Cover Story: A ‘low-hanging fruit’ for cyber criminals

A ‘one-size-fits-all’ approach to cybersecurity will not be an effective solution for the shipping industry, a security expert has warned.

Jalal Bouhdada, Founder and Principal Industrial Control Systems (ICS) Security Consultant for Netherlands-based Applied Risk, says the industry presents a “unique challenge” for hardening cyber security as every ship is different.

“A lack of standardisation across vessels means a vast mix of legacy OT has been deployed, much of which was not designed with security in mind, as well as further networked technologies which have been added over time.”

He also said a major concern encountered within maritime was the lack of recognition that a container ship is a critical environment, warranting robust protective systems like any other Operational Technology (OT) environment.

“The threat is a real one,” said Mr Bouhdada. “Researchers have demonstrated proof of concept cyber-attacks against many of the most common maritime systems, and there’s evidence of incidents at sea in which navigational computers were infected with malware on a USB stick being used for upgrades.”

A major vulnerability, he says, is the lack of cybersecurity skills, knowledge and focused training among crew members to recognise, understand and address incidents.

“For the most part, the person responsible for IT combines the role with another, leaving little time to monitor, respond to or rectify a cybersecurity breach,” he said. “In this circumstance, remote monitoring for such issues is also problematic due to a shortage of reliable bandwidth at sea.”

The lack of seafarer knowledge and focused training has also been highlighted by Templar Executives, a UK-headquartered cyber security company staffed by ex-Government employees, which delivers bespoke cyber security solutions to governments, private companies and public sector organisations. Indeed, its concern over the lack of awareness was so great that it has partnered with technology group Wärtsilä to establish a cyber academy in Singapore.

The new academy forms part of the company’s Maritime Cyber Security Centre of Excellence, along with its Maritime Cyber Response Team (MCERT) due to be launched on 1st September, also in Singapore.

The Templar Cyber Academy for Maritime (T-CAM) will enhance the cyber training available to the maritime community and courses are available for delivery in both London and Singapore. Topics range from cyber security coaching for senior management to cyber awareness for all organisational levels, along with bespoke courses. Some courses take five days but most are either half day or a day.

Andrew Fitzmaurice, Chief Executive of Templar Executives, said raising cyber security awareness was critical for the maritime culture but many companies were not carrying out the necessary training.

“Cyber hygiene can cure up to 80% of the issues and initiatives such as ‘securing the bridge’ are a good example of basic best practice – you just don’t bring electronic devices up to the bridge and plug them in, even if it is only your mobile phone charger,” he said. “Some of the malware these days is so clever and there are so many attack vectors that before you know it, environments such as your Electronic Chart and Display Information Systems (ECDIS) can be contaminated.”

He added: “Quite often the complexity of the environment means those who command ships don’t realise it’s actually a cyber-attack they are experiencing, as the fault often presents as an engineering issue.”

He cited a case where an engineer was put on a vessel for 40 hours because the ship kept losing power. “Eventually he figured it was nothing to do with the engines per se – there was some malware on the ship.”

However, he says the maritime culture will not change unless cyber security is embraced from high up in the company.

“Unless the Board understand the business benefits of the cyber security agenda, no money will be spent and no change in culture is going to happen.”

Last year, cybercrime cost the UK alone an estimated £55 billion – almost half the National Health Service budget. The Maersk NotPetya incident in 2017 is thought to have cost more than the $300 million reported by the company.

Has Templar Executives seen cyber security gain traction since the Maersk incident?

“Incidents such as Maersk and even more recently COSCO are making international headlines and people are starting to take serious note. This combined with commercial and regulatory pressures such as the IMO’s requirement for cyber security to be incorporated in the ISM Code safety management on ships by 1st January 2021 means we will inevitably see more traction,” said Mr Fitzmaurice.

“From our company’s perspective and experience of working closely with the National Cyber Security Centre, and other organisations around the world, it is important that the sector recognises the need to help itself and collaborate in the adoption of appropriate cyber security solutions. The best way we can support and make an immediate contribution to this goal is through the establishment of the international Maritime Cyber Centre of Excellence (MCCE). The MCCE incorporates a Maritime Cyber Emergency Response team (MCERT) making it a ‘one-stop-shop’ for cyber security mitigations for the maritime industry.”

The MCERT will use intelligence feeds from the global maritime community, and Templar Executives has partnered with Wärtsilä and the Maritime Port Authority of Singapore on this exciting initiative. Other organisations from across the maritime ecosystem are also being invited to contact the team for an opportunity to join the MCERT Advisory Committee and to become a member. The MCERT will provide advice and support, including real time assistance, to members on cyber-attacks and incidents. There will also be a portal to allow anonymous reporting through a secure app.

Mr Fitzmaurice explained: “If you happen to be at sea and your engine fails and you suspect it might be a cyber-attack, you can literally contact us through the app and we can offer triage through secure communications.”

The number of cyber-attacks being reported is very small, he said, because currently “there is no reason or pressure to report it and, as a ship owner, why would you when adverse cyber-related incidents tend to have a significant negative impact on reputation and share value”.

“This is one of the biggest barriers to vital industry collaboration – inevitably people only self-declare when it’s obvious that an organisation has a problem, or when it affects the eco-system and safety at sea,” he said.

Commenting on the MCERT, he said: “This is a cost-effective insurance policy. You join and then you can get some expert help quickly.”

He believes once organisations get used to reporting incidents it will become a virtuous circle and people will realise the benefit and wish to contribute.

He also believes there will come a day when a vessel is classed as unseaworthy because it has not taken the necessary steps to be cyber secure. “Big Oil vetting and some ports are already looking towards that.”

As with Applied Risk, he said legacy OT was proving to be a major headache for many vessels.

“If you go into older ships, you will find unprotected USB ports everywhere that can be used to launch an attack either deliberately or by accident,” he said.

IMO member states are encouraged to ensure that cyber risks are addressed in Safety Management Systems no later than the first annual verification after 1st January 2021 when the company’s Document of Compliance will have to include a chapter on cyber security.

Does Mr Fitzmaurice believe there will be a mad rush to secure vessels as we head towards 2021?

“We really think 2019 will be the year,” he said. “The Regulator needs to do something to prove it’s not just lip service. It will be interesting to see in the maritime sector how much effort from the Regulator is put in place by 2021.”

With piracy, it has been widely acknowledged that the situation has improved, particularly in the Gulf of Aden off the coast of Somalia, following a range of measures including the Best Management Practices (BMP4), EU NAVFOR (the European Union Naval Force) and the placing of armed guards on vessels sailing in the high risk areas.

Can Mr Fitzmaurice see the shipping industry getting on top of the cyber threat?

“Yes, but it will take effort. The genie is out of the bottle and it’s never going away for any sector; because of our inter-connectivity we are now also dealing with collateral damage – NotPetya and Maersk showed that you don’t have to be the target to be a victim,” he said. “You can reduce your day-to-day running risk, and that is feasible, but in terms of the sophistication, while people are still able to make money from cyber-attacks or cause disruption to other people, then they will do it if they can.”

He also highlighted that technology advancements in the shipping industry were a huge challenge.

“The future of the sector is based on automation and digitalisation and this transformation is happening at pace. Leaders expanding their digital footprint and making technology choices for their organisations will also need to consider the return on investment through the lens of cyber security.”

Applied Risk’s Mr Bouhdada echoed this point saying the rapid evolution of technology and, in particular, the Industrial Internet of Things (IIoT) was transforming critical environments, bringing many benefits such as optimising processes, reduced costs and energy efficiencies.

“Although such advances are to be applauded,” he said, “they bring with them a high element of risk. Security researchers have been warning for many years that the shipping industry is a ‘low-hanging fruit’, due to the fact that high-value goods are transported by ships with legacy systems and poor cybersecurity practices to safeguard from malicious attacks. This is leaving vessels at risk of a wide range of threats from live location tracking, to the loss of critical function such as power and navigation.”

However, Panos Moraitis, CEO of Greek-headquartered maritime and cybersecurity company Aspida, believes the rewards of technology will always outweigh the risk.

“Let’s keep in mind that the latest generations of vessels offer some level of autonomy in different functions, and these autonomous functions will only increase in number and reliance. Hence, a non-connected vessel will soon be non-competitive in the market. The operational benefits based on deeper understanding that Data will bring will be unheard of to date.”

Mr Moraitis believes there will be companies that will try to delay the jump to the new ‘era’ of shipping due to resistance to change or in order to avoid what he says are ‘minimal’ cybersecurity costs, but this is not the optimal way to go.

“All vessels’ systems should be initially designed and configured with cybersecurity in mind. Newbuildings are a great opportunity to design infrastructure correctly from scratch, allowing reduced costs when compared to changing everything later.”

Gideon Lenkey is Technology Director of maritime cyber security solutions provider EPSCO-Ra, which was launched in 2016, operates out of New Jersey and Cyprus, and will soon be opening a security operations centre in Singapore. The company offers managed security services, enterprise penetration testing and remote assessments, and is a partnership between Ra Security Systems, a US-based cyber security company, and EPSCO Group, a Cyprus-based maritime services company.

He said: “There is an overcapacity right now in shipping that has kept the shipping rates down, so until that is resolved there’s not going to be a lot of investment except in areas that do reduce operational costs, and that is where automation comes in. The problem is the risk that this type of automated technology brings isn’t really being addressed. There’s this vague notion that this is kind of an issue but everyone is going round and round and, from what we see, for the most part it just gets pushed down to the IT department.

“This is really the wrong way to do this. This needs to come as a business process, so it needs to start at the top and it needs to go through the entire organisation. That’s not a new idea. That’s just what other industries that have had to seriously deal with this have done, and are doing, such as healthcare, banking and insurance. All these types of organisation have gone through this process of adopting this technology, having increased the risk, and then coming up with business processes to manage it.”

Mr Bouhdada says the challenges of cybersecurity are not unsolvable and that cybersecurity will be a powerful enabler in the world of more automated shipping. However, adopting a risk management approach, in which risk appraisal is used to identify, evaluate and prioritise risks in order to control the probability or impact of an incident, will be key to the maritime sector’s future.

He said the risk management approach should involve frequent testing and hardening of systems, as well as securing devices and networks by closing unused data ports and ensuring full network segregation between OT and IT systems.

Mr Moraitis believes the new IMO guidelines will help create a level playing field and understanding of the risk and will act as good guidance for companies who have not been managing their cyber risk, but says compliance for compliance’s sake will not be enough.

“There are all sorts of dangers and every employee of a company using any part of its infrastructure should attend cybersecurity awareness courses.”

He also warned that the handling of a breach by untrained people could make things worse, or even unwittingly destroy valuable evidence on the origin of the breach that could later be used in forensics. “Hence, we recommend management companies to contact us or their cybersecurity partner of choice and enrol on an Emergency Response subscription.”

Aspida’s ‘Security Stack’ offers a multi-layered cyber hardening approach comprising advisory services, training, managed security, cyber risk management, forensics and an additional layer of physical security addressing all threats in relation to people, technology and procedures.

Does Mr Moraitis believe the industry is doing enough as a whole to mitigate the risk of cyber-attack?

“The shipping industry has been both late, and slow, in acknowledging and addressing cyber risk,” he said. “Many attacks occurred before organisations started having cyber risk in their radars and risk matrices. The Maersk incident happened relatively late in this timeline, when cyber risk was widely recognised and it was a shocking incident, especially when one realises who was compromised and that it was absolutely preventable.”

He added: “Understanding the risk is indeed key. As each organisation is different, there is no ‘silver bullet’ for cybersecurity for the whole industry.”

There was a need, he said, to keep in mind that the needs of each company, its fleets, vessel types and infrastructure are different, and the best approach is to first understand each organisation’s specific needs and identify any potential gaps.

Mr Lenkey said Epsco-Ra went into the maritime cybersecurity market early as it knew it would be a “slow sell”. He believes the company was the first to put any type of UTM (Unified Threat Management) appliance on a vessel, two years ago, adding that it had learned a lot along the way about the technology and infrastructure required. It is now on the second generation of its product, which has already been trialled on vessels.

“Now, we are in round two of that and are starting to look at things at a fleet level rather than a vessel level,” he said.

However, he believes the cybersecurity market is still a year or more away from a wide uptake.

As with Templar Executives, he advocates the use of an anonymous reporting mechanism and this formed part of his address during a cybersecurity event held in Singapore Maritime Week earlier this year.

“Owners and managers look at cyber-attack as a brand damage issue,” he said. “There is financial incentive to hide this stuff.”

Epsco-Ra performs ethical hacking on systems but rather than just using a traditional penetration testing environment, the testing is more designed to look at security at a fleet level.

During one such ‘pen test’, a client company discovered two hacking groups in its systems which had been there for well over two years and had gone unnoticed.

“The testing is really important because it’s an actual pragmatic, objective test of controls,” said Mr Lenkey.

“It’s also important because it not only tests but convinces people of the need to make this a more robust business process.”

How can cybersecurity solution providers such as Epsco-Ra drive home the message to 9,000 ship owners and 500 third party managers who have all got hackers in their systems, and what can be done to stop it?

As stated by Mr Fitzmaurice and Mr Bouhdada, awareness is critical, he says.

“Not everyone becomes aware all at once and, honestly, there are people who, for the rest of their professional careers, will keep their heads in the sand for as long as they can. As long as it doesn’t happen to them – that is their strategy.”

“The rest of the people come onboard one at a time. You can lead a horse to water, but you can’t make it drink!”

Mr Lenkey said the way in which security is tackled is also crucial, as it is not just a case of buying a product.

“Security is about a process, and a part of it is tools that people use in that process to do the job. You have to look at the entire enterprise and you have to design controls and processes that address the risk. Unfortunately, most people select the tools first and then find some people to run them. It’s never going to work because the attackers have a lot of time and a lot of money and are organised in teams.”

Aspida’s Mr Moraitis agreed, saying: “Having proper procedures in place to encourage continuous use of adopted measures is crucial. Doing just a penetration test once a year is not enough.”