Two global, yet in many ways fairly minor, malware computer attacks in as many months are finally getting the message across: cyber security is serious.
The NotPetya attack in late June was derived from the same code as the previous month’s WannaCry ransomware attack, but was at first thought not to be as virulent. However, it soon became clear this was not ransomware, but malicious software — malware — designed to damage computer networks rather than extort funds.
AP Moller-Maersk, a highly interconnected business, was one of the first global groups to be taken down. It was unable to process new orders, and the disruption led to it halting its ships and closing its 76 terminals around the world. Two weeks later, it was still struggling to access its customer contract database. Costs mounted to $200m-$300m by Maersk’s own estimation.
NotPetya is believed to have been the work of a state testing its capabilities to disrupt or disable political enemies, according to Brian Lord, a former deputy director of intelligence and cyber operations at Britain’s spy headquarters, GCHQ, who is now managing director at private security firm PGI Cyber.
But the attack, suspected to be by Russia on Ukraine and delivered via an accounting software download, infected several global businesses. Among those that could count themselves as “collateral damage” were not only Maersk but Russian oil group Rosneft.
The “big one” has still not happened, but Ollie Whitehouse, chief technology officer for cyber security at IT firm NCC Group, believes NotPetya represents a turning point.
Shareholders and directors will ask hard questions if companies succumb to known exploitable weaknesses in future. “If they [management] don’t come up with credible answers, people will be held to account,” Whitehouse told the BBC.
Combating cyber threats is a major logistical exercise for global groups like Maersk that have to roll out patches to hundreds of computers using different legacy systems in myriad locations, after first ensuring one system solution does not knock out another program, says Max Everett, managing director at US cyber security experts Fortalice Solutions.
Whitehouse believes businesses need to co-operate to defend themselves. His advice will be music to the ears of Mark Sutcliffe, founder of the CSO Alliance, an online community of shipping company security officers.
The alliance aims to counter a culture of under-reporting crime in the maritime world by setting up a website, run by Airbus, that will allow anonymous reporting of shipping’s cyber-security incidents.
“It’s about getting people to take responsibility for their own safety and security. We are trying to give people tools so they have a place to go to report a crime and collect evidence that allows us to get a legal closure,” says Sutcliffe.
The portal will provide members with curated information, news, best practice and advice on handling cyber incidents. A confidential forum will allow them to exchange experiences and share advice. “At the heart of the existing CSO site [company security officers] wanted geo-located, verified crime reports and a chat room,” Sutcliffe says.
Maritime crime statistics probably do not include 30%-50% of physical attacks but do show that criminals in 63 countries have attacked 1,636 ships with a 60% success rate.
“If we do not get together now, the criminals will keep on stealing until we aggregate all the information,” Sutcliffe warns. “And if we ask people to report crime, we have got to give them something back.”
Sharing information helps captains and crews deal with physical issues, such as which berths at which ports are most at risk of boarding, and how to stay cyber safe as shipping becomes more dependent on connected technologies.
Action on cyber is being taken on several fronts across the industry, leading to some confusion but also attempts to pull efforts together. Voluntary codes and guidelines are being integrated at the levels of the International Maritime Organization (IMO) and International Association of Classification Societies (IACS), among others.
Cyber security will become part of the International Safety Management (ISM) code from 2021, the IMO has agreed. It will encourage flag and port states to address cyber risks “no later than the first annual verification of the company’s document of compliance after 1 January 2021”.
Bizarrely, however, the IMO guidelines will only be recommended, even though, as many people argue, cyber threats should already be taken into account as part of the ISM code’s mandatory requirement that all identified risks be addressed. And despite the deadline, flag and port state administrations will be left to decide exactly how they manage the risk.
The ISM guidelines focus mainly on vessel systems, which has led to criticism that they do not directly address shipping companies’ wider integrated computer networks linked to ports and other internal business functions — the very weakness that hit Maersk so badly.
However, the guidelines stress the need for cyber risks to be addressed by senior management in a top-down way that encompasses companies’ entire approach to business systems. They also largely mirror advice generated by government organisations such as the US National Institute of Standards & Technology, and focus on response and recovery plans to restore operations after an attack.
Shipping cyber security expert Max Bobys at US company HudsonAnalytix agrees that defending against vulnerability needs to start at the top. Recovery plans are key.
“The onus is on the chief executive to think about cyber risk with a balance sheet perspective. It is not about IT, but human behaviour that can be exploited. Training and back-up systems to manage recovery need to be sustained,” says Bobys. That way, losses can be minimised.
Initial partners in the CSO Alliance cyber security project are shipowners organisation Bimco, North P&I Club, the Marshall Islands register and classification society DNV GL. Founder Mark Sutcliffe has been talking to a second tier of important class societies, flags and P&I clubs. The site uses police methodology for “neighbourhood watch” campaigns, and membership licences are as low as $320 per year. Sutcliffe says of one presentation: “Maersk asked, tell us something they didn’t know about containerships and maritime crime.” Well, now it knows.
There is a danger that, as a regulated environment, the shipping industry takes a checklist approach, but he says: “It is no good waiting until 2021 for IMO.”
Bobys likens cyber security to exercising to stay healthy: so that when you get ill, you recover more quickly. “Cyber security is not a question of preventing something from ever happening. You have to assume it will happen. It is about risk management in a sustained, manageable way, and how you respond.”
Maersk chief executive Soren Skou now agrees. He told the Financial Times last month that he has learnt there is no way to prevent an attack, but the container giant will approach its annual risk management exercises in a different spirit.
This month, Inmarsat is launching cyber threat management software to provide firewall, anti-virus, intrusion-prevention and web-filtering services for its Fleet Xpress broadband satellite communication and data-sharing system.
Built by Singtel’s US-based cyber-security arm Trustwave, the system aims to prevent malware that does enter a ship — possibly due to crew plugging an infected device into bridge equipment — from getting off the vessel and into the landside computer network.
However, experts warn that relying on satellite communication providers for cyber security may work for the vessel but does not address the issue for landside systems.
US Coast Guard rear admiral Paul Thomas also stresses that thinking about cyber as simply an IT systems issue misses the point.
“Cyber is an operational issue,” he says. “It touches on every aspect of how we design, construct, operate and maintain ships and port facilities, and how we train and equip the people who operate them.” Security is not just about hacking, Thomas adds, but the unintentional introduction of malware by employees, customers or contractors.
Much comes down to training landside staff and crew about not making basic mistakes.
After a career in the British Army and combating Somali pirates, Jordan Wylie set up the Be Cyber Aware at Sea campaign, which spreads guidance as widely as it can. Wylie says research has shown that only 4% of cyber attacks on shipping companies hit the functionality of shipborne systems, but 67% affected IT system functionality and 21% caused financial loss — mainly from paying bogus invoices without sufficient oversight to see they have been copied from a company’s own computer system to look authentic.
IACS is undertaking a project to collate a single specific set of cyber security guidelines for shipping to replace the proliferation currently available (there are at least a dozen versions from as many industry organisations). It should be available in the near future.
Lloyd’s of London insurance market estimates a major global cyber attack could lead to losses from disruption of anywhere between $15bn and $121bn. The wide-ranging amounts are due to the fact that “insurers do not have any meaningful claims data to draw on to model catastrophe cyber losses and price products”, according to Ian Birdsey, cyber security and insurance expert at law firm Pinsent Masons, who says companies’ reputational and remediation costs are often underestimated. Lloyd’s says the vast majority of economic losses are not currently covered by insurance.
The IACS group, led by George Reilly of ABS, drew up a dozen principles covering the life cycle of a ship, from planning to building and operation, from which to develop a set of affordable standards.
The group includes the International Union of Marine Insurance, reflecting insurers’ desire to understand and assess risks better — a prerequisite for being able to provide cover for cyber disruption. Until now it has often been excluded from policies.
However, Bobys speculates: “Most shipping companies are already compromised at some level, but do not realise it.” Criminals drain off amounts of money just below limits requiring oversight: “Like a mosquito, they get a steady flow of blood without killing their host.”
Danish cyber security firm CyberKeel says it has investigated a medium-sized shipping company where the e-mail system was hacked into and a virus planted to monitor its communications.
CyberKeel co-founder Lars Jensen says the virus changed bank account numbers in e-mails from its fuel suppliers asking for payment, and “several million dollars” were siphoned off to the hackers before the company realised what was happening.
And Bobys adds that shipping executives are at greatest risk. Criminals profile high-wealth individuals from social media, and often attack them through their weakest links, which can be their families.
Shipping execs are extremely mobile people, travelling with a lot of vulnerable gadgets, such as laptops and mobile phones, and they are likely to have demanded privileges to avoid onerous log-in protocols, Bobys says.
You have been warned.