Maritime Cyber Alert
For some years now, the maritime sector has experienced breaches of various computer and information technology (IT) systems. Primarily, these breaches have been collateral damage. The maritime sector has almost never been the intended target. That does not mean that the damage has been minor. In June 2017, A.P. Moller-Maersk suffered a major cyber-attack. The malware had been designed by Russian hackers to disrupt the Ukrainian power sector. Once released, though, it proved to be indiscriminate, infecting IT systems worldwide that had not been kept up to date. In the case of A.P. Moller-Maersk, its container ships and associated ports were most impacted, halting operations for a while and causing economic damages of up to $300 million. The company had to scrub 40,000 devices to fully remove the malware. The Ports of Barcelona and San Diego and the American division of COSCO Shipping Lines have also been impacted by untargeted cyber-attacks.
Recently, hackers have commenced actions specifically targeting the maritime sector.
Most targeted hacking is accomplished via spear-phishing. The hackers modify legitimate emails using tools such as EmailPicky so that the message appears to retain a legitimate sender’s name and address, but they add malware so that the recipient infects the IT system by downloading the attachment. Alternatively, the hacker crafts a fake email from a legitimate sender with instructions to transfer funds to the hacker’s ghost account. Payment of fraudulent billings sometimes goes on for months before it is discovered. Between 2011 and 2013, drug dealers used spear-phishing to hack the Port of Antwerp IT system and arrange pickups of drugs hidden in shipping containers.
Agreeing to connect to an unknown network can also result in the unwitting downloading of malware. Once that malware is on a device with access to another network, such as that of a shipping company, the malware can easily spread throughout the entire network unless robust cybersecurity protocols are in place.
Many individuals and business entities utilize simple passwords (e.g., ABC123) and never change their passwords. These practices are the electronic equivalent of unlocked doors for hackers.
Software producers regularly issue updates and patches to their products. They also retire older products, replacing them with new, more sophisticated versions. It is vital that software users install these updates and patches promptly and replace retired software. A software producer issues an update or patch when a flaw in a product is discovered. That update or patch often discloses, perhaps inadvertently, what the flaw was. Hackers utilize that information to exploit the IT systems that utilize the product but do not keep it current.
An infected IT system can be directed to provide hackers with sensitive commercial information or to upload additional malicious software. In some instances, that malicious software consists of ransomware. Ransomware is designed to freeze the IT system or copy sensitive data and send a ransom demand to the system administrator. If the ransom is paid (generally in bitcoins or another electronic currency), the IT system is released or the data returned, but not always. Numerous public and private entities have been the subjects of ransomware attacks, including law enforcement agencies, hospitals, municipal governments, shipping companies, and in 2017, the major British shipping services firm Clarkson Plc.
The Australian shipbuilder Austral Limited was also the apparent subject of a ransomware attack.
The Internet of Things (IoT) has made access to information and control systems easier. This has created expansive opportunities for improved efficiencies. Connected devices and systems offer the possibility of ubiquitous access, which equates to more possible entry points for both authorized and unauthorized users. As more devices become connected to each other and to the internet, the overall risk and impact of a compromise increase, along with the possibility of a cascading effect in the event of a cyber attack. Navigation, propulsion, and other vessel operation systems can be hijacked.
Following are a few of the steps that may be taken to reduce the risk of cyber attack:
• Use unique passwords and change them on a regular basis.
• Install software updates and patches promptly upon receipt.
• Routinely check the IT system for malware.
• Back up data frequently onto a stand-alone device disconnected from the IT system.
• Use two-factor authentication. It is an effective means of ensuring that persons seeking access to an IT system are properly authorized, but few entities utilize it.
• Provide cyber security training. Since the threat evolves rapidly, the training must be continual.
The US Coast Guard recently issued a Marine Safety Information Bulletin advising the maritime industry to be on guard against email phishing and malware intrusion attempts. Cyber adversaries were reported to be attempting to gain access to sensitive information including the content of notice of arrival (NOA) messages. Masters of US vessels were reminded of the obligation to report suspicious cyber activity to the USCG National Response Center (NRC). Unsolicited emails, particularly those requesting sensitive information or including attachments, should be verified by contacting the sending entity via separate means prior to acting or downloading any attachments.
Cyber security procedures and protocols must be laid out in the safety management system (SMS) of the vessel and the company. Failure to do so constitutes a deficiency and may result in the vessel being determined unseaworthy.
Baltic and International Maritime Council (BIMCO), the largest international shipping association, has developed a new cyber security clause for use in maritime contracts requiring parties to implement cyber security procedures and systems to reduce the risk of an incident.
The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) jointly developed the information security standard ISO/IEC 27001. The standard specifies a management system intended to bring information security under management control and lays out specific requirements for conformance. Organizations meeting those requirements may be certified by an accredited certification body following successful completion of an audit. Such certification is generally considered the gold standard in cyber security.
Cyber experts say that there are two kinds of company IT systems: those known to have been hacked and those that don’t yet know that they have been hacked. This may be an overstatement, but not by far. There are so many threats, and the sophistication of those threats is increasing so fast, that IT system administrators are getting overwhelmed. Entities and individuals should take as many steps as possible to protect their IT systems and data. Continual vigilance is required.