How hackers are targeting the shipping industry
Brian Lord, CEO
The BBC item covering the cyber threat to shipping industry provided several examples of different parts of the industry being subject to various types of ‘cyber attack’. It also cited the collective maritime sector as being historically complacent about the risk.
What is missing from the article is a more detailed insight into those whom would be likely to carry out such nefarious activity and the extent to which it is peculiar to the shipping industry. So is it something the shipping industry has to think about that no other sector does, or is it simply a manifestation of the same risk faced by organisations of other sectors?
The penetration identified by CyberKeel is not unusual and certainly not peculiar to the shipping industry. Invoice manipulation is a global simple criminal phenomenon and this type of attack is a common to any organisation which processes large number of invoices and which relies upon e-mail as the delivery and receipt mechanism. While reasonable sophisticated monitoring technology may detect the hostile presence on the network, this is equally a matter about simple financial controls and procedures that even the most basic control measures should have put in place.
The ‘NotPetya’ proliferation, which was clearly an experiment to determine the extent to which large organisations could be rendered inoperable by tying together publicly available exploits and malware, was equally not targeted specifically at the shipping industry, but at large organisations who can traditionally survive simple Ransomware campaigns by virtue of their routine back-ups and network configuration.
The costs to Maersk are illustrative of any multi-national organisation which relies almost entirely upon technology to operate and whose technical maintenance regime is woefully insufficient relative to the level of organisational dependence placed upon it. Within this context, it is largely irrelevant whether the authors of NotPetya were State actors developing deniable cyber disruptive techniques, or organised criminals experimenting with the next generation of high yield extortion capability, the open source nature of the component parts means that the most basic cyber security hygiene measure would have mitigated the scale of impact on these organisations.
The example of piracy exploitation of container management systems selection of high yield containers once again is not a technique peculiar to shipping. It is, in fact, no different to any criminal exploiting insurance company records to discover what valuables are held in which domestic properties, or a logistics company to determine the warehouses in which the most valuable stock is kept.
Since the dawn of civilisation criminals have found ways to determine the optimum time and place to conduct the lowest risk, highest yield robberies. So as with all data, the additional levels of protection need to be afforded to data sets that are worth most to those who wish to monetise it. And the insurance world has a particular role to play in this arena using the same criteria as they use to any theft coverage.
Which leave the highly dramatic and Holywood’esque scenarios of hacking into shipping navigation and control systems in order to inflict disruptive effect. This starts to get more specific to certain types of industry, but once again not peculiar to shipping. It is certainly true that State capability of all nationalities is looking at ways to disrupt adversaries critical national infrastructure and to ‘militarise’ on-line capability.
The need for investment in effective back-up systems has been highlighted after two high profile incidents. Firstly, there was last year’s incident off the coast of Korea when North Korea was accused of being behind the mass jamming of dozens of South Korean vessels. This was followed by another serious incident in June this year when the GPS signals of 20 ships in the Black Sea were hacked to indicate they were 32km inland.
Whilst the previous biggest worry for GPS is that it can be jammed by masking the GPS satellite signal with noise, it is relatively easy to detect and GPS receivers sound an alarm when they lose the signal due to jamming. However, reports have suggested this latest incident may be Russia playing with new capability and, although it has not yet been confirmed, experts think this is the first documented use of widespread GPS misdirection. Furthermore, as with all aggressive cyber capabilities, the ability to develop hostile activity is not just limited to state actors and so it is important that technical counter measures are not the sole solution, but also modern system design introduces independent back-up capability. This is true of all providers of critical national infrastructure, where disruption of normal operations can serve the purposes of several actors with malicious intent.
So the solutions are not purely technological ones, since there are ways around every single technical counter measure put in place, but they are a blend of technical, physical, personnel and educative control measures. Most cyber threats can be managed down to tolerable levels; but only if the investment is made in organisational understanding of the threat. The recent UK Cyber Governance Health Check survey clearly indicated that 2/3 of organisational leadership had little or no adequate knowledge to manage the risk. If you understand any risk, you can manage it, invest in the right things in the right priority to counter the threats that affect you most. Our experience shows that strategic awareness of the real, not perceived risk, yields huge benefits and sensible balanced counter measures.
Shipping is no different to any other industry; it is not at a greater or lesser risk. But like many other industries, it is sliding behind the understanding curve, and allowing the risk to become a threat.
We help organisations around the world find the cyber security strategy that fits their specific threats and requirements. Talk to us about how we can help you: firstname.lastname@example.org or +44 (0) 845 600 4403