High tech has reached the high seas, and there are no safe harbors. That point was made very clear in a recent webinar hosted by the National/International Maritime Law Enforcement Academy and presented by RiskSense, a New Mexico-based cybersecurity practitioner.
Whether in port or in transit, "ships of today are evolving," said moderator Mark R. DuPont, Executive Director of the National/International Maritime Law Enforcement Academy, during the event: No Safe Harbors: Charting a Smarter Course in Maritime With Cyber Risk Management.
Everything is connected, including GPS, trucks, cranes and the ship itself. New ships, both cargo and passenger, are being developed with even more features. One benefit is optimization of routes. With Internet of Things (IoT), a ship’s position can be tracked live, and location information can be sent to other ships on the same network, allowing the captain to change route if necessary.
Also, status and temperature of cargo containers can be tracked. Refrigerated containers can be monitored for temperature fluctuations, so corrections can be made quickly. Finally, ship’s equipment, including engines, can be monitored and repaired at the first sign of trouble.
There are roughly 41 billion devices connected, DuPont said, with no slowdown in sight. Global research firm Statista predicts 75.44 billion by 2025.
How the 'bad guys' take advantage of connected systems
All of this comes together in "touch points" — places where a company’s business and people intersect with internet technology. These touch points radiate out via devices, application groups, service sectors and locations, affecting every portion of a business, including supply chain, headquarters, ports, terminals and ships. And, DuPont adds, those touch points are also entry points for the "bad guys."
The webinar quoted Stephen Simms, a maritime lawyer, who said specific tagging of maritime shipping "happens because there are people who understand the way payments work and data is used in the maritime industry, and they manipulate it to commit cybercrime."
It happened to Maersk in 2017 when a cyberattack was among the biggest-ever disruptions to hit global shipping. The malware surfaced in Ukraine after being spread by a malicious update to MeDoc, the country's most popular accounting software. Maersk picked up an infection that hooked into its global network and shut down the shipping company, forcing it to halt operations at 76 port terminals around the world.
The attack, DuPont told webinar listeners, had a $350 million impact, and 40,000 devices had to be updated.
There are people who understand the way payments work and data is used in the maritime industry, and they manipulate it to commit cyber crime.
Another example: In 2011, the The Iranian supply line IRISL suffered a highly disruptive cyberattack which damaged data, caused huge financial losses and resulted in large amounts of lost cargo. Its servers were compromised, logistics systems crashed, and the entire fleet of 172 vessels and shore-based systems were compromised. False information was entered into the system compromising manifests, falsifying rates, altering delivery dates and corrupting client-vendor data. It caused a major business interruption.
The examples and evidence of cybercrime’s damage go on. The Port of Antwerp was, almost unbelievably, attacked from 2011 to 2013 in a convergence of physical and cyber threat. A Netherlands-based drug ring hired hackers to manipulate systems in the major Belgian port to arrange pickups of drugs they had hidden in certain containers of legitimate products. The hackers obtained access directing spear phishing and malware attacks at port authority workers and shipping companies, then changed the location and delivery times of containers that had the drugs in them. Then, the smugglers sent their own drivers to pick up the drug-loaded containers.
There’s no 'patch-me-now' button
Today’s ships are more IT-based than ever before. And the vulnerabilities are plentiful, according to Hudson Analytix, a New Jersey-based global business risk solutions company. They include, but are not limited to:
- Supervisory Control & Data Acquisition (SCADA) equipment and Industrial Control Systems (ICS) for loading/unloading of cargo
- Engine governor and power management systems
- Navigational systems
- Business software applications
- Security systems
- Communications systems
- Operating systems
- Safety systems
- Dynamic positioning systems
- Crew, employees and contractors
All offer vulnerabilities that must be acknowledged and monitored. And, RiskSense Atlanta Regional Manager Alan Rudd said during the webinar, "There’s no patch-me-now button."
RiskSense has set up a security model to help clients assess, aggregate and analyze cybersecurity risk. It starts with examining your assets, Rudd said. "What is an asset? Is it critical to my business? Does it have vulnerabilities? Is it being targeted? It’s important to understand how data moves around your network. If you have an office printer, why is it talking to Bulgaria?"
The model rates a client’s cybersecurity — anything that connects is considered — on the same scale as credit scores, ranging from 300 to 850. Clients receive an overall score, as well as scores for their own suppliers and customers, host scores and web app scores. Systems are reviewed with pre-defined filters for criticality, vulnerability and potential threats. "Has someone figured out how to attack that vulnerability?" Rudd asked listeners. "A medium-sized organization with 1,000 employees can have 40,000 vulnerabilities."
Where are the pirates?
It’s time to understand that most pirates are no longer just sailing the seas looking for vessels to board and rob. They’re also sitting at computers thousands of miles away. Yes, even piracy has gone high-tech, and they’re looking for vulnerabilities.
They hack into merchandise details including bills of lading, see which vessels are scheduled to carry it. Then they board the vessel, take the crew hostage and locate what they’re looking for via bar code. They steal what they want and leave.
It’s important to understand how data moves around your network. If you have an office printer, why is it talking to Bulgaria?
Atlanta Regional Manager, RiskSense
In one case discussed in the webinar, an investigation showed that one unnamed shipping company was using a homegrown content management system (CMS) that pirates hacked into. The pirates uploaded a web shell onto the web accessible CMS, allowing them to directly call it, allowing them to upload and download data, as well as entering various commands. They identified what they wanted and the vessels carrying it.
In the end, the company was able to shut down its compromised servers, block the pirates’ IP address and reset all passwords, as well as rebuilding and updating its CMS and installing firewalls.
It was a hard, very expensive lesson. And, Rudd told the webinar’s listeners, "It’s a journey that never ends."