Cyber attacks in shipping go largely unreported, but the growing threat they pose should be keeping maritime businesses on their toes, with prevention much better than cure.
Shipping is arguably the most international industry in the world. It prides itself on its ability to keep over 90% of global trade moving efficiently and safely, around the world and around the clock. Increasingly, it relies on sophisticated technology and information systems to ensure that ships and cargoes are where they should be, when they should be. Ironically, however, there is increasing evidence to suggest that this technology is being used against shipping, and that information systems are being compromised through breaches of cyber security.
Shipping is not the first industry one thinks of as being vulnerable to threats from cyber crime. This is partly because awareness of the threat to cyber security is lower in the shipping industry than in most others. Moreover, a high percentage of cyber attacks in the shipping sector go largely unreported, and there is a general misconception that security breaches of this nature only ever happen to ‘other people’.
For evidence of the threat posed to shipping by cyber crime one need look no further than the recruitment by drug-traffickers of hackers to breach the IT systems at the Belgian port of Antwerp over a two-year period beginning in June 2011. Using information provided by the hackers, it was possible for criminals to control the movement and location of containers as part of an operation to illegally traffic heroin, cocaine and other drugs.
It is not just ports which are at risk, either. A recent Reuters report described the shipping industry as “the next hacker’s playground”, referring to the opportunities for exploitation presented by internationally trading vessels such as large oil tankers and container ships. The report also noted the risk inherent in the offshore maritime sector, referencing a study by insurance broker Willis which estimated that cyber attacks against oil and gas infrastructure alone could be costing energy companies almost $2bn a year by 2018.
Keep it real
Underestimating the extent of the threat is itself one of the biggest threats that shipping faces from cyber crime. Dedicated in-house information and communication systems can be hacked into by unscrupulous individuals. So, too, can personal IT equipment, laptops and mobile phones.
On another level, there is concern about the apparent ease with which the standard navigation systems currently in use in the shipping industry, including GPS and ECDIS, as well as AIS, can be compromised. Indeed, researchers from one US university recently demonstrated that it was possible to direct a ship to a dummy port by fabricating a GPS signal which confused the onboard navigation system.
Prevention is better than cure when it comes to dealing with the threat of cyber crime. There are some basic steps which can be implemented to ensure that sufficient procedures are in place to react to cyber attacks, ranging from technical, business and organisational initiatives to frequently testing the ability of the systems to detect intrusions and withstand an attack.
CESG, the information security arm of the UK’s Government Communications Headquarters (GCHQ), has issued a list of ten recommendations to help businesses reduce their cyber risk. In its 10 Steps to Cyber Security, CESG notes that basic information risk management can stop up to 80% of the cyber attacks seen today, allowing companies to concentrate on managing the impact of the other 20%. It recommends that companies take steps, ranging from the basic to the advanced, to review the following key areas and to invest in them where necessary:
(1) Home and mobile working: Develop a mobile working policy and train staff to adhere to it. Apply a secure baseline build to all devices. Protect data both in transit and at rest.
(2) User education and awareness: Produce user security policies covering acceptable and secured use of the organisation’s systems. Establish a staff training programme. Maintain user awareness of cyber risks.
(3) Incident management: Establish an incident response and disaster recovery capability. Produce and test incident management plans. Provide specialist training to the incident management team. Report criminal incidents to law enforcement.
(4) Information risk management regime: Establish an effective governance structure and determine your risk appetite, in the same way you would for any other risk. Maintain the board’s engagement with cyber risk. Produce supporting information on risk management policies.
(5) Managing user privileges: Establish account management processes and limit the number of privileged accounts. Limit user privileges and monitor user activity. Control access to activity and audit logs.
(6) Removable media controls: Produce a policy to control all access to removable media. Limit media types and use. Scan all media for malware before importing onto corporate systems.
(7) Monitoring: Establish a monitoring strategy and produce supporting policies. Continuously monitor all IT systems and networks. Analyse logs for unusual activity that could indicate an attack.
(8) Secure configuration: Apply security policies and ensure that the secure configuration of all IT systems is maintained. Create a system inventory and define a baseline build for all IT devices.
(9) Malware protection: Produce relevant policy and establish anti-malware defences that are applicable and relevant to all business areas. Scan for malware across the organisation.
(10) Network security: Protect your networks against external and internal attack. Manage the network perimeter. Filter out unauthorised access and malicious content. Monitor and test security controls.
It is generally accepted that, every day, thousands of IT systems are compromised, most commonly with the intent to steal money or to access privileged commercial information. The technical ingenuity used to mount cyber attacks is growing exponentially, and the cyber security governance regimes in a large majority of companies in the shipping industry are inadequate to deal with this.
The responsibility for managing a company’s cyber risks begins and ends at board level. No amount of controls can be guaranteed to prevent all cyber attacks, but proper guidance from board level, and consistent observance of the ten steps to cyber security, will result in a comprehensive information risk management framework which will significantly hinder the vast majority of attackers.
Paul White is governance, risk and internal audit manager at Moore Stephens in London. He has a number of years’ experience of delivering IT audits within the public, private and not-for-profit sectors. Paul can be contacted on firstname.lastname@example.org or +44 (0)20 7334 9191.