The threat of cyber-attacks is still strong in the shipping industry. Just as memories of the 2017 ransomware attack on Maersk had started to fade, another hack took James Fisher's systems offline in late 2019. With seafarers likely to be in the firing line if something goes wrong, it’s time we were clued-up on how to protect ourselves, says Witherbys, which has published a new cyber-security guide
The maritime industry has undergone a digital revolution; ships have transformed from being tiny islands, isolated from the internet, to hubs of digitisation and connectivity. Advances in technology mean that ships' systems – from the most basic of programmable logic controllers to complex bridge systems – are now connected to each other and, because of the affordability of internet-providing VSAT spell out in full first-time systems, to the wider world of ports and onshore offices.
These VSAT systems also provide recreational access to the internet for a ship’s crew, and the use of personal devices onboard to stream entertainment, use social media and communicate with friends and family ashore is the new normal for life at sea. In fact, this is now contained within maritime legislation, with the Maritime Labour Convention (MLC) stating that ships must provide crews with 'reasonable' access to the internet and to email.
This digital boom has brought many benefits to seafarers including faster, more intuitive ship's systems, quicker access to updates and new information, as well as a happier, more connected crew. However, it has also brought a dangerous new reality: the threat of cyber-attacks. Johan Machtelinckx, technical director of Witherby Publishing Group and former chief officer with EXMAR, notes that the shipping industry has become 'low hanging fruit' for hackers, who are becoming increasingly knowledgeable about how the industry operates.
Machtelinckx's statement is supported by the number of prominent cyber attacks on the industry in recent years, including on Maersk in 2017 – a ransomware attack that affected over 45,000 PCs across 4,000 servers and cost the company an estimated $300 million – and the attack in November 2019 on James Fisher and Sons PLC, in which unauthorised access to the company's computer systems resulted in all systems being temporarily taken offline.
Attacks are becoming more common and are increasing in complexity and sophistication. Andy Powell, Maersk's chief information security officer, explains: 'The change in threat is very big. In the past, it was small groups of criminals launching cyber attacks on companies. Now, we are seeing a much more structured and organised threat.'
Criminals are increasingly targeting the control systems onboard ship – known as operational technologies or OTs – to gain access to ships' systems, as opposed to the traditional IT route. These OTs are often overlooked and unprotected, offering an easier route for hackers to penetrate networks.
The motivation of hackers has changed as well. Making direct demands for money was, until very recently, the most common motivator, but now hacks are also being carried out to gain access to sensitive information with a view to selling this on.
According to a 2018 report by Futurenautics, 47% of seafarers questioned said that they had sailed on a ship that had been the target of a cyber-attack, but only 15% had received any form of cyber-security training
Hacking is a tool of other criminal enterprises, too, with drug traffickers and pirates employing hacking techniques to achieve their goals. Drug traffickers may manipulate systems that control the movement and location of containers within ports to smuggle drugs within legitimate cargo – for example, the 2013 attacks on the Port of Antwerp. And the increase in global security measures means that acts of piracy are moving from physical attacks on ships to more insidious uses of social engineering for financial gain, as with Gold Galleon, a criminal organisation that uses social engineering to launch attacks solely on the shipping industry.
The growing threat has been a wake-up call for the maritime industry, and national and international legislation is being rapidly developed and implemented. In June 2017, the International Maritime Organization's (IMO) Maritime Safety Committee (MSC) adopted Resolution MSC.428(98), which encourages administrations to ensure that cyber risks are appropriately addressed in existing safety management systems (as defined in the International Safety Management Code), no later than the first annual verification of a company’s Document of Compliance after 1 January 2021.
Alongside this, some industry groups including InterManager and Intertanko have published a set of guidelines interpreting this resolution and giving advice to shipowners and operators as to how to implement it. The International Association of Classification Societies has also just announced the replacement of its 12 cyber security proposals with a set of recommendations designed to aid ships in being 'cyber-resilient'.
However, there is still much more that must be done. The guidelines and resolutions are designed from a top-down perspective and are clearly aimed at onshore ship owners and operators rather than crew, but it is the crew who are on the front line.
According to a 2018 report by Futurenautics, 47% of seafarers questioned said that they had sailed on a ship that had been the target of a cyber-attack, but only 15% had received any form of cyber security training. Furthermore, an astonishing 80% of seafarers believed that cyber security was the responsibility of a single person onboard (41% of this number believing that person to be the ship’s master). This mindset needs to change quickly to avoid the potential damage that a cyber-attack can cause to a ship, its crew and the environment.
Cyber security is the responsibility of everyone onboard – and the industry needs to move beyond the belief that cyber security is a complicated, esoteric topic. Cyber security risks must be treated the same way as any other threat to safety and security. Cyber security practices can easily be integrated into daily onboard processes and procedures, and should be the priority of everyone onboard.
This is the approach taken by Witherby within the Cyber Security Workbook for On Board Ship Use. Developed in conjunction with BIMCO and ICS, this workbook takes a practical stance to cyber security, focusing on the most important component to a safe ship: the crew.
As well as outlining the importance of training and offering detailed guidance on how to craft specific, tailored training programmes, a holistic and practical approach is taken to all aspects of cyber security onboard.
Checklists turn what can be confusing into simple, step-by-step processes and specific manageable tasks, designed to make cyber security checks routine.
This guide focuses on both IT and OT systems and breaks down complex issues (network segregation, ECDIS security, etc) into manageable and easy to understand tasks. From password protection to the use of personal devices onboard, every aspect of digital life at sea is taken into consideration.
Cyber security will become more and more important as ships become more technologically advanced, and the maritime industry needs to act fast to stay ahead of increasingly sophisticated cyber threats. It is hoped that the Cyber Security Workbook for On Board Ship Use will prove to be a valuable tool for every ship at sea to help them stay protected and to enhance crew awareness and vigilance.