Companies in the shipping industry are some of the most at risk of being hacked and defrauded by cybercriminals and should address the problem seriously, according to a cybersecurity expert speaking at the TPM Asia 2017 conference in Shenzhen.
“Cybersecurity is often talked about as very technical and about IT,” said Benjamin Wootliff, partner and head of the cybersecurity practice at Control Risks, an international business risk consultancy. “It’s not. It’s about states; it’s about criminals; and it’s about activists, who are looking to attack assets of some sort. They’re looking to attack information, systems and processes. Why? They’re looking to breach confidentiality; compromise availability, or change integrity.”
One major trend that has been happening, according to Wootliff, is a growth in the number of disruptive operations. Whether politically or criminally motivated, attacks have been getting more sophisticated, imaginative and successful.
“It’s become increasingly easy for people to get hold of the tools to conduct these disruptive operations,” he said. “The Maersk attack was a classic example of this. It was probably done on behalf of a nation state which was testing out something. It’s not difficult to disrupt somebody’s operations now.”
Wootliff has also personally worked on cases of CEO fraud, where companies have defrauded of as much as US$50 billion because of emails purporting to be a top-secret instructions to transfer money.
“Obviously most cases are somewhere in the middle, at about US$100,000-200,000,” he said. “This is commonplace, and actually, companies in the maritime sector have been complete suckers for this. I have to say that they have been the most vulnerable to it.”
Despite its importance, the shipping industry hasn’t yet accounted for a large proportion of the world’s attacks, in comparison with sectors such as health finance and healthcare technology. But Wootliff said that this will change because of the increase in technology and the push for digitization.
“That’s great for improving efficiency of the sector, but what it also does is make it a much bigger target for cyberattacks,” he said. “If you are a connected entity, you are a vulnerable entity. You cannot have one without the other.”
Another reason is that criminals look for the easiest targets and, in Wootliff’s eyes, the shipping sector is a “low-hanging fruit.”
“They look for the slow, the weak and the stupid,” he said. “And I have to say that the maritime sector falls into that category. It is the weakest member of the business pack. So I think we’re going to see increasing targeting on the maritime sector.”
The most high-profile instance occurred in June 2017, when A.P. Moller-Maersk was among a group of large companies around the world to be hit with the NotPetya ransomware. The attack caused disruption across all of Maersk’s business units including shipping, terminal and forwarding operations. CEO Søren Skou has estimated the financial impact to be US$200-300 million.
“What’s interesting about the Maersk attack is that this was the sort of thing that could have happened to any business,” Wootliff said. “Maersk was particularly vulnerable. It is a large, well-run organization yet it fell victim to it and was the largest commercial victim, probably because it hadn’t thought about this enough. It will be thinking about it a lot more in the future.”
The electronic chart display and information systems used in shipping are an obvious risk and have already been identified by cybersecurity firm NCC Group to contain several security weaknesses.
“Access to this would enable interaction with the shipboard network,” Wootliff said. “You could effectively take out the ship. This wasn’t difficult to do. The ship was rendered inoperable by the compromise of the system.”
Satellite communications and automatic identification systems can also be hacked or manipulation. In 2014, antivirus and computing security company Trend Micro identified that AIS systems could be compromised relatively easily.
“What could you do if you compromised one of these?” said Wootliff. “You could modify all the ship details such as position and course, create ghost vessels, trigger a false collision-warning alert, send false weather signals, render the ship invisible, etc. The implications are quite severe.”
For example, hackers could flood and overwhelm these systems in a denial-of-service attack so the AIS system globally stops working. Criminals could also identify specific ships carrying arms or particularly valuable cargo.
“The capability is there,” Wootliff said. “What’s surprising about this is that if you compare it to the financial services sector, for instance, this information is much more easily available. The financial services sector has really strengthened its defences, whereas the maritime sector is crawling with these sorts of vulnerabilities.”
According to Wootliff, the most important thing companies should do to minimize cyberattacks is to identify the priorities.
“Assess your risk exposure based on the company’s current level of cybersecurity maturity,” he said. “I think this is key. I actually think this is more important than identifying the vulnerabilities.”
Naturally, companies must develop measures to detect a breach and have in place a tested crisis management plan in case of an actual breach. Each company also needs to develop a cyberthreat intelligence programme which is relevant and specific.
“If you try and do it on a one-size-fits-all basis, you’ll get a limited amount of protection for a large amount of money,” said Wootliff. “So improve your return on investment, and actually try and understand what you’re defending yourself against, what they’re looking to attack, and how you might be attacked.”
Companies have to keep in mind that a cyberattack is possibly inevitable, because a connection to the internet in any way means that somebody somewhere is going to ty to launch an attack at some point.
“A successful cyberattack, though, is not inevitable,” Wootliff said. “To say otherwise is an abrogation of responsibility as a fiduciary for your company and I think it’s actually perfectly possible to make a real defence against cyberattacks.”
He added that most companies do not take it seriously enough and push the issue of cybersecurity down to someone at a relatively junior level. These companies take it from a purely technical perspective and don’t put the proper defences in place, but what they should be doing is going back to first principles, such as thinking about what they have which is important; who would like to attack those things which are important; and how attackers would go about doing it.
“Let’s start from those threat-risk-based principles, and then you can actually drive forward a holistic response,” said Wootliff. “If you start by thinking about what the technology is, you’re going to get lost in that morass of expensive problems. The thing about cybersecurity is that 10% of it is technology, and 90% of it is change management – getting people to think in a certain way.”
Overall, the shipping industry needs to be involved in a constant process of learning about cyberattacks and improving protection against them.
“The maritime sector is good at dealing with crises and knows how to respond to these sorts of things,” Wootliff said. “From using those principles which it has developed over hundreds of years, it should be able to deal with the cybersecurity challenge.”
By Jeffrey Lee
Asia Cargo News | Shenzhen