The last victim in a long list of cyber-attacks was cruise operator Carnival Corp, who announced on 15 August 2020 that they had suffered from an attack involving files being stolen. According to David Bernstein, chief financial officer for Carnival, the company “detected a ransomware attack that accessed and encrypted a portion of one brands’ information technology systems. The unauthorized access also included the download of certain of our data files.”
It seems that the ransomware attack included unauthorized access to personal data of guests and employees. The incident may become a costly one for the cruise operator, as it may result in potential claims from guests, employees and regulatory agencies.
This was the most recent event in a series of incidents that affected both shipping companies and ports. Since NotPetya caused US$300 million in losses for Maersk, the attacks are increasing at an alarming rate. In 2018, the ports of Barcelona and San Diego fell under attack. Australian shipbuilder Austal was also hit ,and the attack on COSCO took down half of the shipowner’s US network.
Fast forward to 2020, when the shipping company MSC was hit by malware, which resulted in shutting down the shipowner’s Geneva headquarters for five days. According to a US Coast Guard security bulletin, a cargo facility’s operating system was infected with the Ryuk ransomware. Finally, the OT systems at Iran’s Shahid Rajee port were hacked, restricting all infrastructure movements and creating a massive backlog.
The convergence of IT and OT systems creates new challenges
Until relatively recently, topics relating to cybersecurity have been the domain of the IT department. However, securing Operational Technology (OT) is becoming critical for maritime and shipping business, since they rely more on smart, cutting-edge technology. (This is especially true for the digitalized maritime sector, as we discussed in a recent post.)
“All new builds are based on software that runs systems within the ship pertaining to safety and security, and also for monitoring of operations,” says former naval officer Chronis Kapalidis, a maritime cybersecurity researcher at HudsonAnalytix and an analyst at Chatham House. “It’s important that cybersecurity across IT and OT becomes part of a new cyber culture. It shouldn’t be something that ship owners are requesting and pushing the vendors for – it should be something vendors have in place to demonstrate their competitive advantage.”
The IMO recognized the need to make sure that these OT systems are secure. In response, it required that all maritime administrators appropriately address the cyber risk of their Safety Management Systems by January 2021.
Addressing these risks begins with knowing your vulnerabilities and being prepared for a constant increase of cyber threats. Paul Ferrillo, partner at Law firm McDermott, Will & Emery said in a recent webinar that all ports and terminals are attractive targets for cyber attackers. “If you have data, you are a target,” he warned. “You will be attacked and breached – you may already be breached, but you may not know it.”
However, cyber threats that threaten to break the maritime operational reliability and delay cargo delivery carry additional risks. “Infected systems can compromise navigation or propulsion, threatening ship safety itself as well as the marine environment,” reads a recent article by ABB.
With cyber-attacks against port operators and shipping companies increasing, “people need to be aware of the threats,” says Scott Dickerson, executive director at Maritime Transportation System ISAC. “It is not just a technology challenge. Some ports do not have a dedicated IT person, so at operational level people need to understand how they are being targeted and make sure they have good cyber hygiene.”
Traditional cybersecurity does not work
The quantity of information transmitted from ship to shore has increased dramatically thanks to advances in maritime communications and an ever-increasing reliance on technology-enabled on-board systems.
“What is interesting is that many operators believe they have this protected with traditional cybersecurity, but the firewalls and software protecting the IT side, do not protect individual systems on the OT network,” says Jonas Blomqvist, General Manager, Cyber Security, Marine Business at Wärtsilä.
Installing an antivirus platform on a vessel bridge navigation system (ECDIS) could very quickly impair and inhibit system performance, for example.
“Operational networks, in contrast to information networks, are measured by their performance level. Their operation cannot be disconnected and stopped. An emergency state in these systems can usually only be identified following a strike and they will be irreparable and irreversible,” adds Blomqvist.
Taking precautions by installing security systems, such as firewalls and detection systems for denial of services attacks and other malware, is crucial but insufficient. Adopting proactive cybersecurity risk management provides an opportunity for shipping companies to differentiate themselves.
Maritime cyber resilience is a strategic advantage
Cyber resilience has emerged over the past years because traditional cybersecurity countermeasures are not sufficient to protect organizations against sophisticated attacks. Preserving both cybersecurity and cyber safety are important because of the potential effect a cyber-attack might have on personnel, the ship, the environment, the company and the cargo.
Cyber resilience programs should be able to identify, assess and manage the cyber risks. They must continuously monitor all mission critical systems to detect anomalies, change and potential cybersecurity incidents before they cause significant damage and disrupt the reliability and safety of operational processes. An incident response management program ensures business continuity and helps the maritime and shipping company to continue to operate despite a cyber-attack.
With cyber-attacks increasing in frequency and severity, supposing that maritime and shipping organizations can defend against every potential attack scenario is just wishful thinking. Organizations need to combine cybersecurity with business resilience to be cyber resilient. As the maritime sector continues its digitalization journey, a safer shipping offering is a competitive strategic advantage.