Maersk cyber attack sharpens regulatory focus

A new cyber security regulatory regime could be on the cards. Credit: Press Association

The maritime industry is bracing for a potential new cyber security regulatory regime as shipowners, shipyards, and terminal operators reassess their vulnerability to an attack such as the one that crippled the world’s biggest container ship operator.

As of 6 July, operations at Maersk were running “close to normal” after an outside virus infiltrated the Copenhagen-based company’s information technology (IT) systems on 27 June. The cyber attack, aimed at government agencies in Ukraine before spreading, caused disruptions worldwide at Maersk’s terminal operator subsidiary APM Terminals (APMT) and the liner carriers and alliances that feed into them.

Asked about any internal damage caused by the attack, a Maersk spokesman told IHS Markit, “At present we do not have any indication or presumption that data [including personal data] have been leaked to or reviewed/accessed by any unauthorised third parties outside of the Maersk Group.”

Container ship operator Mediterranean Shipping Company (MSC), which along with Maersk forms the 2M liner network, confirmed on 3 July that its operations were running smoothly in the wake of the disruptions at APMT.

“With some of these terminals on shutdown last week, Maersk and MSC activated the necessary contingency plans,” MSC said in a statement. “Several vessels were diverted to other terminals to ensure that customers’ cargoes were not unduly delayed. MSC and Maersk have found alternative ways to transfer data for items such as load lists and bayplans, and this is not significantly affecting vessel [estimated times of arrival].”

Cyber security experts acting as liaisons between government and industry are convinced that the Maersk attack could be a watershed moment for shipping, and could place more urgency on maritime policy being considered on every level.

“This is going to expedite what the US Coast Guard [USCG] is doing, whether it’s policy, standards, or guidance, and will certainly underscore the importance and seriousness of what the federal government will expect of the private sector,” said Norma Krayem, a senior policy advisor at the law firm Holland & Knight who specialises in supply chain security.

“It’s not just about the commercial impact that a cyber attack has on a company like Maersk, but the larger national security and economic considerations that go with that,” she added.

Kate Belmont, a cyber security specialist at the law firm Blank Rome, went further. “Events such as these often have the potential to lead to regulatory initiatives, both in the US and abroad,” Belmont told IHS Markit. “Unfortunately, due to the continually evolving and advancing risks and threats of cyber-attacks, it was only a matter of time before [the maritime industry] ended up on the front page.”

Shipping had gotten serious about cyber security before Maersk made headlines. The USCG published a cyber security strategy in 2015 that included voluntary guidelines to address cyber incidents. In early 2016, a consortium of cargo vessel groups that included BIMCO, INTERCARGO, and INTERTANKO published industry-backed guidelines addressing cyber incidents on board ships.

Regulators paid greater attention to cyber security risks this year when the USCG issued a policy letter underscoring requirements within the US Maritime Transportation Security Act that obligate vessel and facility operators to report “without delay” suspicious cyber activity and security breaches to the USCG National Response Center.

The guidance gives owners and operators the option of reporting to the National Cybersecurity and Communications Integration Center, the federal government’s clearing house for cyber incidents across all industry sectors, depending on the nature of the threat.

In November 2016, the Maritime Safety Committee (MSC), a discussion group within the International Maritime Organization, agreed to delay a decision on whether to make interim cyber security guidelines mandatory.

That decision was approved in June at MSC 98, when the committee also adopted a resolution encouraging flag states to address cyber risks in vessel safety management systems “no later than the first annual verification of the company’s Document of Compliance” after 1 January 2021.

Class societies, which help the industry comply with regulations on the books, have also been affected by escalating cyber risks.

“The focus on cyber safety is increasing, and that is changing the expectations [the] industry has for classification services,” said ABS president Christopher Wiernicki earlier this year.

The Houston, Texas-based ABS society was the first class society to offer a notation that can be used to help evaluate a vessel’s exposure to cyber risk.

Container operator Hapag-Lloyd considers cyber attacks a “permanent challenge” for the industry.

“We have already faced several attempts to hack our systems – but so far we have been able to successfully fight them,” Hapag-Lloyd spokesman Nils Haupt told IHS Markit.

He noted that Hapag-Lloyd has an action plan in the case of a breach, with “sophisticated and progressive systems in place, and that our set up is pretty good”, although he declined to disclose details.

He revealed, however, that “if [cargo] bookings were suspended for 24 hours, we would need [an additional] maximum 24 hours to clear the backlog.”

In a cyber security survey conducted by IHS Markit and BIMCO (see chart below) last year, 21% of respondents revealed they had been a victim of a cyber attack. So far, however, the cyber regulatory regime in place, aimed at reducing the risks of such an attack, has been based on voluntary guidelines and recommendations. Big vessel operators think it should stay that way.

“The nature of the beast is such that you can’t come up with a one-size-fits-all regulation,” World Shipping Council president John Butler told IHS Markit – Butler’s members represent over 90% of the world’s container ship capacity.

“Everyone has different systems, different vulnerabilities, and different protections built in. It’s really a process of getting appropriately trained people in place to analyse the vulnerabilities of the systems and take measures to button them up,” said Butler.

His assessment of what regulators might be up against in trying to make cyber guidelines and policy mandatory is underscored in the details of the IT breach against Maersk.

The attack, originally reported as a type of ransomware, was later identified as the ‘NotPetya’ virus, which simulates ransomware but is in fact “destructive wiper malware disguised as ransomware”, according to EC-Council, the world’s largest cyber security technical certification body.

Lars Jensen, CEO of security firm Cyber Keel, explained that the NotPetya virus essentially overwrites the master boot record. That means that the infected computers and systems will not be able to start, and therefore the user will not be able to access files, with re-installing data from scratch the only remedy.

“There is no way to protect [yourself] from such an attack,” said Jensen. What you have to do is “design and configure your systems to prevent the virus from spreading. If Maersk had applied the appropriate patches and configured their systems correctly, the virus should not have spread.”

Jensen emphasised, however, that Maersk should not be blamed for being penetrated in the first place because penetration is inevitable. The question is how well the company is equipped to deal with such a breach, he said.

Although Maersk’s ships were not directly affected by the latest cyber attack, the increasing connectivity of vessels to the internet, and the likely evolution of maritime autonomous surface ships, is increasing the risk of attacks on vessels – thus further complicating the breach scenarios that must be considered by regulators.

Tipping the scale, however – at least in the United States – could be laws passed by the US Congress and signed into law by President Donald Trump, who has made cyber security within the maritime sector a priority.

Congress passed a trillion-dollar government spending bill signed by Trump on 5 May that includes a provision requiring the US Department of Homeland Security (DHS), along with the US Director of National Intelligence, to submit a report on cyber security threats against US maritime shipping, including “entities conducting significant operations” at ports.

The provision requires that the USCG provide a status report on efforts “to include cyber security concerns in the National Response Framework, Emergency Support Functions, or both, relating to the shipping or ports of the United States”.

A week later, Trump signed an executive order directing agency chiefs to provide a risk management report to the secretary of the DHS and the director of the Office of Management and Budget within 90 days, including the amount of money requested to carry out mitigation measures.

A solution that could reduce the need for formal regulations is solving the problem from the ground up.

O Kitamura, a naval architect and engineering manager at Japan shipbuilder Mitsubishi Heavy Industries, as well as a member of the Active Shipbuilding Experts’ Federation (ASEF), said it would be impractical for the thousands of shipyards to have proprietary cyber security teams.

However, with the key International Association of Classification Societies (IACS) members developing their own cyber security systems and protocols, yards can liaise with classes to form a more comprehensive system. IACS’ joint independent working group (JWG) on cyber security first met about 18 months ago, and is now working on defining the risks involved.

“Identifying a unified risk is not possible, so the group must consider how to design, equip, and verify a system,” said Kitamura. He added that the JWG is still at the conceptual stage of development and so its systems are not verified.

Dave Iwamoto, ASEF council member and a member of Japan Marine United’s planning department, told IHS Markit that shipyards are not experts on cyber security technology. “Cyber security is not so simple,” he explained. “It goes back to ship design and integrating the systems at the time of the ship’s design … we need to see how we can benefit from a system integrator’s view.”

ASEF wants to be a part of a broader, more long-term solution to the problem of maritime cyber security. That goal is certainly considered to be essential by Jensen, whose company conducted a survey in 2014 following the ‘Heartbleed’ and ‘Poodle’ data encryption cyber attacks using a sample of ports and shipping lines.

The results, as was the case with the IHS Markit survey, were sobering: 70% of the sample had not used the patches to protect their systems.

“Following the Maersk attack, we repeated the survey and found that after two-and-a-half years, 10% of lines and 20% of ports had still not applied the patch protection against Heartbleed and Poodle. Moreover, 44% of the top 50 lines displayed weaknesses in their cyber security,” Jensen asserted.

As a result, Jensen concluded, “There were areas where Maersk’s contingency could be improved, but Maersk is one of the few [maritime] companies that is assigning resources to the problem.”

He said that it should serve as a warning to vessel operators that are less equipped to deal with a cyber breach about what could be awaiting them.
