In June, cyber security researchers at Pen Test Partners warned that poor cyber hygiene and vulnerabilities in operating technology are exposing shipping companies to a range of cyber threats including; physical damage, business interruption and the potential theft of cargo.
Using proof-of-concept attacks, Pen Test demonstrated how vulnerabilities and weak security procedures, associated with satellite communications and electronic navigation systems, could be used to gain remote access to a vessel’s control systems. Pen Test also showed how hacking Electronic Chart Display (Ecdis) systems could force ships off course, causing a collision or grounding, or even to block or disrupt busy shipping routes like the English Channel. In June 2017, 20 ships in the Black Sea reported receiving false GPS data in, what is believed to have been, a spoofing attack.
Pen Test previously warned of the threat posed to container ships from vulnerabilities in cargo loading plan software and procedures. Hackers could prevent loading and unloading by infecting on-board systems, or even sink a vessel by affecting stability. The firm also warned that vulnerabilities could enable criminals to re-route containers and steal their contents – in 2012 Australian customs cargo systems were hacked, and a year later the Port of Antwerp discovered that drug cartels had hacked its systems as part of a scheme to smuggle drugs and firearms through the port.
Like many other sectors, the shipping industry is going digital. New ships are bristling with technology, while port and cargo operations are becoming increasingly digitalised and automated.
According to the Global Marine Technology Trends report, marine technology is likely to evolve rapidly over the next decade or so. Sensors, big data and analytics, robotics and autonomous systems will revolutionise the sector by 2030, it predicts. Such advances are expected to bring huge efficiencies and improved safety, but they will also bring challenges. Interdependencies are likely to rise, while shipping companies and the wider logistics supply chain could become vulnerable to crippling outages of critical systems and destructive cyber attacks.
Vessels increasingly employ sensors for maintenance and performance monitoring, while operating technology controls propulsion, steering and stability. However, such technology often relies on legacy systems that may be remote and difficult to maintain and update. Common weaknesses include; the use of obsolete and unsupported operating systems, out-dated antivirus software, the use of default administrator accounts and passwords, and limited use of system segmentation.
Cyber security in the maritime industry is likely to become even more challenging as the Internet of Things becomes more common place and integrates with IT systems and networks.
Historically, ocean-going vessels are seen as remote and the shipping industry of little interest to hackers. In reality, the maritime industry is an attractive target for cyber criminals and nation states looking to cause physical damage and disruption, or to carry out criminal acts such as theft or extortion.
Ransomware, extortion and phishing attacks have already led to some high profile incidents in the maritime sector. Last year the NotPetya malware attack caused massive disruption for shipping company Maersk, costing the company USD 200-300 million. Maersk, which took a week to restore its systems, was unable to dock and unload containers at 76 ports and was forced to reinstall 4,000 servers, 45,000 computers and 2,500 applications. In 2017, UK shipping brokerage Clarksons revealed that it had been the victim of cyber extortion, after cyber criminals hacked into its systems and stole confidential client data.
TURNING A SUPER TANKER
Cyber security has been slow to develop in the sector, but regulation and standards are developing. The International Maritime Organisation (IMO), for example, issued interim cyber security risk management guidelines in 2016 and has given ship owners and managers until 2021 to incorporate cyber risk management into ship safety. Last year the US Coast Guard (USCG) and the Department of Homeland Security (DHS) proposed new cyber security draft guidelines, while shipping group BIMCO published updated cyber security guidelines for shippers.
Classification Societies are also looking to help ship owners and operators bolster cyber-resilience. The International Association of Classification Societies has established a joint industry working group focused on cyber safety, while classification society DNV GL recently introduced cyber class notations for control systems to help ship owners and operators protect their assets from cyber security incidents.
Interest in cyber insurance has been growing in the maritime industry, and has accelerated since the NotPetya cyber attack, which caused significant disruption to the logistics supply chain. In particular, shipping companies are exploring insurance solutions for business interruption and the risks associated with automation and connected control systems.
Download Cyber Decoder Newsletter
For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on firstname.lastname@example.org.