Understanding cyber risk – from C-Level to sea-level

June 27, 2017

RansomScreen

To say that the WannaCry malware attack has been a wake-up call for shipping would be an understatement. An attack organised by hackers and spread through networked computers across the world brought home the risks of operating on outdated platforms and the ease of infecting multiple systems by clicking on apparently innocent-looking emails.

Of course these days there is no such thing. Even daily users of communications technology must have their credulity front and centre at all times. Even then, the risk of infection is greater than most people imagine and the chances of things going wrong are magnified without having training, awareness and protocols in place.

Gaining anything other than anecdotal evidence from shipping companies of the problems they have had with cyber security is difficult. This is in part because many attacks go unreported, but more evidence is emerging of the kind of risks that shipping companies face, as well as the impact on their business.

One UK-based shipping company had ransomware installed and their data locked. They chose not to pay the ransom and subsequently lost a considerable amount of that data. A shipping company in Asia had a similar experience but did pay the ransom and are taking steps to secure themselves against a repeat occurrence.

A European operator was subject to a phone fraud where hackers compromised the PIN codes used to protect the accounts department phone lines while the offices were closed. Some 81 successful calls were reported and total losses exceeded E1,200 before the fraud was identified and blocked.

The telephone network operator in the country concerned later told the company that more than 20,000 similar frauds took place during the first five months of 2017.

The scale of the problem is daunting and the task of managing it often falls to an IT department whose budgets and technical expertise are already under pressure. As we have noted here in previous cyber articles, Cyber ‘is everybody’s problem’ in the sense that decisions made at C-Level will flow down to sea-level.

And it is here, so the industry believes, that many of the greatest risks lie. Seafarers keen for news from home, entertainment and diversion are considered one of the weakest links in the chain.

This is perhaps an unfair focus – especially when we consider that, according to research by Inmarsat, 90% of those it surveyed had received no cyber security training at all. Even if vulnerability to infection is heavily weighted towards operational staff and crew it is equally valid to consider how well-trained and cyber-aware are shoreside office users.

However, the fact remains that ships are home to a lot of outdated IT infrastructure – including systems vulnerable to hacking, which begs the question of how the industry can apply cyber hygiene if the foundations are potentially unstable?

In addition, it’s not unusual for systems to be compromised long before an attack happens – hackers tend to gain access then wait for an opening that will deliver a large prize – which suggests that there may be significant numbers of already compromised floating assets.

Hackers are motivated by money and by accolades from other hackers, which makes them unpredictable, but it’s not just about malicious hacking.

An arguably greater risk is the connectedness of shipboard systems that used to be discrete. Failures from software and hardware upgrade/update problems are already a major headache. More anecdotal evidence suggests there are owners who confess that they have not lost one dollar to hacking but have lost thousands on software failures.

There are preventative steps that can be taken, around awareness building, best practice and improving procedures, that needn’t cost a lot of money. The costs of a clean-up are much higher.

And as always in shipping, the regulators are watching. Cyber is already implicitly covered under the ISPS and ISM Codes and it could be argued that until or unless there is greater regulatory attention, some owners will continue to view cyber as an irritant rather than a threat to business continuity.

Certainly the evidence from the recent Nor-Shipping cyber panel is that lawmakers and industry associations view vessels in port – and the ports themselves – as holding potentially the greatest threat of infection.

Any future regulation thus needs to take a co-ordinated approach from ship to port and along the supply chain to end users. The impact of ‘shared risk’ – the spread of infection beyond corporate borders and therefore impact on potentially critical systems – could have a serious effect far beyond the ship itself.

While some companies will always try to stay one step ahead of the hackers, others will argue that there is no such thing as 100% cyber security because criminals will continue to develop new threats.

Either way, the responsibility for demonstrating cyber-resilience rests with each individual company and cannot be ignored. This is especially true where your operations run the risk of spreading infection to the systems of your business partners.

GNS recognizes that while individual companies and vessels have their own policies and procedures to guard against the impact of cyber-attacks, there is still a critical need for a programme that can be adopted by crew and those responsible for vessel operations.

Its recent article ‘Six simple steps to cyber security at sea’ applies the concept of layered defence, an approach that relies upon a number of independent but complementary measures that work together to defend against the threat.

Each one of the layers plays its own individual role in protecting against cyber threats, but the combination of measures makes life even more difficult for those that threaten the integrity of IT and other systems.

The programme has been designed as a simple guide that can be adopted by those in the front line of maintaining vessel safety. The six steps are not designed to be exhaustive, but for operators in need of practical advance, they are a very good place to start.