SAS cyber roundtable identifies weaknesses in the system

SAS cyber roundtable at Nor-Shipping. Credit: IHS Markit

From a maritime cyber perspective, it is unanimously agreed that the ‘human element’ remains the weakest link in a firm’s defense. But at the Safety at Sea and BIMCO cyber roundtable, held at Nor-Shipping in Oslo in early June, it was clear that addressing this weakness is a far trickier task.

While humans can certainly be better taught to identify the hallmarks of a potential phishing effort, ship crews and port employees are not cyber experts. Speaking at the maritime cyber security roundtable, sponsored by ABS Advanced Solutions, on 5 June, Lewis Woodcock, cyber security expert at Maersk, outlined what the industry is dealing with. “NotPetya was a state-sponsored cyber weapon,” he said, referencing the 2017 cyber attack, which heavily impacted Maersk Line. “It was a supply chain attack, which targeted a specific type of accountancy software used in Ukraine. The exploit didn’t rely on a single missing patch.”

The attack completely confounded Maersk’s own cyber experts on shore, with the company being forced to communicate on WhatsApp in order not to transmit the virus. “We lost around 49,000 endpoints [for the uninitiated: servers, routers, and PCs/laptops] and all of these servers had to be rebuilt, meaning we had to rebuild our entire IT infrastructure over 10 days,” Woodcock told the roundtable.

In the face of a state-sponsored attack like NotPetya, Woodcock explained, almost nothing could be done; but shipping companies should still have a plan in place. “Start with the worst-case scenario for a cyber attack,” Woodcock said. “Think about all the different teams that will be involved – commercial, legal, human resource teams. Ensure there are no silos.

“Try to keep communication aligned without the assumption of access to email or intranet. We have to think about what other channels we would have to use. We cannot stop every future attack, so the mindset changes to ‘when’ and not ‘if’.”

When it comes to keeping systems offline, part of the focus has typically been on keeping the realm of internet-connected IT away from sensitive operational technology (OT) systems. These can be incredibly easy to disrupt; as they are often bespoke systems, if just one parameter is incorrect they will shut down.

Keeping IT and OT separate is normally done using so-called “air gaps”. A physical disconnect between two systems yields the quite reasonable presumption that malware will never cross between them. “The idea is that we don’t have to worry about interactions between this system and that system, because they’re not connected. For example, the navigation system and the crew entertainment system – they do not connect. But then, an engineer physically removes a panel, sees a wire.”

Chris Dewitt, senior technical advisor at ABS, uses the example of a printer to demonstrate how vulnerable mixing OT and IT can be. Most printers have a wired interface, but also a WPS Wi-Fi interface for remote connections. “In this case there are two access points, one of which – the wired – is known, the other – the wireless – unknown,” he said. “There are automated exploit tools that are designed to take advantage of that exact thing.”

All systems, then, must be hardened against cyber attack. As one attendee described it, crew and employees are akin to “white-hat hackers” – revealing issues that would not otherwise have been considered. “In this industry we are trained in redundancy; we build all of our other systems with redundancy, and cyber security is no different. Think: have I built my company structure, my processes, with redundancy?”

The law has yet to catch up with cyber crime, explained insurance expert Hari Krishna. “Not much has changed,” he said. “From an insurance perspective, there is certainly the understanding that cyber is ‘out there’.

“Buybacks are becoming the norm. People are buying back their risks. This is happening because almost no one is doing their business in an offline world.” According to Krishna, insurers may be unwilling to cover a vessel whose owner has shown inadequate preparation for a cyber attack. “A lack of adequate cyber-risk protection might cause a ship to be unseaworthy, legally speaking,” he said.

It should not be forgotten that the motivation for a cyber attack is almost always some form of financial gain, whether it be simple extortion, theft of financial information, or simply an attempt to misappropriate funds. “We are dealing with situations in the Middle East; bunker suppliers have been attacked, fake invoices to accounts in Bolivia.

“One London insurance broker got an invoice apparently from a long-standing customer, and just paid the money,” Krishna indicated, giving the lie to the notion that ship crew are uniquely susceptible. “Before you make a payment, pick up the phone and check the banking details. You’re less likely to be caught up in a war between countries than to be attacked for financial gain.”

Even so, said Kevin Jones, head of the Maritime Cybersecurity Research Group at Plymouth University, uniquely asset-heavy shipping differs from banking, legal, media, or many of the other segments frequently targeted. Here, there is a large proportion of vulnerable OT in the system. Jones’ facility at the university includes a ‘cyber-range’ – where various original equipment manufacturers (OEMs) send their equipment to be bombarded, in a controlled environment, with the worst humanity has to offer. “We play with some truly obnoxious malware,” said Jones. “We have a cyber ship lab, where we bring in real world kit, set it up in a configuration akin to what you would find on a ship bridge, and do nasty things to it. We test the setup more than the individual devices.”

The facility has put together a risk model for cyber, to help organisations identify where their weak points are. “The risk model we have includes all the vulnerabilities, what can be done to exploit them, and also the possible motivations for doing so.”

The latter is extremely important for owners handling politically sensitive trades, said Jones, echoing Dewitt’s earlier statement, “If a nation state wants to get inside your company, they’ll get in. You need to know who is likely to be interested in targeting you, and why.”

Collective responsibility will be necessary for dealing with cyber attacks going forward, both in terms of shoreside staff being prepared to take responsibility for the safety and security of their crews and vessels, and in terms of companies assisting one another. There exist myriad incentives to keep quiet when a cyber breach happens, Intelsat Maritime director Shane Rossbacher explained. “Relevant training coming down from the management to the staff and crew on board is key,” he said. “But people need to recognise that a cyber security breach has occurred, and there is a responsibility to come forward and ensure that these issues are known.”

All have a role to play in protecting their fellows, suggested Rossbacher. “One of the lessons we took from the discussion today is that we are all part of the maritime supply chain, and have a key role to play, and a responsibility to ensure the security of our partners, and of our end users.”