Collaboration and communication are key to safety in shipping, according to the secretary general of the International Maritime Organization (IMO), Kitack Lim.
Speaking at the Safety At Sea awards ceremony, which took place during September’s London International Shipping Week, Lim closed his official speech and then told the surprised audience that he wanted to take a little more of their time to emphasise his point that safety and security must be an industry-wide effort.
Earlier the same day, BIMCO’s manager for maritime security, Phil Tinsley, had been delivering a similar message to delegates gathered for a series of lectures on cyber security at the Cavalry & Guards Club in central London.
In particular, Tinsley praised Maersk for its openness during the recent NotPetya attack that the Danish company suffered. Tinsley said Maersk had helped the industry greatly by publicising the attack, this was a “great benefit to the industry”.
However, Tinsley also pointed out that the scale of the cyber threat faced by the maritime industry remained uncertain because of the reluctance of owners to speak out and share their experiences. He pointed to the recent GPS attack in the Black Sea, which had seen hackers reportedly set a course for a number of ships that would see them converge on an airport.
In another event that has emerged in the Gulf of Guinea, cyber criminals sent spoof emails in an attempt to discover details of containerised cargoes with a view to possibly attacking the vessels and breaking open containers with more valuable cargoes.
Meanwhile, the CSO Alliance, an organisation dedicated to improving the communication between company cyber security officers, is now recording instances of cyber crime for an industry website, with the event details explained, but the descriptions ‘sanitised’ and identifying names or vessel descriptions removed.
One such case was highlighted by CSO Alliance director Mark Sutcliffe, who told the LISW audience that a container vessel had recently been stopped in the English Channel in May this year following an event where crew had inserted a contaminated USB stick into the vessel’s systems.
The malware quickly spread through the ship’s systems, forcing the vessel to close down all operations for two days while specialists were brought to the vessel to cleanse the systems.
Such events are not rare, as Gideon Lenkey, director of technology at the Cyprus-based cyber-security firm EPSCO-Ra, told IHS Markit. Lenkey confirmed that in the vast majority of cases he was aware of the shipowners’ reluctance to give details of cyber attacks as they feared clients would see the ship operator as a security risk.
EPSCO-Ra, however, also believes the industry must learn to talk as a method of developing its defences against the cyber threat.
A case study, written by EPSCO-Ra MD Lance Savaria, in co-operation with the Cyprus Shipping Chamber (CSC) was, “prepared to show a ‘real life’ snapshot of a company”, specifically “a shipowner, technical-operations manager, and crew manager and how they, in the early stages, are evaluating and implementing a programme of cyber security for their ships with online connectivity”.
However, the writers caution that it “should be recognised that this is not an all-inclusive guidance or evaluation and does not critically assess their efforts. Rather, it is intended to contribute to the greater discussion of maritime cyber security by exposure to what is likely [to be] a typical case and find some value to their cyber-security efforts”.
What is more, the report attempts to identify the initial view of cyber security by the company and what efforts were made to assign responsibilities within the company to staff and what resources were allocated to cyber security.
The ship operator is a large company that operates as an owner and technical operator that includes crewing for more than 100 ships, including bulk carriers, tankers, and container ships, and has more than 3,000 employees in seven offices around the globe.
In the first instance the company wanted to reduce the risks posed by cyber attacks but clearly there were issues regarding vessels that were either entering or leaving ship management. The challenge was to maintain the uniform of cyber-security programmes as each ship differs in communications systems technology and operational budget.
“Efforts to establish a fleet-wide standard cyber-security strategy is an efficient way to maintain a consistent and effective level of defence and response across a fleet. “A further complexity is that shipping lines operate a mix of vessels that they either own or charter for a short period of time.”
Various vendors, port agents, and equipment suppliers, as well as company employees all visited the vessel routinely and all posed cyber risks.
The report suggests, “Knowing who is using your ship network and for what purpose is important and a real concern relating to cyber security. Discovering early malicious intent, unintentional mistakes, or poor cyber-security practices are a risk that needs to be addressed. Ship network monitoring and analysis is one way to have this capability.”
However, many vessels are now connected to the internet via VSAT and fleet broadband (FBB). The CSC report cautions that “it needs to be noted that FBB and VSAT have in-common cyber-security vulnerabilities as each is connected to the internet. FBB is likely to be a risk as the systems protecting the network are commonly older firewalls that are left with the default configuration and have never been updated. Compounding the risk is the prevalent infrequently updated antivirus [package] and out of date operating systems on computers”.
The VSAT and FBB vulnerabilities have also been highlighted by Cyber Keel MD Lars Jensen in the past. He told IHS Markit that cyber criminals could access all a vessel’s internet connected devices if the VSAT system was not secure.
Cyber Keel has conducted surveys of shipping companies in the past and Jensen said there was still a top-20 container shipping line that allowed customers to use ‘X’ as a password, while VSAT equipment was commonly found to be installed on ships at factory settings.
“Cyber hygiene is an issue for a number of shipping lines,” explained Jensen, “there is a lack of awareness of cyber-security principles and if they get the basics wrong, what are they doing behind the scenes?”
Backing up of crucial data on external hard drives that can be used to restore data is an essential first step to protecting assets.
However, the CSO Alliance has gone one step further, having developed as association with aircraft manufacturer Airbus to learn how it protects critical safety systems on board its aircraft.
Airbus was unavailable for comment. However, IHS Markit understands that it first recognised the importance of developing separate systems for various aircraft functions, so that if a hacker managed to breach one level, the aircraft’s other systems were still protected.
That lesson was first learnt when IT students boarded a plane bound for a holiday destination and they wanted to steal the films from the aircraft’s entertainment system, an Airbus insider said. “They achieved their aim, but that’s when we realised the need to protect other systems.”
Airbus is keen to help the maritime industry, which, broadly speaking, has similar IT systems to other transport modes, and therefore has similar cyber-protection issues.
Initiatives such as the CSO Alliance’s collaboration with Airbus can only be successful if shipping companies follow Maersk’s lead and are willing to share their experiences and build on the information that will provide a safer cyber environment for all.