Cybersecurity At Sea

The maritime cybersecurity landscape is a confusing place. On the one hand, you have commercial providers suggesting the risks of everything from a hostile attack on ship’s systems.  This allows the vessel to be remotely controlled by pirates and direct it to a port of their choice, or causing a catastrophic navigation errors, a phishing attack or ransomware on the Master’s PC.  

While on the other, you have sensible people who point out that this notion is nonsense due to the number of fail safes and manual overrides and controls in place.  

Then there are calmer voices still, who point out that the most likely threat is actually to the servers inside your head office, or a man in the middle attack on your company’s bank accounts. 

Recognising the threats
So what are the real, documented, current threats to the shipping industry from cyber criminals? Much has been made of the threat to vessels on the water from hackers. However, there is only limited available credible evidence to support claims of hacks at sea. Rather, the real threats on the water come from a lack of crew training and awareness and a culture which turns a blind eye to crew using their own devices at work. 

Bring Your Own Device, or BYOD are being plugged into ship systems to charge them, thereby possibly releasing a malware they may have been inadvertently carrying onto the vessel. 

Maritime cyber security survey results
In 2017, IHS Fairplay conducted a maritime cyber security survey, to which 284 people responded. 34 percent of them said that their company had experienced a cyber-attack in the previous 12 months. Of those attacks, the majority were ransomware and phishing incidents; exactly the same sort of incidents affecting companies everywhere, and not at all specific to the maritime world. 

The good news is that only 30 percent of those responding to the survey had no appointed information security manager or department, meaning that the majority of companies have a resource able to respond and mitigate any attack. However, the survey did reveal that there are still a lot of employees who have not received cyber awareness training of any kind, which means the shipping industry must try harder, for its own security. 

Additionally, only 66 percent of those questioned said that their company had an IT security policy, which is a serious cause for concern; IT security cannot be approached on an ad hoc, incident by incident basis. It’s the security equivalent of plugging holes in a hull with cardboard. 

To underline that, 47 percent of those questioned believed that their organization’s biggest cyber vulnerability was the staff. Hardly a glowing endorsement but, if you don’t train your staff to be aware of threats, it’s not surprising. 
Mitigating the risk – train your staff

Imagine you’re in charge of a company. You trust your staff to do everything. Except, it seems, ensure your bank accounts aren’t handed over to cyber criminals or that your network is exposed to ransomware or malicious attack. It would seem to be a rather curious way to run a company. 

The key to mitigating cyber-crime is training. Yes, you can put posters up; send company memoranda out; promote industry guidelines. But how many of your staff take those in? A robust workplace IT security policy is the first step, but that can only work when also supported by a training course where employees can see the risks through demonstrations, simulations and good teaching. 

There are very simple changes that any company can make to ensure better security in the workplace. From enforcing a zero tolerance on BYOD, which is often disliked by the crew, to separating crew and administrative or operational networks, blanking unused USB ports and requiring monitors be turned away from public view to prevent “shoulder surfing” and a rule that all computers go into secure sleep mode when left unattended.  

For staff dealing with accounts, additional rules may be required to ensure the risks of phishing and social engineering (whale attack) are reduced. You don’t think your company is at risk? In November 2016, Europe’s largest manufacturer or wires and electrical cables, Leoni AG, lost £34 million in a whale attack, when cyber criminals tricked finance staff into transferring money to the wrong bank account. £34 million. Lost… That should be read out to every board of directors. And similar attacks take place every week. 

In the last six months, the shipping industry has seen several incidents in the sector, ranging from a data breach at Clarksons through to the damage done to Maersk by the WannaCry NotPetya variant sabotage/ransomware incident, which the company believes cost it as much as $300 million. 

These are some of the reasons for the creation of the Maritime Cyber Alliance, a project created by CSO Alliance in partnership with Airbus Defence & Space. The aim is simple: connect maritime and oil and gas chief information security officers via a secure, private platform, allow verified cyber intrusions to be reported anonymously and provide members with threat alerts and tools to analyse malware and prevent attacks as well as offering workshops to promote best practice in the industry and listen to concerns. 

February saw the Alliance participate in four workshops across the U.K., in Aberdeen for the offshore industry; Edinburgh for the ports community and Glasgow for ship management. 

The Alliance is already gathering detailed cyber-crime incident reports from industry. We’ve seen an examples from ship-owners who lost two days’ hire due to malware contamination via a USB stick, invoice fraud in the port, superyacht and ship broker sectors. The latter saw a ship broker’s systems compromised by criminals who altered payment details to steal £500,000. Luckily, in that case, the company’s quick reaction, a court order and a rapid forensic investigation ensured they recovered the missing funds. We are starting to see multiple attempts of invoice fraud using privileged information, which means a vendor’s company accounts have been compromised. 

The timely sharing and analysis of information will grow with the increased cyber-crime report data flow via the Cyber Alliance’s crime reporting servers, based in Iceland in order to ensure anonymity. The solution, of course, is to ensure your company requires multiple sign-offs for any payments over a certain amount and pick up the phone to verify and vendor bank account changes. The risk of getting it wrong could bankrupt you. 

There’s clearly a need for industry to take the lead on protection and, hopefully, the Maritime Cyber Alliance will enable that. Further workshops, which are all free to attend, are planned for the coming months.

Regulatory compliance
The next major hurdle facing companies around the globe comes in the shape of the GDPR, which comes in to force in May 2018. It will affect companies in every sector, but the maritime industry in particular, given its global reach. In essence, the GDPR is the first data protection measure to affect the entire world. If your company holds or processes the personal data of EU citizens, people working for EU entities or trading with the EU, then you’re affected and will need to ensure that you’re compliant with the new regulations. Failure to do so will result in huge fines. 

GDPR’s definition of “personal data” is far broader than previous regulations, meaning that any information which can be used to identify an individual, falls under it. 

The new regulation introduces Privacy Impact Assessments (PIAs), which means that companies will be required to conducts PIAs wherever privacy breach risks are high in order to minimise risk to data subjects. Many companies may have to hire data protection officers in order to ensure compliance, while those companies dealing with EU crews will also want to take note of their liabilities in this regard. 

The good news is that GDPR will also bring in common data breach protection notification requirements, so companies will be forced to report any breach of their systems within 72 hours, thus ensuring industry awareness and a better response time to potential vulnerabilities. This, in itself, may require staff training and is yet another aspect of GDPR companies need to be aware of. 

For companies doing business in the EU, which covers a vast swathe of the maritime industry, the NIS Directive covering network and information security also comes in to force in May 2018. In the UK, the government has announced that organisations working in critical services like energy, transport, water and health can be fined up to £17 million as a “last resort” if they fail to demonstrate that their cyber security systems are equipped against attacks. 

The NIS Directive requires organizations to have the right staff in place and the proper software to mitigate cyber-attack and intrusion. Private and public companies in each sector will be evaluated by regulators who will vet everything from infrastructure and issue fines for firms who fail. 

“Network and information systems give critical support to everyday activities, so it is absolutely vital that they are as secure as possible,” said Ciaran Martin, U.K. National Cyber Security Centre CEO, in a statement.

Ultimately, the new regulations will be of benefit to everyone, but ensuring your company meets the right standards will be crucial. The days where maritime cyber security amounted to just making sure you turned the office PC off are long gone.

Today, cybersecurity demands board room level attention as well as vigilance from all employees, be they in head office or out on the water.

Maritime-Executive

You Might Also Read: 

Maritime Cybersecurity: No Substitute for Testing:

Cyber Security On the High Seas:


 

 

« On Twitter Fake News Gets More Traction Than Truth
African Union HQ Building Bugged »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

SABSACourses

SABSACourses

SABSA is a development process used for solving complex problems such as IT Operations, Risk Management, Compliance & Audit functions.

Okta

Okta

Okta is an enterprise-grade identity management service, built from the ground up in the cloud to address the challenges of a cloud-mobile-interconnected world.

BakerHostetler

BakerHostetler

BakerHostetler is one of the largest law firms in the USA We have five core practice groups including a specialty practice team in Privacy and Data Protection.

FireMon

FireMon

FireMon is the only agile network security policy platform for firewalls and cloud security groups providing the fastest way to streamline network security policy management.

Inspired eLearning

Inspired eLearning

Inspired eLearning provide turn-key Security Awareness and Compliance training programs.

Egis Technology

Egis Technology

Egis specializes in the IC design, research and development, and the testing and sales of capacitive fingerprint sensor.

SureVine

SureVine

Surevine builds secure, scalable collaboration solutions for the most security conscious organisations, enabling collaboration on their most sensitive information.

Carson McDowell

Carson McDowell

Carson McDowell are one of Northern Ireland's leading law firms. We are the law firm of choice for many of Northern Ireland's Top 100 companies as well as international companies doing business here.

Mindmajix Technologies

Mindmajix Technologies

Mindmajix is a live and interactive e-learning platform that offers professional online IT training in areas including cyber security.

Audea

Audea

Audea is a consultancy firm specialising in cybersecurity, risk and compliance. We provide professional services addressing all areas of Cybersecurity and GRC.

Dr Web

Dr Web

Since 1992 the Russian anti-virus Dr.Web has been helping companies to keep their digital assets protected and operate in a secure digital environment.

RedLegg

RedLegg

RedLegg is a master provider of information security services, a boutique, nimble, old-fashioned customer service company that enjoys the technology battlefield.

Etisalat

Etisalat

Etisalat Group is one of the world’s leading telecom groups in emerging markets.

Celcom

Celcom

Celcom is the oldest mobile telecommunications provider in Malaysia, providing solutions and services to consumers and businesses.

Data Pie Cybersecurity

Data Pie Cybersecurity

The Data Pie Cybersecurity Consulting offers a 360° around protection for your IT security. Security awareness solutions and consulting.

VulnCheck

VulnCheck

VulnCheck helps organizations outpace adversaries with vulnerability intelligence that predicts avenues of attack with speed and accuracy.