The BBC item covering the cyber threat to shipping industry provided several examples of different parts of the industry being subject to various types of “cyber attack”. It also cited the collective maritime sector as being historically complacent about the risk.
What is missing from the article is a more detailed insight into those whom would be likely to carry out such nefarious activity and the extent to which it is peculiar to the shipping industry. So is it something the shipping industry has to think about that no other sector does, or is it simply a manifestation of the same risk faced by organisations of other sectors?
The penetration identified by CyberKeel is not unusual and certainly not peculiar to the shipping industry. Invoice manipulation is a global simple criminal phenomenon and this type of attack is a common to any organisation which processes large number of invoices and which relies upon e-mail as the delivery and receipt mechanism. While reasonable sophisticated monitoring technology may detect the hostile presence on the network, this is equally a matter about simple financial controls and procedures that even the most basic control measures should have put in place.
The “NotPetya” proliferation, which was clearly an experiment to determine the extent to which large organisations could be rendered inoperable by tying together publicly available exploits and malware, was equally not targeted specifically at the shipping industry, but at large organisations who can traditionally survive simple Ransomware campaigns by virtue of their routine back-ups and network configuration.
The costs to Maersk are illustrative of any multi-national organisation which relies almost entirely upon technology to operate and whose technical maintenance regime is woefully insufficient relative to the level of organisational dependence placed upon it. Within this context, it is largely irrelevant whether the authors of NotPetya were State actors developing deniable cyber disruptive techniques, or organised criminals experimenting with the next generation of high yield extortion capability, the open source nature of the component parts means that the most basic cyber security hygiene measure would have mitigated the scale of impact on these organisations.
The example of piracy exploitation of container management systems selection of high yield containers once again is not a technique peculiar to shipping. It is, in fact, no different to any criminal exploiting insurance company records to discover what valuables are held in which domestic properties, or a logistics company to determine the warehouses in which the most valuable stock is kept.
Since the dawn of civilisation criminals have found ways to determine the optimum time and place to conduct the lowest risk, highest yield robberies. So as with all data, the additional levels of protection need to be afforded to data sets that are worth most to those who wish to monetise it. And the insurance world has a particular role to play in this arena using the same criteria as they use to any theft coverage.
Which leave the highly dramatic and Holywood’esque scenarios of hacking into shipping navigation and control systems in order to inflict disruptive effect. This starts to get more specific to certain types of industry, but once again not peculiar to shipping. It is certainly true that State capability of all nationalities is looking at ways to disrupt adversaries critical national infrastructure and to “militarise” on-line capability.
The need for investment in effective back-up systems has been highlighted after two high profile incidents. Firstly, there was last year’s incident off the coast of Korea when North Korea was accused of being behind the mass jamming of dozens of South Korean vessels. This was followed by another serious incident in June this year when the GPS signals of 20 ships in the Black Sea were hacked to indicate they were 32km inland.
Whilst the previous biggest worry for GPS is that it can be jammed by masking the GPS satellite signal with noise, it is relatively easy to detect and GPS receivers sound an alarm when they lose the signal due to jamming. However, reports have suggested this latest incident may be Russia playing with new capability and, although it has not yet been confirmed, experts think this is the first documented use of widespread GPS misdirection. Furthermore, as with all aggressive cyber capabilities, the ability to develop hostile activity is not just limited to state actors and so it is important that technical counter measures are not the sole solution, but also modern system design introduces independent back-up capability. This is true of all providers of critical national infrastructure, where disruption of normal operations can serve the purposes of several actors with malicious intent.
So the solutions are not purely technological ones, since there are ways around every single technical counter measure put in place, but they are a blend of technical, physical, personnel and educative control measures. Most cyber threats can be managed down to tolerable levels; but only if the investment is made in organisational understanding of the threat. The recent UK Cyber Governance Health Check survey clearly indicated that 2/3 of organisational leadership had little or no adequate knowledge to manage the risk. If you understand any risk, you can manage it, invest in the right things in the right priority to counter the threats that affect you most. Our experience shows that strategic awareness of the real, not perceived risk, yields huge benefits and sensible balanced counter measures.
Shipping is no different to any other industry; it is not at a greater or lesser risk. But like many other industries, it is sliding behind the understanding curve, and allowing the risk to become a threat.
Protection Group International believes that cyber security doesn’t need to be overly complicated, incomprehensible or vastly expensive. We specialise in delivering strategic vulnerability assessment services and offer a range of senior cyber awareness education to enable you to tackle cyber threats in-house. For more information click here.
Our partner company, Protection Vessels International, is focussed on the efficient delivery of high quality, cost effective security solutions for the maritime community. We invest in our well-maintained logistic infrastructure to enhance customers’ business continuity through the protection of their assets and people. For more information click here.
Your free global geopolitical
PGI’s Risk Portal tool provides daily intelligence feeds, country threat assessments and analytical insights, enabling clients to track, understand and navigate geopolitical threats.
The Risk Portal gives users up-to-date information and analysis on global affairs.
The Risk Portal allows users to visualise information in a unique and instantly understandable way. Mapping filters enable the visualisation of incidents by threat category, time period, perpetrator and target type.
Risk Portal users can upgrade their accounts to include the Report Builder and Country Profile Generator features. The Report Builder allows users to select information, data and images from the Risk Portal and create bespoke reports and emails.
Subscribers to PGI’s Bespoke services receive tailored analysis on specific sectors and geographies of interest, delivered at a frequency they determine.
Subscribe to our Cyber Bytes Newsletter
Keep yourself in the loop with PGI by signing up to our Monthly Cyber Bytes email. You will receive updates, tips and narrative around what has been happening in the world of information security.