Some 310 hacks against operational technology (OT) were reported throughout 2019, compared with 120 in 2018 and 50 in 2017, according to data from maritime defence company Naval Dome, in what appears to be a marked three-year increase in cyber attacks.
Robert Rizika, head of Naval Dome’s North American operations, described the surge in attacks as “alarming” at a recent virtual conference.
Much of the increase may be accounted for by shifting attitudes to cyber attack reporting in the wake of the 2017 NotPetya ransomware, which resulted in a USD300 million loss for Maersk. Nevertheless, the maritime industry is likely to under-report cyber attacks because of fears over reputation damage. The Safety at Sea and BIMCO Maritime Cyber Security survey 2020 findings indicate that less than 12% of the 227 respondents would consider notifying flag states or insurers, or reporting via an external channel, despite 30% having experienced a cyber attack in 2019. Sixty-three per cent of the respondents said they had received cyber-security training.
OT networks are particularly vulnerable because they are connected directly to the systems that run individual devices on a ship, such as an electronic chart display and information system (ECDIS) or ballast water pumps. These systems are brittle and, because many of them are bespoke, have not been updated since they were first installed.
“Unlike the IT infrastructure, there is no ‘dashboard’ for the OT network allowing operators to see the health of all connected systems,” Rizika explained. “Operators rarely know if an attack has taken place, invariably writing up any anomaly as a system error, system failure, or requiring restart. They don’t know how to describe something unfamiliar to them. Systems are being attacked but they are not logged as such and, subsequently, the IT network gets infected.
“What is interesting is that many operators believe they have this protected with traditional cyber security, but the firewalls and software protecting the IT side do not protect individual systems on the OT network.”
Indeed, while OT systems are rarely designed with connectivity in mind, modern ship design stipulates that they be integrated – connecting them with other systems that are vulnerable to remote connections. Ideally, ‘air gaps’ should separate OT networks into internet-enabled and IT-based groups, but in practice, accidentally bridging these gaps is a very easy mistake to make.
“There will be a whole series of new cyber-security openings through which people can attack if systems are not properly protected,” Rizika said. “There is a disconnect between IT and OT security. There is no real segregation between the networks. People can come in on the OT side and penetrate the IT side. We are actually seeing this now. Successful IT network hacks have their origins in initial penetration of the OT system.”
The Safety at Sea and BIMCO Maritime Cyber Security 2020 survey found that only 10% of respondents view OT as their biggest cyber vulnerability, with IT systems coming in at 17%. Meanwhile, 52% perceived their organisation’s ‘people’ as the highest cyber risk. As to OT cyber threats, 42% said their company protects vessels from these threats; however, some respondents went so far as to describe their company policy on OT cyber risk as “careless”.
Shipowners and managers have until 1 January 2021 to incorporate cyber-risk management into their safety management system or risk their vessels being detained by port state control.