy Ankura, noted that the lack of regulatory pressure in the international maritime sector has given a false sense of security. Like in the banking and power grid sectors, it is the level of lack of information sharing and the under-reporting of cyberattacks that he finds of greatest concern. However, as in other sectors, those owners of shipping companies and ports have the tendency to believe their reputation will be damaged if they are found to be victims of cyberattack, which will undermine clients’ trust in them.2
Therefore, with increased digitisation and greater connectivity such as IoT, cyber-risk mitigation measures need to be pursued.
Acceleration of maritime cyberattacks
Cyberattacks on ships are accelerating at an alarming rate as noted by cybersecurity consultants Red Sky Alliance, which have in tandem with Dryad Global, maritime security specialists, begun to publish weekly the names of ships that have been appearing in malicious e-mails. Malware and phishing e-mails have been used most widely by hackers. The most common subject headlines to entice those in the shipping industry to open e-mail attachments and links are motor vessels (MV) and motor tankers (MT). Vessels are being impersonated with such malicious e-mails. Such spoofing cyberattacks are targeted at various levels of supply-chain companies. In the week of 25 February, for example, malicious e-mails trying to insert Trojan malware named Wacatac into unsuspecting supply-chain computer systems also contained a D variant for the first time. Hackers are developing new hacking tools each day and in February 2020 started using Maersk again for spoofing purposes as Maersk was the victim of a notorious cyberattack in 2017.3
In 2017, the Russian military intelligence (GRU) launched an unprecedented cyberattack on companies worldwide with Maersk and Federal Express experiencing billions of US dollars in damage. This was the infamous NotPetya cyberattack that was carried out to inflict maximum damage on Ukraine but also subjected the shipping operations of Maersk and Federal Express to extensive damage. It could be seen as part of the Russian attempt to use hybrid warfare, which combines actual conventional attacks on physical infrastructure with cyberwarfare tactics disabling critical infrastructure such as ports, shipping terminals and related IoT computer systems. This attack was also linked to a cyberattack on Georgia that shut down websites and television broadcasting. Britain, Australia and other European nations all concurred with the US State Department that these cyberattacks were carried out by Russia’s Main Centre for Technology, a part of the GRU military intelligence.4
In 2018, a number of ports around the world experienced a variety of cyberattacks. The port of San Diego during this time period was subject to a ransomware attack that demanded Bitcoin be paid to re-open computer systems. The attack caused limited functionality to a variety of services such as access to public record requests and business services. The port of Barcelona also suffered a cyberattack and Cosco shipping was victim to a severe cyberattack linked to the port of Long Beach in California. Dr Giovanni Vigna of the University of California, Santa Barbara’s Centre for Cybersecurity noted that shipping ports handle sensitive information that attracts financial fraud and spear-phishing cyberattacks. As such personnel-, financial- and military-related data becomes increasingly digitised, the greater the cyber risk. Dr Vigna suggested that shippers need to become more aware of the cyber threat and invest more in protection.5
Cyberattacks in the Asia-Pacific
As nine out of ten of the busiest container ports are based in the Asia-Pacific region, the region is subject to increased cyberattack. If a sustained cyberattack virus infected 15 of the major ports in Japan, China, South Korea and so forth, a study commissioned by Lloyd’s notes that it could lead to US$ 110 billion in losses. At current rates of insurance coverage that would leave roughly US$ 101 billion uninsured.
The report produced by the University of Cambridge Centre for Risk Studies under Cyber Risk Management projected that 92% of the global economy would not only be unprepared but also uninsured for losses. Angela Kelly, the Country Manager for Singapore at Lloyd’s, noted that cyber risk is one of the most complex and critical risks facing the maritime industry today. As the implementation of new technology and automation progresses, risk managers and insurers need to work together to plan insurance solutions.
The report notes further that such a projected large-scale attack outlined in the report would not only cause severe disruption to the ports and economy in the Asia-Pacific region but would also impact the global economy because of interconnectivity and global supply chains.
The research report estimates that losses in productivity would affect every country that has bilateral trade with the ports that experienced the cyberattack. Estimated losses would be up to US$ 27 billion in indirect economic losses in Asia, in Europe US$ 623 million and US$ 266 million in North America.
Claims on insurance would emanate from 50% of port operators, 21% of insured losses along the supply chain and 16% of insured losses from logistics and cargo-handling companies.6
Understanding cyber risks
In June 2019, PwC held an audit roundtable with the Audit Committee Chairs of US-listed shipping companies highlighting the need for a greater awareness of cybersecurity issues in shipping. One of the crucial issues highlighted at the roundtable was the need for a holistic, vertical team effort approach to cybersecurity measures including top management, board members, risk technology, legal, operations and auditors. This is especially needed as ships become digitised, with less manning and more complexity.
The complexity lies in particular with operations technology (OT) and the interconnectedness of IoT, which expands the IT surfaces of ships opening avenues for cyberattack that damages critical operational infrastructure. It was noted at the roundtable that there is a good deal of OT that remains unmanaged in relation to cyber-risk issues and it was suggested that it is essential that as a minimum course of action it should be understood and monitored.
It was also noted that software developers need to create cyber-resilient software bespoke to the requirements of ships, which have different critical infrastructure than other industries. As with smart grids as mentioned in the previous chapter of this book, regulatory bodies and policy-makers have a role in such developments to mitigate cyberattacks.
Awareness training for mariners was suggested as an important initiative to stop ships from becoming the entry point for cyber infection of allied corporate networks. As with IoT, ships could be an indirect and unsuspected way to infiltrate the corporate networks they are linked to, such as parent companies that hold valuable IP and personnel databases.
Maritime industries have their own distinctive ecosystems that include actual vessels, ports, parent shipping companies, supply chains and software designers that all require protection from cyberattack.7
IoT, as mentioned many times in the course of this book, is an especially complex cyber risk. A report commissioned by Inmarsat in 2018 noted that in the next three years shipowners intend to spend US$ 2.5 million on IoT cyber solutions. IoT solutions were to comprise the largest part of ships’ IT budgets in relation to adoption of new-generation technology. Japanese companies were the foremost adopters of IoT technology while Greek shipowners were found to be the most conservative. Of 125 respondents in the Inmarsat report, 65% were found to be using IoT cyber solutions for the purposes of monitoring fuel consumption. That percentage should rise to 100% by 2023.8
The Guidelines on Cybersecurity Onboard Ships outline a number of cyber threats for ships in particular.
One is the activist, including the disgruntled-employee threat that can disrupt operational services and involve reputational loss. The objective can be among others, destruction or publication of sensitive data, to gain attention from the media or DoS. IP theft would occur in the first two objectives and the first and third could involve a form of cyberwarfare to obtain data concerning personnel for recruitment purposes by adversaries and using the media in a propaganda war.
The second are criminals seeking financial gain, commercial or industrial espionage. The end gain would be selling and ransoming stolen data, ransoming system operability, organising fraudulent transportation of cargo and intelligence such as finding the exact location of cargo. Again, IP theft would be part of the first item and cyberwarfare part of the last item. Stealing and selling IP can be a lucrative business for cybercriminals although most criminals after pecuniary gain do not understand the real value of IP. Cybercriminals/mercenaries would use knowing the exact location of cargo to steal military equipment and be involved, for example, in the fraudulent transportation of military equipment to illegal war zones.
The third are opportunists who carry out cyberattacks for the challenge of it. Their aim is to break through cyber defences and for financial gain, neither of which would readily involve IP theft or cyberwarfare purposes, as these types of hackers are more interested in proving themselves.
The fourth are rival governments and state actors which act for geo-political gain and espionage. The objective is to gain knowledge and disrupt economies and critical infrastructure. Both IP theft and cyberwarfare are integral parts of such cyberattacks. IP theft can include naval blueprints for military technical advancement of an adversary to assist in gaining global dominance. Ports and ships are essential parts of global trade with the bulk of global trade being carried out through maritime activities. To use cyberattacks on ships and ports would be a major disruption to the global economy.
The Guidelines make a distinction between two different types of cyberattacks in relation to shipping. One comprises an untargeted attack whereby a company or ship’s systems and data are one of many potential targets. The second is a targeted attack whereby the company or ship’s systems and data are the actual target.9