Cyber attacks are becoming more frequent and significant in today’s commercial environment and there are a number of technology growth factors that drive cyber risks. Our entire lives are spent online – we work online; we shop online; we play online; we communicate online. Even our technology systems have started communicating with each other online – without us, without a human being involved.
In recent weeks we have seen the true extent of the over-reliance of large organisations on their IT systems in both the public and private sectors. And when IT systems fail or are compromised, a very real commercial issue emerges and it is not one that can be ignored.
Such incidents are now the new norm – get used to it and expect plenty more too. IT systems function to provide an organisation with availability to its information and in the cases of the recent ransomware attacks of 'WannaCry' and the arguably more destructive 'Petya', this is an attack against that availability and access.
In shipping and international logistics, this means that everything from cargo management systems, supply chain manifests, crew change tracking, personnel onboard, and onshore payment systems are unable to do what they are supposed to.
Such business disruption is extremely challenging and damaging for shipping because it is not localised to one area, but many. In a large group like Maersk, which is still reeling after this week's ransomware attack, a global cyber incident tests its business resilience to the extreme. Even if certain departments do not appear to be affected, services may be taken offline to reduce any further risk or spread, possibly compounding serious business disruption, never mind the reputational, financial, and safety risks that must be managed.
First and foremost are the direct costs associated to the event, which will include containing and eradicating the threat. With destructive malware, this is normally while the business or parts of it are offline adding further downtime cost.
With ransomware, there is the dilemma of paying the extortionists or not. If an organisation chooses to pay, it runs the risk of falling victim again and again (a weak and easy target), or as was seen recently, market demands increase. A web-hosting service in South Korea was held to ransom and agreed to pay USD1.1 million in bitcoin. The criminals originally demanded USD2 million and settled for less. This would seemingly represent the level of exposure that this company faced. To release that sort of money would suggest that there was no backup or business continuity management plans in place – and that the company was desperate. Should an organisation choose not to pay, then there is the cost of either recovering the data from backups, paying thousands of dollars to cyber-security teams (third parties I may add – presenting new risks) in consultancy fees to obtain the decryption keys, or potentially losing the data all together.
Other substantial costs could include the potential loss of profits from the disruption to IT networks, leading to loss of hire of vessels. At present it looks like ‘Petya’, the most recent cyber attack, has only reached as far as these IT networks, which is good news for vessels and operations that require the use of operating technology to run their control systems. It means that vessels can still operate and the risk of physical damage or potential loss of life is minimalised.
These incidents highlight a new type of threat. We are now starting to see intent from criminal or other threat actors that is perhaps more sophisticated in nature. It could be that attackers have learned from 'WannaCry' and honed their attack to vectors (routes in and across networks) to a point that causes real-world disruption. Vessels themselves are inherently vulnerable because no two are configured exactly the same – which in itself creates a risk – and many will also be riddled with out-of-date software, but the motivation to attack a lone single vessel is less attractive. Criminals are leveraging scale – taking out a business’s HQ or a series of port terminals is much more disruptive and damaging to an organisation than taking out a single vessel. Why take out a solider on the battlefield when you can wipe out the whole battalion? That said, people (the human factor) will always be one of the biggest vulnerabilities and criminals will look to use the human target as a gateways and access points into the companies wider operation and critical networks.
All seafarers and shoreside staff need a general basic awareness about cyber risks, not least because it’s just good practice in 2017. Safety is paramount but the maritime industry cannot hide behind a blanket of cyber awareness alone. It is simply not enough. Not when the more direct threat is financially motivated towards the business.
The latest spate of attacks show that any company – big or small – can fall victim. Imagine if critical software that is used to run payroll or manage logistics tracking is compromised and becomes inoperable; a company that can’t pay suppliers or staff or cannot locate its cargo could end up in real trouble very quickly. These hypothetical scenarios are starting to look more and more realistic every day. The online environment is growing more complex and hostile and understanding the enemy isn’t easy.
So what should we do?
Guidelines are available, including the widely accepted BIMCO ones that provide an enterprise-wide approach for cyber security on board vessels. The principles it sets out can be applied to shoreside and overall business operations too.
Organisations must take responsibility and action sooner or later or they too will end up being one of the case studies for others to learn from. There is no excuse for a shipowner or manager to not understand the need to adopt security frameworks and policies across all business units – on land and at sea.
Good cyber hygiene across all IT networks is vital. This needs to be assessed, tested, and continually reviewed.
Organisations needs should have crisis management and business continuity plans in place. These need to be tested with exercises and drills, exactly like you do with all other aspects of marine safety and security in accordance with the ISM and ISPS code
Organisations should run desktop exercises on this exact scenario, identify gaps, and work to mitigate against this very real 21st century threat. The world is changing rapidly and so too is the threat landscape.
A wise man (or industry) learns from his mistakes, but an even wiser man learns from the mistakes of others – the shipping and the offshore industries are in the cross-hairs of cyber criminals and fortune will only favoured the prepared.
Jordan Wylie is the Managing Director of JWC International and the founder of the global cyber-awareness initiative Be Cyber Aware At Sea. Jordan spent 10 years in the British military and the last eight as a maritime security adviser to shipowners. Jordan holds an MA in Maritime Security and a BA (Hons) in Risk Management (Marine) and recently developed the first UK Maritime & Coastguard Agency-recognised maritime cyber security awareness course for seafarers online (1 hour), which has also been approved by GCHQ.