jcpjr - Fotolia

NotPetya highlights cyber risk in shipping industry

Malware attack has shown that the shipping industry is vulnerable to cyber attacks, with Danish shipping giant Maersk reporting potential cost of up to $300m

The impact of NotPetya on the Maersk shipping operations is just the tip of the iceberg in terms of cyber attacks on the maritime sector, according to maritime cyber security firm CyberKeel.

In fact, this is nothing new, is steadily increasing – particular in the past year – and has been going on for years but is often unreported, according a report published by the company recently.

Under-reporting is typically down to the fact that victims of successful cyber attacks want to keep such incidents secret from other potential attackers and from customers, and because companies might simply be unaware that they have been breached because of a lack of IT infrastructure monitoring.

Increasing cyber attacks on industries such as shipping underlines the fact that cyber security must be a key component of any digital transformation programme, say security commentators.

The report said the maritime industry is a prime target because there is a significant need for exchanging detailed information across multiple stakeholders, which have different back-end systems and different levels of cyber security.

The maritime industry is also attractive to cyber criminals because large monetary transfers take place involving a large number of stakeholders that are often scattered across multiple countries and time zones, tempting attackers to take advantage of asynchronous systems.

The main motivation for cyber attacks includes general reasons such as stealing money, stealing information and causing disruption and loss, but there are also industry-specific motivations, such as the illegal movement of goods.

As a result, there is a significant cyber risk to the maritime industry, said the report, but executives are not addressing it effectively, despite the national security implications arising from the importance of the maritime industry to most countries.

Strategic risk decisions

This failure is partly due to the fact that executives see security as the responsibility of the IT department and that they do not understand that they need to be involved to make necessary strategic risk decisions.

Managers also typically fail to realise that people are the most vulnerable attack point, and so any cyber defence strategy must include policy to guide employee behaviour, the report said.

CyberKeel said a survey of the commercial maritime sector revealed that decision-makers generally lack awareness of cyber attacks in the maritime and related sectors. And because they see cyber security as a technical issue, it is usually delegated to the IT manager or the CIO, and is not seen as something involving the CEO, CCO, COO, CFO or the HR manager.

CyberKeel also found that many decision-makers believe cyber threats are chiefly theoretical in nature and typically doubt that anyone would have a motive to carry out a cyber attack on their company.

Despite under-reporting, there is growing evidence of cyber attacks on the maritime industry, with reported attacks demonstrating a range of malicious cyber activity.

According to the report, these activities include:

  • Stealing money using man-in-the-middle attacks to take over email exchanges between shipping firms and their suppliers to change bank accounts and channel funds to cyber criminals.
  • Deleting data relating to rates, loading, cargo number, date and place, leading to significant disruption, resulting in misdirected cargo and loss of cargo, resulting in financial loss.
  • Using malware pre-installed on barcode scanners to hack into the ERP (enterprise resource planning) systems of at least eight logistics companies to steal financial information and modify the shipping database.
  • Establishing back doors into targeted companies to extract documents, email account credentials and passwords to enable access to resources within the network.
  • Hacking into port IT systems for smuggling drugs and guns by releasing containers to collaborating truckers without the knowledge of the port or the shipping line and then removing all trace of the container.
  • Hacking into customs systems to check whether shipping containers used for smuggling were regarded as suspicious by the police or customs authorities.

The report also highlighted the vulnerability to hacking of automatic identification systems (AIS) used for tracking vessels, navigational systems, and electronic chart display and information systems (ECDIS), that has been demonstrated by various security research groups.

Security researchers found that by spoofing an AIS system, it could be possible for cyber attackers to modify all ship details, including position, course, cargo, speed and name; create “ghost” vessels at any location; alter any ship’s course by sending false weather information or triggering a false collision warning; and cause vessels to increase the frequency with which they transmit AIS data, resulting in all vessels and marine authorities being flooded by data.

The key problem with AIS is that it has no built-in security, the report said. “All information is automatically assumed as being genuine and hence treated as a correct piece of information,” it said. “Additionally, AIS messages are not encrypted and therefore very easy for outsiders to tap into and manipulate.”

The report pointed out that it is not only commercial companies in the maritime sector that are at risk: in September 2014, it was made public that the Danish Maritime Authorities had discovered they had been subjected to a successful cyber attack in 2012.

Read more about software exploits

The attack is believed to have been initiated through a pdf document infected with a virus, whereupon the attack was spread from the Danish Maritime Authorities to other Danish government institutions.

Like most cyber attacks, those directed at the maritime industry also include criminals without cyber attack skills, cyber criminals with the skills to perform advanced attacks, hacktivists and nation states, the report said.

The report noted that although criminals with no cyber attack skills are in themselves not a threat, they increasingly have access to a thriving black market, where the required cyber attack skills can be procured as a service.

In view of the wide variety of motivations and opportunities for cyber attacks against the maritime industry, it is vital to implement a risk-reducing strategy, the report said.

“This should be done both from an individual company perspective as well as from an industry-wide perspective,” it said.

According to CyberKeel, it is critical for each company to make a thorough analysis of the realistic risks it faces and make informed decisions about the level of security to implement versus the business impact and cost of such measures.

The report offers the following cyber security guidelines:

  • Look for attacks from the inside and do not rely on keeping attackers out.
  • Test applications as well as hardware for security vulnerabilities and malware.
  • Consider the human factor and implement business processes and education programmes to reduce the likelihood of social engineering attacks.
  • Become cyber resilient by through contingency plans and well as well-planned backup systems to reduce the impact of successful cyber attacks.

The report concluded by calling for an industry-wide cyber security organisation similar to those that have been created in the banking and financial services sector.

CyberKeel said it plans to take the initiative to launch a maritime industry cyber security forum, the key purposes of which will be to:

  • Establish a trusted environment wherein companies can share specific technical details of ongoing cyber attacks to allow similar companies to easily scan, detect and deflect identical attacks.
  • Establish a forum to develop practical cyber security standards that can be implemented to the benefit of all industry players.
  • Establish a forum to serve as the locus for joint-industry efforts to prioritise, and execute, testing into specific systems issues of relevance to the industry.

Jon Geater, CTO at Thales e-Security, said digital transformation is increasingly being seen as more of a Hobson’s choice for traditional large industries. “Those who fail to adopt the latest computer and data systems will be consigned to the scrap heap of history, while those that adopt them too fast leave themselves open to crippling cyber attacks,” he said.

“Logistics firms, rail companies, power, shipping – nobody is out of the crosshairs of the attackers, whether motivated financially or to cause disruption, anyone on the net is fair game and it is open season.

“As was the case with NotPetya recently, these attacks are typically financially motivated, with criminals attempting to extort money by holding important data to ransom. When data is the lifeblood of a business, having someone work their way inside and accessing it can be costly.

“With Maersk revealing that the incident could cost as much as $300m in profits, this highlights just how important it is for businesses, particularly those key to critical national infrastructure, to take a robust and hardline approach to their digital defences as a primary part of their digital transformation activities. If they opt not to do so, they – and those who rely on them – will continue to face dire consequences.”

Read more on Hackers and cybercrime prevention