Photo courtesy of KVH Industries
At any point in time, there are 50,000 ships sailing the open seas. This gives hackers 50,000 targets that may be running on systems designed in the 1990s. The significantly outdated systems, coupled with the notorious employee turnover in ships’ crews, make the shipping industry an easy target for hackers.
Cyberattacks on Maritime Industry
Just like the computer systems on the majority of ships at sea, the International Maritime Organization (IMO) is behind the times when it comes to cybersecurity. IMO, the United Nations (UN) body charged with regulating maritime space, didn’t release a cybersecurity risk management guide until 2016. The guide, which is broad and not particularly maritime specific, is likely going to see an update sooner rather than later. In the past three months, there have been three major cyberattacks on shipping enterprises. Last Thursday, (September 20, 2018) the Port of Barcelona, which falls under the IMO, suffered a cyberattack as well.
In late June, A.P. Moller-Maersk fell victim to the Petya ransomware attack that spread across Europe and India. The shipping giant, which handles one out of seven containers shipped globally, said Petya affected all business units including container shipping, port and tugboat operations, oil and gas operations, drilling services, and oil tankers. The company’s port operator, APM Terminals, had 17 shipping container terminals hacked by the Petya campaign. In a statement released by CEO Soren Skou, the attack caused a loss of $250 million to $300 million.
A month later, Clarksons, one of the world’s leading providers of integrated shipping services, disclosed they had suffered a cyberattack where a third party had gained access to its systems from May 2017 to November 2017. The hacker accessed Clarksons’ systems in the U.K., copied data, and demanded a ransom for its return. As soon as Clarksons discovered the incident, the company launched an investigation, notified regulators, worked with third-party forensic investigators, and informed law enforcement.
Eight months after the initial cyberattack was discovered, Clarksons released a statement saying the information breached varied by individual, however, they were able to determine the type of information stolen.
“This data may include a date of birth, contact information, criminal conviction information, ethnicity, medical information, religion, login information, signature, tax return, insurance information, informal reference, national insurance number, passport information, social security number, visa/travel information, CV/resume, driver’s license/vehicle identification number, address information and/or information concerning minors,” Clarksons released in a statement. Basically, what they’re saying is any information that’s valuable to an individual may have been compromised.
Within days of Clarksons disclosing their breach, Cosco Shipping Line’s U.S. operations were hit with a cyberattack that compromised the ability of the carrier to communicate with its vessels, customers, vendors, and marine terminals. The initial cyberattack only affected the U.S. office, however, over the next few days, offices in Canada, Panama, Argentina, Brazil, Peru, Chile, and Uruguay experienced problems. While the news about the cyberattack spread and the rumor of a ransomware attack loomed, Cosco never substantiated any claims and only released statements confirming they indeed suffered an attack.
Shipping Industry Targeted
There are several factors that make cybersecurity for the maritime industry challenging to address. Just like cars, there are many different classes of ships that operate in different environments and have different computer systems built into them. As we mentioned before, these computer systems are built to last over 30 years. What this means is that ships run on outdated and unsupported operating systems, which are often the most highly targeted systems by cybercriminals. Think back to the WannaCry ransomware attack. This attack specifically targeted equipment running on outdated Windows software.
Another factor that is particularly dangerous to the shipping industry is the employees. We constantly talk about employees being the weakest link in the cybersecurity chain. For the maritime industry, this factor is much higher due to the high employee turnover and short-notice hiring. Crew members are often using systems they are unfamiliar with, increasing the potential for cybersecurity incidents due to human error. Furthermore, the maintenance of onboard systems such as navigational units is often contracted to a variety of third parties. It’s very possible that a ship’s crew has little understanding of how onboard systems interact with each other.
A third factor to consider is the linkage between onboard and terrestrial systems. Companies need to stay in constant communication with their vessels. Therefore, the cybersecurity of the ship is dependent on the cybersecurity of the land-based infrastructure that makes this possible. The A.P. Moller-Maersk is a prime example. This attack led to cargo delays across their entire fleet, costing them over a quarter of a billion dollars.
Righting the Ship
Based on the recent attacks, it’s obvious that the entire maritime industry needs to address cybersecurity. Just like the automobile industry, we are headed toward autonomous ships. Rolls-Royce, a pioneer in engine manufacturing, recently opened an autonomous maritime research facility in Finland. The company hopes to put autonomous ships in the water by 2025 and envisions fully-autonomous ships carrying cargo across the world by 2035.
Before that happens, cybersecurity needs to be at the forefront of industry concerns. Imagine the damage that could be done or the ransom that could be demanded if a cybercriminal hacked a 400-meter ship.
While the shipping industry is miles behind other sectors in the realm of cybersecurity, the positive side is that hopefully they can learn from the mistakes of others. In addition, the slow and steady approach to the development of cybersecurity regulation for the industry allows regulators to fully understand the risks they face rather than making ill-informed decisions.