Did the Maersk cyber attack reveal an industry dangerously unprepared?


A recent survey by Futurenautics found that shipping companies are still largely unprotected from potential cyber attacks, even after the recent ransomware attack that left Maersk reeling. Joe Baker examines the current state of preparedness for protecting vessels from cyber threats and finds out what's being done both from a technological and regulatory point of view.

In recent years, shipping companies have become increasingly reliant on interconnectivity between IT systems and operational technology (OT) to automate operations on ships. However, the higher number of systems connected to the internet has boosted the risk of cyber attacks, the effects of which can be devastating.

In June, Danish container firm Maersk was one of many businesses stymied by the 'Petya' ransomware attack. The company's container shipping, tug boat and oil tanker operations were crippled by computer outages, which reportedly slashed the company's profits by up to $300m.

With disasters of this magnitude hitting the headlines, shipping companies are becoming increasingly worried about the lack of effective security on vessels. A 2017 study by Futurenautics has shown that 44% of ship operators believe their company's current IT defences are not effective at repelling cyber attacks, and that 39% experienced a cyber attack in the last 12 months.

"The connected ship is becoming more of a normality and the use of IT and more importantly OT on ships is starting to take a hold," says Peter Broadhurst, senior vice-president of safety and security at Inmarsat Maritime. "What we've not been very good at is securing those services up and effectively treating cyber security as a bolt-on to what we've got, as opposed to designing it in."

Vulnerable vessels

According to Broadhurst, many vessels use digital systems that do the job but haven't been built with security in mind, and which are often too old to be kept up to date with the latest antivirus technology.

"The mindset of maritime is that you build a ship and it lasts fifteen or twenty years, and so you don't need to upgrade it, when actually from an IT perspective that's not the way it works," he says. "We've got to get around that mindset so that when you purchase IT and OT you purchase the right thing with security in mind from day one."

Another issue is that existing cyber security standards assume that support is provided by a substantial IT team, but ship crews often lack dedicated expertise in this area. In October, a survey by satellite communications provider NSSLGLobal reported that 84% of respondents had little to no training in cyber security.

"The crew are not necessarily aware of the problems they're introducing, or how to mitigate them, and they're not trained in best practices," says Broadhurst.

Building defences

Part of the issue could be solved by the development of specialised cyber security solutions for ships that minimise costs and hassle for operators.

As part of its Fleet Express broadband service, Inmarsat has launched Fleet Secure, the maritime industry's first fully-managed service for identifying vulnerabilities in on-board technology and protecting ships from widespread cyber attacks.

The Fleet Secure software detects external attacks through high-speed satellite broadband connectivity, while also protecting vessels from malware introduced through crew devices connected to on-board local area networks.

"The majority of the issues are generated on-board the vessel," says Broadhurst. "It is the crew member putting the USB stick in, going to the wrong site or clicking on the link in a fishy email."

According to Broadhurst, other cyber security offerings don't provide vessels with an on-board unified threat management system like Fleet Secure. A management team ensures the software is updated and connected to a security centre outside the customer's bandwidth, preventing disruption to day-to-day ship operations.

"A lot of the time, people buy these services and then they switch the updates off because they're worried that it's going to cost them a fortune in airtime. [With Fleet Secure] they don't have to worry about that," says Broadhurst.

Keeping crews informed

The provision of monitored services with frequent updates could help defend ships from malware. However, training staff to be more aware of the problem and getting ship operators to ensure best practices are adhered to will also be crucial.

In October, the Liberian Registry launched a computer-based training programme that will enable ship crews to learn more about network security, identity theft, risk management, and other common threats to maritime security.

Political and maritime organisations have also introduced new documentation to help inform and provide guidance to shipping companies. This year, the UK Government released a comprehensive code of cyber security practices for ships, while the International Maritime Organization (IMO) issued a set of guidelines it claims will help "safeguard shipping from current and emerging cyber threats and vulnerabilities."

"I think the largest impact will come from awareness and through training," says Broadhurst. "Once people don't click on the embedded links, look out for emails which obviously don't come from their boss, are very aware of social media, and protect their password, those kinds of standard best practices will make a significant difference."

"Then you should look at the risk assessment of your own vessel and what kind of IT and OT that you are going to connect [to], and what the vulnerabilities are."

Regulating cyber security

Nevertheless, actual regulations for cyber security will be key to ensuring that ship operators upgrade their vessels. As Broadhurst explains, it's not 'if' these regulations will be implemented but 'when'.

"Each country in the world is starting to adapt a cyber position. GDPR [General Data Protection Regulation] for Europe is going to come in in May of next year, and the Americans are going to put their policies in place," he says. "In Asia, a number of countries are talking about their own cyber security. So we're going to have ships that have to abide by certain cyber regulations as it goes from port to port."

The IMO has indeed adopted a resolution telling shipowners and managers they need to incorporate cyber risk management into their ship safety plans by 2021, or face having their vessel impounded.

In the meantime, the International Association of Classification Societies has formed a new Joint Working Group (JWG) to develop a coordinated response to cybercrime amongst industry stakeholders.

As a founding member of the JWG, Inmarsat has been tasked with developing standardised industry practices tailored to the maritime sector. The company enlisted Paul Dorey, chairman of the Internet of Things Security Foundation, to help provide insights on the biggest cyber threats.

"We have retained the services of Professor Paul Dorey to try and bring the class societies and the industry together to create the right guidelines, look at the right risk approach that you need to take, and create that set of principles that will move onto a set of standards," he says. "If the industry wants to regulate it, we need to get to that level of standard first."

Shipping might currently be behind other industries with regards to cyber security, but recent developments have shown that companies are thinking about ways to specialise security systems for maritime, and that a path is being built to regulation.

Broadhurst claims the industry simply needs to approach it in the same way it treats health and safety, which has already become deeply entrenched in the maritime mindset.

"This is just another risk that people have to recognise and understand, and then this industry will be in no worse position than anything else and we can get on with our day-to-day business," he says.

Read more: https://www.ship-technology.com/features/maersk-cyber-attack-reveal-industry-dangerously-unprepared/