MARITIME CYBER SECURITY Archives - Page 28 of 40 - SHIP IP LTD

Experts believe that more crew cyber training is needed as the International Maritime Organisation (IMO) 2021 deadline to incorporate cyber security into management systems looms. Just how much training is required, or whether a designated person aboard shall be assigned as a cyber expert on board, is still up for discussion.
From 1 January 2021, ship-owners must include cyber security in ship safety management systems under amendments in IMO’s International Ship Management (ISM) Code. Ship-owners and managers have just four months before a key deadline in cyber risk management is passed and ship security comes under greater scrutiny.
Preparations should already be underway to include cyber risks as part of the ship’s safety, said Norton Rose Fulbright partner Philip Roche, who said this should include training and security-breach drills. “There are many threats out there,” said Mr Roche during Riviera Maritime Media’s ‘Minimising cost and disruption after a cyber event’ webinar on 6 August, the concluding event of the Maritime Cyber Security Webinar Week. Ship-owners “need to consider risk management and cyber-attack recovery”, Roche said. “Good safety management requires a plan to be in place now if the ship is to be seaworthy…. cyber security is another risk to be managed as part of the safety management of the ship.”
This could be policed in the future by port state control, whose inspectors may request information on cyber risk management for a vessel as part of its seaworthiness.
In a test for seaworthiness, the ship “must have a degree of fitness, which a prudent ship-owner would require the vessel to have at the commencement of its voyage”. This degree of fitness extends beyond the physical condition of the ship and includes having properly trained crew able to deal with contingencies arising at sea. Such tests are to be considered against the current state of knowledge of the risks and regulations in the industry. “This means port state control would take an interest in cyber training and consider cyber risk management and attack recovery,” said Mr Roche.
To ensure a ship is seaworthy today, the ship needs to have reasonable measures to protect against a cyber attack, including trained crews who have good cyber hygiene practices and are aware of risks, and a plan to detect, deal with and recover from a cyber-attack.
ISM Code
To deal with and recover from a cyber attack, there is plenty of shipping industry guidance available from various maritime organisations, including the IMO and BIMCO. Key to this preparation is following the ISM Code, which requires that the safety-management objectives of the company provide for safe practices in ship operations and a safe working environment. To follow the ISM Code, owners assess all identified risks to ships, personnel and the environment, establish appropriate safeguards, and continuously improve the safety-management skills of personnel ashore and aboard ships, including preparing for emergencies related both to safety and environmental protection.
Owners can look at IMO guidance on cyber security, which covers developing and implementing activities and plans to provide resilience and to restore systems necessary for shipping operations or services impaired by a cyber event. Ship operators need to identify measures to back up and restore the cyber systems necessary for shipping operations impacted by a cyber event. They must also distinguish between an attack affecting IT and an attack on operational technology (OT), which includes cyber threats to ship propulsion control, steering, navigation and communications systems.
Cyber Risks in Ports
Further digitalisation in ports is increasing their vulnerability to hackers and cyber-attacks. As more technology is linked to the internet, the frequency of these threats and chances of a successful breach increases. Cyber security needs to be improved in ports before the internet of things (IoT) is introduced into port infrastructure. With more automation in ports, some of these networks are overlooked by IT teams and could be vulnerable to hackers.
Cyber Breach Response
In an initial assessment of a cyber breach, a response team must find out how the incident occurred, which IT and/or OT systems were affected, and then how that happened. The extent to which commercial and/or operational data is affected needs to be established, and to what extent any threat remains. Following this initial assessment, a ship’s data, IT and OT systems need to be cleaned, recovered and restored as far as possible to an operational condition by removing threats from the system and restoring software. A thorough investigation is then needed to understand the causes and consequences of a cyber incident, with support from an external expert, if appropriate.
To prevent a recurrence, ship-owners need to implement the actions arising from the investigation, addressing any inadequacies in technical and/or procedural protection measures, and change on-board procedures and work culture to prevent another cyber breach.
“There need to be constant reminders of cyber hygiene, and someone needs to keep an eye on board, perhaps as a cyber security officer.” Crew can “act as a buffer to reduce the effects of a successful attack” if they are trained and regularly practise, said Mr Roche.
Guidance: Key Issues To Address In Onboard Contingency Plans
The following is a non-exhaustive list of cyber incidents for contingency plans to consider:
• Loss of availability of electronic navigational equipment or loss of integrity of navigation-related data.
• Loss of availability or integrity of external data sources, including but not limited to Global Navigation Satellite Services.
• Loss of essential connectivity with the shore, including but not limited to the availability of Global Maritime Distress and Safety System communications.
• Loss of availability of industrial control systems, including propulsion, auxiliary systems and other critical systems, as well as loss of integrity of data management and control.
• The event of a ransomware or denial of service incident.

Further digitalisation in ports is increasing their vulnerability to hackers and cyber attacks. As more technology is linked to the internet, the frequency of these threats and chances of a successful breach increases.

Cyber security needs to be improved in ports before the internet of things (IoT) is introduced into port infrastructure. With more automation in ports, some of these networks are overlooked by IT teams and could be vulnerable to hackers, said University of Plymouth, Faculty of Science and Engineering lecturer in cyber security Kimberly Tam.

She was speaking during Riviera Maritime Media’s Where port security meets cyber security webinar. This was held at the beginning of Riviera’s Maritime Cyber Security Webinar Week, in association with Maritime Transportation System – Information Sharing and Analysis Center (ISAC), on 4 August.

Dr Tam, who is also academic lead of the university’s Cyber-Ship Lab, said even having back-up systems may not be secure enough.

“Our world is changing. There is more technology and possibilities to create new crimes, which is increasing cyber attack risks,” she said. There have been “leaps in autonomy and information sharing” that are creating vulnerabilities.

“We have seen cyber attacks on infrastructure, energy networks, ports and on port cranes,” Dr Tam continued. “As there is more remote monitoring with sensors, there are new devices that can be hacked.”

Supervisory Control and Data Acquisition (SCADA) networks are particularly vulnerable to hackers due to their weak defence. “SCADA networks get overlooked by IT specialists,” said Dr Tam.

More worrying for port operators is their inability to detect whether there has been an intrusion into their IT, SCADA or IoT networks. Dr Tam said would-be hackers could be snooping inside servers undetected. “Hackers would need a lot of reconnaissance of maritime and port servers,” she explained. “We are unable to see who is inside these networks.”

Port operators may not know the intentions of potential hackers or ransomware until it is too late. Hackers could be inside servers to steal information, feed misinformation about manifests, or to input ransomware. “It is not just smash and grab,” said Dr Tam.

With more IoT application in ports, vulnerability of operational technology (OT) to cyber threats is increasing, reducing the air gap between this technology and the connected network. Dr Tam warned these trends lower the security within OT to cyber threats.

If port operators introduce redundancy into IT and OT this could improve security and recovery after an intrusion. “But if this redundancy is too similar, they will have the same vulnerabilities,” said Dr Tam.

University of Plymouth is researching appropriate risk assessment for cyber and cyber-physical systems in maritime and in ports. It is looking at IT and OT systems, with the “aim of giving people information critical for cyber safety and cyber resilience in this sector”, said Dr Tam.

“We are looking at specific case studies for cyber security at ports and we are talking to many in the cruise, container and oil sectors.” The university is considering the plausibility of attacks, calculating realistic risks and the cost of a port cyber attack.

University gains US$3.9M funding for bridge system assessment platform

University of Plymouth’s maritime cyber threat research group’s Cyber-Ship Lab project has made significant progress since it secured £3M (US$3.9M) combined Research England and industry funding in January.

It is creating a unique platform to reproduce any ship’s bridge systems – in service or under development – to assess their cyber risk.

This project has 20 partners on board. More are expected to follow as the research group has gained 150 additional expressions of interest from shipbuilders, maritime IT and operational technology manufacturers, classification societies and insurers.

Named partners include BMT UK, BT Ventures, Eaton, Hensoldt UK (formerly Kelvin Hughes), Altran Group’s Information Risk Management and Lloyd’s Register’s Nettitude.

This project is in the design and build phase. This involves acquiring an extensive and comprehensive collection of in-service or under-development ships’ bridge equipment such as voyage data recorders, radars, automatic identification systems, ECDIS, firewalls, switches, and uninterruptable power supplies.

Various partners have committed to, or are in discussions about, providing their experts’ time or real-world datasets to populate the Cyber-Ship Lab platform.

The group has secured an additional £160,000 (US$207,843) MarRI-UK funding for its Maritime Cyber Risk Assessment framework (MaCRA) work. This has progressed to the market validation stage of the UK Government’s Department for Digital, Culture, Media & Sport’s cyber security academic start up accelerator funding competition, Cyber-ASAP.

Meanwhile, as part of its Cyber-MAR project involvement, the research group is progressing complementary cyber-range work with specialised European container port authorities, enabling them to assess cyber risk and build threat resilience.

Source: rivieramm


In the digital age, information security and data safety issues are critically important. Even large IT companies developing complex software and hardware solutions, Internet platforms and IoT (Internet of Things) devices often cannot provide the required level of cybersecurity. Everyone is aware of the recent cases of information leakage and security breaches at companies such as Twitter, Garmin, Intel and other huge industrial players, which were attacked in 2020. And this has an impact on us all, because we or our friends and relatives may be users of any of these products.

Cybersecurity has a huge potential to affect the safety of the crew, vessel, cargo and even ports. It is concerned with protecting IT systems, onboard hardware and sensors, and data from unauthorised access, manipulation, disruption and leakage. Cybersecurity policies and plans cover different types of risk, such as information integrity and the availability of systems and hardware on board and in the office of the shipping company. Incidents can result from:

  • Problems with data transfer from the shipping company to the vessel and vice versa. For example, an incorrect transfer of charts from the shipping company to the vessel’s ECDIS can delay the voyage or even make it necessary to reset all charts already installed on the ECDIS
  • Problems with onboard equipment and hardware. Not every crew member knows what to do with every piece of operational equipment installed on board in the event of a disruption or failure, which can lead to more serious consequences for vessel operations
  • Loss or manipulation of external sensor data critical for the operation of a ship. Not to mention the problems that may occur if vessel systems or shipping company systems are attacked by hackers.

These are just examples of what can happen with the systems of the ship and the shipping company. With the development of information technologies in maritime logistics, such problems will arise more often if measures are not taken to prevent them in advance.

Cyber Risk Management should:

  • Define the roles and responsibilities of users, key personnel and management both ashore and aboard
  • Identify systems, assets, data and capabilities that, if breached, could pose a threat to the operations and safety of the ship
  • Implement technical and procedural measures to protect against cyber incidents and ensure business continuity
  • Carry out activities to prepare for and respond to cyber incidents.

The company’s Cyber Risk Management plans and procedures should complement the existing security risk management requirements of the ISM Code and the ISPS Code. Cybersecurity should be seen at all levels of the company, from top management onshore to onboard personnel, as an integral part of the safety culture required for the safe and efficient operation of a ship.

Vessels are increasingly integrated with onshore operations as digital communications are used to conduct business, manage operations, and keep in touch with office managers. In addition, critical vessel systems required for the safety of navigation, power supply and cargo management are increasingly digitized and connected to the Internet to perform a wide range of legitimate functions, such as:

  • Monitoring of engine operation
  • Service and management of spare parts
  • Loading, handling, crane, pump control and laying planning
  • Vessel performance monitoring.

It is important to protect critical systems and data with multiple layers of safeguards that address the role of people, procedures, and technology to:

  • Increase the likelihood of detecting a cyber incident
  • Increase the effort and resources required to protect information, data or the availability of IT hardware.

Connected hardware on board should require more than one technical and / or procedural protection. Perimeter defenses such as firewalls are important to prevent unwanted intrusion into systems, but may not be sufficient to combat internal threats.
This defense-in-depth approach encourages a combination of:

  • Physical safety of the vessel in accordance with the ship security plan (SSP)
  • Network protection, including efficient segmentation
  • Intrusion detection
  • Periodic scanning and testing of vulnerabilities
  • Software whitelisting
  • Access and user controls
  • Appropriate procedures regarding the use of removable media and password policies
  • Staff awareness of the risks and familiarity with the relevant procedures.

But how important is cybersecurity in the maritime industry?


Marine Digital Fuel Optimization System is a cloud-based system hosted at Amazon facilities in compliance with cybersecurity requirements.

AWS IoT Core provides automated configuration and authentication upon a device’s first connection to AWS IoT Core, as well as end-to-end encryption throughout all points of connection so that data is never exchanged between devices and AWS IoT Core without a proven identity.

AWS IoT Device Defender audits device-related resources (such as X.509 certificates, IoT policies and client IDs) against AWS IoT security best practices (e.g., the principle of least privilege or a unique identity per device). It also continuously monitors device fleets to detect abnormal device behaviour that may indicate a compromise, by monitoring high-value security metrics from the device and from AWS IoT Core (e.g., the number of listening TCP ports on a device or authorization failure counts).
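To make the monitoring described above concrete, here is an added example, not AWS code and not part of Marine Digital’s system, that shows the kind of evaluation a behaviour profile performs: each device reports its listening TCP ports, authorization failures and outbound volume for a window, the monitor compares them against an expected profile, and a fleet-wide audit flags a certificate shared by more than one device (the “unique identity per device” rule). Device names, certificate IDs, port numbers and thresholds are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class BehaviorProfile:
    """Expected behaviour for a class of devices (values constructed for this example)."""
    allowed_listen_ports: Set[int]   # services a healthy unit is expected to expose
    max_auth_failures: int           # per reporting window
    max_bytes_out: int               # per reporting window


@dataclass(frozen=True)
class MetricReport:
    """One reporting window of metrics for a device, as a fleet monitor would receive them."""
    device_id: str
    cert_id: str                     # identity the device authenticated with
    listen_ports: frozenset
    auth_failures: int
    bytes_out: int


def evaluate_report(report: MetricReport, profile: BehaviorProfile) -> List[str]:
    """Compare one device's metrics with its behaviour profile; return findings (empty = normal)."""
    findings = []
    unexpected = sorted(set(report.listen_ports) - profile.allowed_listen_ports)
    if unexpected:
        findings.append(f"{report.device_id}: unexpected listening TCP ports {unexpected}")
    if report.auth_failures > profile.max_auth_failures:
        findings.append(f"{report.device_id}: {report.auth_failures} authorization failures "
                        f"(limit {profile.max_auth_failures})")
    if report.bytes_out > profile.max_bytes_out:
        findings.append(f"{report.device_id}: {report.bytes_out} bytes sent "
                        f"(limit {profile.max_bytes_out})")
    return findings


def audit_unique_identity(reports: List[MetricReport]) -> List[str]:
    """Audit check: every device should present its own certificate; a shared cert is a finding."""
    devices_by_cert: Dict[str, Set[str]] = {}
    for r in reports:
        devices_by_cert.setdefault(r.cert_id, set()).add(r.device_id)
    return [f"certificate {cert} shared by devices {sorted(devs)}"
            for cert, devs in sorted(devices_by_cert.items()) if len(devs) > 1]


def run_checks(reports: List[MetricReport], profile: BehaviorProfile) -> Dict[str, List[str]]:
    """Run the per-device behaviour checks and the fleet-wide identity audit."""
    results = {r.device_id: evaluate_report(r, profile) for r in reports}
    results["fleet"] = audit_unique_identity(reports)
    return results


# Constructed sample data: three data-collection units reporting over one window.
DCU_PROFILE = BehaviorProfile(allowed_listen_ports={22}, max_auth_failures=5, max_bytes_out=5_000_000)
SAMPLE_REPORTS = [
    MetricReport("dcu-001", "cert-a1", frozenset({22}), 0, 120_000),        # normal
    MetricReport("dcu-002", "cert-b7", frozenset({22, 9000}), 1, 130_000),  # extra service listening
    MetricReport("dcu-003", "cert-b7", frozenset({22}), 25, 9_000_000),     # auth failures, volume, shared cert
]

if __name__ == "__main__":
    for device, findings in run_checks(SAMPLE_REPORTS, DCU_PROFILE).items():
        print(device, findings or "OK")
```

The thresholds are deliberately simple static limits; a production monitor would derive them per device class from observed baselines and alert on the findings rather than print them.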


The Marine Digital FOS box (the hardware part, which is installed on a vessel) consists of a Data Collection Unit (DCU), a power supply and a GSM modem in a single robust enclosure. It interfaces with the sources of input signals via a read-only NMEA connection, pulls in data from the integrated sources, encodes and records it to the integrated storage, and then uploads the collected data to the cloud data lake when a GSM connection is available, autonomously from the shipboard systems. So there is no way to access the equipment on board.
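As an added illustration of the read-only NMEA collection described above, and of the “loss of integrity of navigation-related data” scenario in the contingency-plan list earlier on this page, the following Python example is not Marine Digital’s code and makes no claim about the FOS box internals. It validates NMEA 0183 sentence checksums before recording a fix, rejects a sentence whose content no longer matches its checksum, and applies a simple plausibility check (implied speed between consecutive fixes, with an assumed 40-knot ceiling) that a data collection unit or bridge system could use to flag a corrupted or spoofed position feed. The sample sentences are constructed; the first is the widely circulated textbook GGA example.

```python
import math
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Fix:
    talker: str      # e.g. "GP" for a GPS receiver
    lat: float       # decimal degrees, north positive
    lon: float       # decimal degrees, east positive
    quality: int     # GGA fix quality indicator (0 = no fix)


def nmea_checksum(body: str) -> int:
    """NMEA 0183 checksum: XOR of every character between '$' and '*'."""
    cs = 0
    for ch in body:
        cs ^= ord(ch)
    return cs


def make_sentence(body: str) -> str:
    """Frame a sentence body with '$' and a correct '*hh' checksum (used to build samples)."""
    return f"${body}*{nmea_checksum(body):02X}"


def validate_sentence(sentence: str) -> Optional[List[str]]:
    """Return the fields of a sentence whose framing and checksum are valid, else None."""
    s = sentence.strip()
    if not s.startswith("$") or "*" not in s:
        return None
    body, _, given = s[1:].partition("*")
    if len(given) != 2:
        return None
    try:
        if int(given, 16) != nmea_checksum(body):
            return None
    except ValueError:
        return None
    return body.split(",")


def _to_degrees(value: str, hemisphere: str) -> float:
    """Convert NMEA (d)ddmm.mmmm plus N/S/E/W into signed decimal degrees."""
    dot = value.index(".")
    degrees = int(value[:dot - 2])
    minutes = float(value[dot - 2:])
    dec = degrees + minutes / 60.0
    return -dec if hemisphere in ("S", "W") else dec


def parse_gga(sentence: str) -> Optional[Fix]:
    """Parse a GGA sentence into a Fix; reject anything that fails framing or checksum."""
    fields = validate_sentence(sentence)
    if fields is None or not fields[0].endswith("GGA") or len(fields) < 7:
        return None
    try:
        return Fix(fields[0][:2], _to_degrees(fields[2], fields[3]),
                   _to_degrees(fields[4], fields[5]), int(fields[6]))
    except (ValueError, IndexError):
        return None


def distance_nm(a: Fix, b: Fix) -> float:
    """Great-circle distance in nautical miles (haversine formula)."""
    r_nm = 3440.065  # mean Earth radius in nautical miles
    phi1, phi2 = math.radians(a.lat), math.radians(b.lat)
    dphi, dlam = phi2 - phi1, math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * r_nm * math.asin(math.sqrt(h))


def plausible(prev: Fix, cur: Fix, seconds: float, max_knots: float = 40.0) -> bool:
    """Integrity check on consecutive fixes: the implied speed must stay within the hull's capability."""
    if seconds <= 0:
        return False
    return distance_nm(prev, cur) / (seconds / 3600.0) <= max_knots


# Constructed samples. SAMPLE_GGA is the textbook GGA example; the others derive from it.
SAMPLE_GGA = "$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*47"
TAMPERED_GGA = "$GPGGA,123519,4807.038,N,01132.000,E,1,08,0.9,545.4,M,46.9,M,,*47"  # longitude edited, old checksum kept
NEXT_GGA = make_sentence("GPGGA,123529,4807.100,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,")  # 10 s later, ~22 kn
JUMP_GGA = make_sentence("GPGGA,123529,4907.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,")  # 60 nm in 10 s

if __name__ == "__main__":
    first = parse_gga(SAMPLE_GGA)
    print("tampered sentence accepted:", parse_gga(TAMPERED_GGA) is not None)
    print("next fix plausible:", plausible(first, parse_gga(NEXT_GGA), 10))
    print("jump fix plausible:", plausible(first, parse_gga(JUMP_GGA), 10))
```

The checksum catches transmission corruption and careless edits but is not a cryptographic protection, which is why the speed plausibility check sits beside it; a unit that records only sentences passing both, and logs the rejects, gives investigators a usable trail after a navigation-data incident.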

Source: marine-digital


Development of Autonomous ship technologies in Korea compared to Europe.

It is undeniable that Korea is a leading country in the shipbuilding industry. After Hyundai Heavy Industries entered shipbuilding in 1968, Korea overtook Japan to become first in the global shipbuilding industry and rose to the number five spot as a maritime powerhouse. Nonetheless, it is said that the development of autonomous ship technology in Korea is about 5 years behind Europe.

Many companies around the world are working on maritime autonomous surface ships, among which Kongsberg and Rolls-Royce seem to be more ahead of others. As Norway’s Kongsberg Maritime acquired Rolls-Royce Commercial Marine in April 2019, they are now fully integrated and the autonomous shipping projects are being conducted under a new organization.

Korean technological innovation toward autonomous ships

Recently, the Korean government announced $132 million will be spent on developing autonomous sailing technology for six years, to achieve the goal of commercializing oceangoing ships that meet level 3 autonomous navigation defined by the International Maritime Organization (IMO).

To realize a fully unmanned autonomous ship soon, technologies such as an intelligent navigation system, instrumentation automation systems, communication systems and a land-based operation management system must be developed and combined so that a vessel can operate safely.

Three big shipbuilders in Korea – Hyundai Heavy Industries, Samsung Heavy Industries, and Daewoo Shipbuilding and Marine Engineering – have already entered the sector, and their current autonomous ship solutions can reach the first stage of ship autonomy.

However, none of them has yet reached the stage of remotely controlled ships. The most important question for autonomous ships is how to combine maritime ship equipment with information and communication technologies and operational technology while ensuring cyber-security, and how to establish the massive infrastructure, such as smart docking systems at ports and other maritime facilities, in which autonomous ships will operate.

Smart docking at a port ©Rolls-Royce

What technology is needed and how can it be best combined to allow a vessel to operate autonomously?

The technology needed to make a vessel operate autonomously consists of three main parts: ship control systems, digital connectivity from ship to shore, and onshore infrastructure. The first concerns how the vessel itself runs autonomously. Subsystems such as sensors, positioning systems and other technologies that detect obstacles on a voyage must function reliably and securely. The data gathered from the sensors are combined, in what is called sensor fusion, and fed into the vessel’s autonomous navigation system, which makes decisions based on them. This is part of the ongoing integration of information and communication technologies with operational technology. Many experts worry that autonomous ships could be hijacked because this system is vulnerable to hacking, putting stakeholders at risk.

The autonomous navigation of vessels is similar to that of self-driving cars in scanning the surroundings and detecting obstacles using sensors such as cameras, radar and lidar. However, it differs from a self-driving vehicle in that every vessel above a certain size is tracked and monitored under the Automatic Identification System (AIS), an automatic system using transceivers on ships, which provides much more information for autonomous navigation systems than is available to cars. Vessels sailing on the open ocean also move more slowly than cars.

For an autonomous ship to berth and cross automatically, many sensors on the ship interacting with the main system can allow it to dock without crew on board. Even when a ship using this technology is fully operated without crew, however, it should be connected to a control station where humans remotely monitor the ships and their sensors and are able to take manual control, for security as well. Moreover, full autonomy is not the first stage; intermediate levels of automation would be reached before going fully unmanned.

The Korean government is supporting a project for maritime transport in which a vessel can be controlled remotely, initially with crew on board. Even this partial automation can help reduce costs and ease the burden on maritime companies facing a shortage of labour. The labour shortage has been a known issue in the shipping industry, as it is hard to find qualified employees, so automation, whether full or partial, can help fill the gap.

However, this probably means that the technology requires new workers to become more qualified. Although a study of the social impact shows that workers could lose their jobs in several maritime areas due to automation, new jobs can simultaneously be created such as controlling MASS remotely due to there being a control center.

What will be the potential threats for owners and operators of autonomous vessel in the future?

As the benefits of autonomous vessels are multiple and tempting, a variety of organizations, private and public, within the maritime industry have turned toward autonomy to address the impediments associated with ship transportation. Progress in machine learning, ship sensors and related technologies is making the autonomy of ships not only increasingly feasible but economically attractive. Autonomous vessels are expected to reduce operating expenditure, since the costs of crews and of all human support facilities, systems and storage are removed.

However, despite these cost-effective advantages, potential threats associated with cyber-attacks must not be neglected. The risks and vulnerabilities linked to autonomous shipping should be anticipated and properly managed with the related technologies advancing. Increased interconnectivity between vessels and onshore infrastructure also increases potential cyber-attacks on ships. Therefore, it is essential to weigh the cyber-risk contours to rank and mitigate any vulnerabilities. As Operational Technology (OT) systems are increasingly automated, the maritime industry has already witnessed cyber-security incidents which led to ships going off their course.

While existing ships rely on separate systems for managing OT functionality such as bridge, propulsion and power control, these systems seem to be reaching end of life as new technologies are adopted. Maritime company owners and operators have been getting OT systems locally and remotely connected via satellite communications and the internet, leading ultimately to a convergence of IT and OT. Sensors on equipment onboard ships transfer data through communication technology (CT). These new integrated technologies are a double-edged sword: they can enable autonomous systems to operate smoothly but also put the growing automation at greater risk.

To tackle growing concerns about security threats, IMO has a deadline of 1st January 2021 for Maritime Cyber Risk Management to be addressed in ships’ Safety Management Systems. The main focus of the cyber-security program is to put measures in place to protect both OT and IT. It is estimated that cyber-attacks on the maritime industry operation technology (OT) systems have dramatically increased over the last three years.

As these cyber-attacks can have economic impacts and ripple effects on port infrastructure, it might not be easy for vulnerable ports to recover fully through insurance policies after OT systems are attacked. The network connecting traffic controls, cranes, vessel berthing systems and cargo handling systems is currently under threat and will be more vulnerable to cyber-attacks, especially once fully or partially autonomous vessels emerge in ports. To make matters worse, unlike IT systems, OT systems are more vulnerable because they do not have a dashboard that allows operators to monitor the condition of all connected systems. As the maritime industry progresses towards more digitalization and increasing reliance on networked and autonomous systems, ever more vulnerabilities will keep emerging.

Unless systems on vessels are properly managed, large new security gaps for hackers to break through can open up. With the maritime industry’s digital exposure becoming similar to that of industrial systems and OT, maritime companies must move faster towards protecting their systems and providing a reliable and safe operating environment from a security perspective. Proactive measures must be developed and applied to OT systems, since maintaining effective cybersecurity is not just an IT issue but a fundamental operational imperative.

The headquarters of the KR in Busan ©the Korean Register

How Korea responds to maritime security challenges

In preparation for IMO’s Maritime Safety Committee’s resolution “Cyber Risk Management in Safety Management System (MSC.428 (98))” coming into effect, the Korean Register of Shipping (KR) has been working together with major shipbuilders to enhance and support the application and verification of ship cybersecurity rules. KR signed a memorandum of understanding (MoU) with Hyundai LNG Shipping to conduct joint research on the application, verification and development of its Guideline for Maritime Cyber Security last year. It also signed an MoU with Samsung Heavy Industries (SHI) to conduct a joint study on “Ship Cyber Security Network Construction and Design Safety Evaluation” this year.

KR seems to be leading a maritime digital transformation in Korea. It established its own maritime cyber security certification system providing a cyber security certification service for maritime companies. KR has been known for its extensive work on cyber security measures working on big data platforms and e-certificate systems with industry. Moreover, the Korean Register aims to deliver 10 practical digital technologies before the end of 2020.

Source: maritimekr


Cyber security is a major concern for vessels at sea today. The impact of unauthorized, and even authorized, access to ships’ systems can be catastrophic, potentially resulting in reputational, financial and environmental damage, robbery, piracy or simply malicious interference. These are all distinct risks for an unprotected vessel.


Consider potential cyber risks

Not all threats, of course, may be immediately obvious. While an attack on the main propulsion system that causes the vessel to drift without control will be picked up immediately, navigation and positioning systems can be manipulated to show misleading information, inadvertently guiding the ship into trouble.

As the industry slowly approaches truly autonomous shipping, increased reliance on automated systems heightens concerns about security. Vital systems need to be accessible by authorized personnel but protected against any interference. For this reason, type approval processes for systems designed to protect potentially vulnerable components and systems need to consider how the risks of access, both authorized and unauthorized, can be alleviated.

In its type approval process DNV GL identifies four different security level capabilities in line with the IEC 62443 standard. Security Level (SL) 1, the most basic one, provides protection against casual or coincidental violations. Levels 2 to 4 cover increasingly strict protection levels against intentional violation, depending on sophistication of means and the likely level of resources, motivation and skills of potential offenders. Security Level 4 protects against a highly motivated, highly sophisticated attack.

Maritime cyber security specialist Naval Dome has been working with DNV GL, with both organizations sharing knowledge and expertise to improve security requirements for the maritime industry in general and Naval Dome’s own systems in particular. One of the problems identified was that technicians and manufacturers were able to access on-board systems without the knowledge and approval of the crew, which meant they could potentially infect the systems unintentionally.

Therefore a two-step authorization process was needed for which new algorithms had to be developed to prevent remote access without authorization by a vessel’s senior leadership team. To protect the system it is imperative to verify that the person trying to gain access has the necessary authorization and that every action this person takes is recorded in a secure log to mitigate the risk of an internal attack.

Ram Krishnan, CTO at Naval Dome, explains: “In order to protect against marine cyber threats, Naval Dome has developed a solution that is unique among all other cyber threat solutions, because it is designed to protect from the inside-out. We use our software to protect the system itself, thus blocking the two main vectors of attack – external and internal, since the protection is done on the endpoint (PC/HMI).”

One of DNV GL’s original type approval requirements was that once security logs were saved to disk, they could no longer be changed. However, Naval Dome and DNV GL found that this was not necessarily the most secure way of keeping this data safe. Naval Dome therefore devised a new cloud-based solution in which files and logs can be encrypted and saved for 15 years.
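The two requirements described above, a second-person approval before remote access and a log that cannot be quietly altered, can be illustrated in code. The following Python example is added here and is not Naval Dome’s or DNV GL’s implementation; the key handling, role names and event schema are assumptions. Each log entry carries an HMAC over its sequence number, the previous entry’s MAC and the event, so editing, reordering or removing an entry breaks verification, and comparing the latest MAC against a copy held ashore also catches truncation of the log. The access gate refuses to open a session until a senior officer other than the requester has approved it, and records every step.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # chain anchor for the first entry


def _entry_mac(key: bytes, seq: int, prev: str, event: dict) -> str:
    payload = json.dumps({"seq": seq, "prev": prev, "event": event}, sort_keys=True)
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only log. Each entry embeds the MAC of the previous entry and is itself
    authenticated with a key assumed to live in a secure element or with the shore verifier,
    so the onboard host cannot forge entries after the fact."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries: List[dict] = []

    def append(self, event: dict) -> dict:
        seq = len(self.entries)
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        entry = {"seq": seq, "prev": prev, "event": event,
                 "mac": _entry_mac(self._key, seq, prev, event)}
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Latest MAC; publishing it off-ship lets a verifier detect truncation."""
        return self.entries[-1]["mac"] if self.entries else GENESIS


def verify_log(entries: List[dict], key: bytes, expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact (and ends at expected_head, if given),
    otherwise the index of the first entry that fails."""
    prev = GENESIS
    for i, e in enumerate(entries):
        ok = (e.get("seq") == i and e.get("prev") == prev
              and hmac.compare_digest(_entry_mac(key, i, prev, e.get("event", {})), e.get("mac", "")))
        if not ok:
            return i
        prev = e["mac"]
    if expected_head is not None and prev != expected_head:
        return len(entries)  # entries were removed from the end
    return None


class RemoteAccessGate:
    """Two-step authorisation: a technician requests access, a different person from the
    senior leadership roster approves, and only then can the session open."""

    def __init__(self, log: AuditLog, senior_officers):
        self.log = log
        self.senior_officers = set(senior_officers)
        self._requests: Dict[int, dict] = {}

    def request(self, technician: str, purpose: str) -> int:
        rid = len(self._requests) + 1
        self._requests[rid] = {"technician": technician, "approved_by": None}
        self.log.append({"type": "access_requested", "request": rid,
                         "technician": technician, "purpose": purpose})
        return rid

    def approve(self, rid: int, officer: str) -> bool:
        req = self._requests.get(rid)
        granted = (req is not None and officer in self.senior_officers
                   and officer != req["technician"])  # no self-approval
        if granted:
            req["approved_by"] = officer
        self.log.append({"type": "access_decision", "request": rid,
                         "officer": officer, "granted": granted})
        return granted

    def open_session(self, rid: int, technician: str) -> bool:
        req = self._requests.get(rid)
        opened = (req is not None and req["technician"] == technician
                  and req["approved_by"] is not None)
        self.log.append({"type": "session", "request": rid,
                         "technician": technician, "opened": opened})
        return opened


def demo_scenario(key: bytes = b"constructed-demo-key") -> dict:
    """Walk through a vendor access attempt and two tampering attempts; return the outcomes."""
    log = AuditLog(key)
    gate = RemoteAccessGate(log, {"master", "chief_engineer"})
    rid = gate.request("vendor_tech_42", "ECDIS chart update")
    early = gate.open_session(rid, "vendor_tech_42")      # not yet approved
    self_ok = gate.approve(rid, "vendor_tech_42")         # technician cannot approve themselves
    master_ok = gate.approve(rid, "master")
    opened = gate.open_session(rid, "vendor_tech_42")
    # Tampering attempts: rewrite the denied self-approval as granted; drop the last entry.
    edited = [dict(e) for e in log.entries]
    edited[2] = dict(edited[2], event=dict(edited[2]["event"], granted=True))
    truncated = log.entries[:-1]
    return {"early": early, "self_ok": self_ok, "master_ok": master_ok, "opened": opened,
            "intact": verify_log(log.entries, key, log.head()),
            "edited_at": verify_log(edited, key),
            "truncated_at": verify_log(truncated, key, log.head())}
```

Encrypting the stored log for long-term retention, as the article describes, is a separate layer on top of this: confidentiality protects the contents, while the MAC chain is what lets an auditor years later show that nothing was altered.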

Machinery connected to communication networks is especially susceptible to cyber threats. (Image: foto-dock.com, DNV GL)

The type approval process

The type approval process starts with an assessment of the equipment and its documentation, including installation and operation manuals, applying DNV GL’s stringent and challenging evaluation principles. This often results in revisions before the next phase, product evaluation and test procedure, can begin.

This first phase can be quite a challenge for vendors. Documentation typically requires revision, which can mean it has to go back and forth a number of times until both parties are satisfied with the outcome. This phase also requires vendors to draft test procedure documents which are then sent to the classification society for revision and approval.

Once all of these files have been assessed and revised as necessary, the process moves on to physical testing. If the vendor opts to have systems tested at DNV GL facilities, the vendor will set up the equipment and test protocols before the testing is carried out. In the case of Naval Dome, software was set up on an ECDIS system at the DNV GL facility in Trondheim. However, vendors also have the option to have independent third-party testing performed by DNV GL experts at their own premises.


The tests

DNV GL’s test procedures are based on marinized versions of the international standards ISA/IEC 62443-4-2 and IEC 61162-460 which comprise seven chapters and cover increasingly stringent levels of security requirements. The tests ensure that cyber security equipment is sufficiently robust to prevent penetration attempts while also assessing aspects such as encryption strength. The process covers:

• Human user identification and authentication
• Unique identification and authentication
• Multifactor authentication for all interfaces
• Access privileges
• Software process and device identification and authentication
• User control and functionality
• System integrity
• Data confidentiality
• Restriction to data flows
• Response time to cyber events
• Network/system segmentation
• Monitoring of events
• Resource availability
• The cyber security software must allow the protected application to run without interference

“The tests are important as they can reveal outdated encryption algorithms which the vendor would need to update,” says Dr Mate J Csorba, Global Service Line Leader at DNV GL Digital Solutions.

The tests include remote access, ensuring that ship systems are accessible to vendors’ technicians and authorized on-board staff, but that protocols are in place to prevent malicious access.

“What we are assessing is the security capability of the product. We check the capability and integrity of features such as firewalling and the configuration of the system,” says Csorba.

Depending on the level of security a system is being type-approved for, the number of requirements in each of the seven chapters will differ. The higher the level, the stricter and greater the number of requirements.

The Naval Dome system proved highly effective in DNV GL’s one-week type approval tests. The testing covered the security of the operational system protected by the Naval Dome solution as well as potential interference with vessel systems. “During testing it was not possible to hack, or take control of, vessel systems, and ultimately the ship. The two-step authorization process as well as network and Wi-Fi access security were tested without being able to compromise the protected marine system,” said Ram.

Security concerns

According to DNV GL, few ships are sailing with adequate security systems. “If all ships were sailing with SL1, that would be better than having no security at all, but sadly they are not,” says Csorba.

Without adequate protection, systems on existing vessels are exposed to threats every time data is transferred from shore to ship, or even when crews or technicians do something as straightforward and routine as updating software, including charts and notices to mariners, directly from a CD, a USB drive or technician’s device.

Systems on older ships can be upgraded but will be difficult to bring fully up to date without retrofitting new systems. DNV GL believes that at least SL3 should be specified for newbuilds. According to the definition, SL3 provides “protection against intentional violation using sophisticated means, extended resources, IACS specific skills and moderate motivation”.

To achieve this level of cyber security protection, or the optimum SL4, which offers similar safeguards to those under SL3 but against an offender with high motivation, vendors need to fully understand the international standards and participate in appropriate workshops with the type approval organization. These help the vendor gain a full understanding of the type approval regulations and requirements, and the approval authority to understand the equipment. Then both parties can jointly determine the security level the vendor or supplier should achieve.

DNV GL and Naval Dome, currently the only specialists capable of offering an SL4 cyber security solution, were able to demonstrate how relatively simple it is to attack live ship systems. The demonstrations have shown that in the absence of adequate cyber protection, the reported ship position can be shifted and the radar display misled. Similarly, the testing experts were able to turn machinery on and off or disable it, and to override fuel control, steering and ballast systems.

These penetration tests allowed Naval Dome to develop a cyber security product that can protect against all kinds of attacks and meet the SL4 standard. The critical factor in certifying cyber security software at this level is to enable shipping and off-shore facilities to implement cyber security quickly and easily without having to re-certify hardware currently in place. Naval Dome’s cyber security software is loaded onto the existing equipment providing cyber security protection immediately.

DNV GL was one of the first classification societies to recognize the growing threat resulting from increased digitalization in shipping and other industries. Its cyber security type approval was introduced in 2017, with the cyber security class notation “Cyber Secure” added the following year.

Image 2: Attack on the navigation system. A hacker manipulating the navigation system to indicate an incorrect position could cause a severe accident, such as grounding, with potential loss of life and cargo. (Photo: Mariusz Bugno – Shutterstock.com, DNV GL)

The Cyber Secure notation has three qualifiers: Cyber Secure (Basic), corresponding to SL1 and intended primarily for existing ships; Cyber Secure (Advanced) for newbuilds, which corresponds to SL3 with specific adaptations for maritime systems; and Cyber Secure (+), which covers additional systems not included in the scope of the other two qualifiers but which can be combined with either of them.

Cyber Secure notations by default cover ten systems: propulsion, steering, watertight integrity, fire safety, ballast, thrusters (other than main propulsion), auxiliary systems, communications, navigation and power generation. Other systems can be addressed under the “+” qualifier subject to risk assessments. Under all parts of the notation, a cyber security management system is required for every ship.
Source: DNV GL


ZIM has partnered with Konfidas, a cybersecurity expert, to establish ZKCyberStar, a new subsidiary company offering a full range of cybersecurity services, tailor-made for the maritime industry, to increase cyber readiness and ensure business continuity in the event of cyber-attack.

The ever-growing threat of cyber-attack on the maritime industry has only been magnified by the Covid-19 pandemic. At the same time, the industry’s ongoing digitization of its business processes has increased their exposure to cyber-attack. ZKCyberStar will provide a suite of services to support operational cybersecurity readiness, including cyber and regulatory postures, strategy and planning, cyber awareness and executive training, incident response capabilities, supply chain risk management, ongoing threat intelligence and regulatory alerts and briefs. The ZKCyberStar solution employs a unique methodology designed and developed specifically to achieve maximal readiness for and protection against maritime cyber-attack.

ZKCyberStar will be led by Ronen Meroz as CEO, Ram Levi and Eli Zilberman Caspi. Ronen is currently ZIM Global Intermodal Division Manager, a ZIM senior manager with extensive knowledge of the maritime industry. Ram is an international cybersecurity expert, public speaker and advisor to global organizations on cybersecurity. Eli is Co-Founder and COO of Konfidas and an expert on business continuity readiness for cyber-attacks and cyber incident response management.

“ZIM is uniquely positioned to tackle cyber threats in our industry. In recent years, I was approached by global companies seeking advice regarding cyber threats, and I have decided to create ZKCyberStar to support and advise organizations in our industry, using our long-standing cooperative relationship with the top cybersecurity expert team of Konfidas,” said Eli Glickman, President & CEO of ZIM. “With the creation of ZKCyberStar, we join forces to offer the most advanced and skilled services to cope with cyber threats and mitigate the risks and costly impact of cyber-attacks. We welcome Ram Levi, Eli Zilberman Caspi and the team of professionals at Konfidas to jointly create a top-level consulting company to help the industry cope with cyber threats.”

“The maritime and logistics industries have witnessed an unprecedented rise in cyber-attacks in recent years. Those attacks serve as a wake-up call for an industry which is critical to modern trade and commerce. As we move towards heavily networked and increasingly automated systems, cybersecurity must be a top priority,” said Raif Ram Levi, Founder & CEO of Konfidas. “Our unique partnership with ZIM, a global leader in container shipping, will enable ZKCyberStar to provide strong client-driven cybersecurity solutions with global expertise and implementation.”

 

About ZIM

Since 1945, ZIM has been providing creative operational and logistical solutions to customers. Over the years, ZIM has grown to become a leading force in the shipping industry by pioneering innovative technologies and expanding its vast geographical network while maintaining its tradition of excellence.

 

About Konfidas

Konfidas is a Tel Aviv-based boutique consulting firm specializing in a multi-disciplinary approach to cybersecurity. Our experts combine a proactive offense-directed mindset with a pragmatic defense-based approach to enhance organizational cybersecurity preparedness and incident response (IR). The company was established in 2013 with the goal of providing best-in-class cybersecurity consulting and related services to medium and large organizations.

Source: supplychainbrain


Shipping executives are particularly adept at risk management. They regularly have to navigate unpredictable weather systems, climate change, persistent piracy, evolving geopolitical tensions, commodity price and forex fluctuations. They place faith in around 20 seafarers to operate each vessel worth tens of millions, in environments that would be challenging to reach quickly in an emergency. But cyber risk is new territory. And many don’t really know whether their organisation is ready to manage a cyber incident.

One way to prepare your organisation for a cyber attack is to set up a cyber drill. Here is how to set one up with your own management team to improve your organisation’s cyber readiness and boardroom awareness of cyber risk.

So it has happened…

The screens on the business PCs in the engine control room and bridge have all locked down. The computers are simply displaying a black screen with a blank pop up window. No text. There is no ransom note (yet). One of the ECDIS systems is also no longer functioning properly and keeps restarting randomly.

The vessel has entered US waters and a pilot has boarded to bring the vessel into safe harbour. The crew have also received notification from the US Coast Guard of their intention to dispatch an inspector and are anticipating a Port State Control examination when the vessel is in port.

The master is on the phone to the Technical and IT Managers, trying to follow instructions in order to rapidly diagnose the problem. But the phone line isn’t great at the moment as the vessel is currently in a position with poor connectivity. In his mind, he is working out the best way to explain what is happening to the authorities, while trying to make up contingency plans on the fly. The pressure is on to avoid a detention.

This scenario is entirely plausible from 1 January 2021, when the cyber security requirements set out in IMO 2021 become effective, and as cyber attacks on shipping operations continue to increase.

A false sense of readiness and resilience in shipping

“We thought we were prepared for a cyber attack and then we got a nasty surprise when one actually occurred.” This is a common reaction of those who have lived through a cyber attack.

Based on CyberOwl’s experience engaging with nearly 100 fleet operators, less than 5% of them would be able to answer a few fundamental cyber security questions when they are under pressure during a high profile cyber incident, such as: “what is actually happening to the onboard systems?”, ”are we sure we have been cyber attacked?”, “will it spread and how do we stop it spreading?” and “how quickly can we recover operations?”

This is before the more complicated questions that come later during forensic analysis, such as: “what has been the full scale of the impact of the cyber attack?”, “what systems have been compromised?”, “how did the attack actually happen?” and “how do we prevent the same attack in future?” In fact, there are some security teams that never properly answer these latter questions.

If you’re the Fleet IT Manager, scrambling around trying your best to quickly put fires out during such a cyber incident is not going to be a fun day at the office. One of the key decisions you are going to have to quickly make is whether you should be reporting the incident to the leadership team. If so, when do you report it and what do you say? Then, how regularly do you update them?

An effective cyber risk management approach actually starts with the leadership

Recent IMO guidelines and The Guidelines on Cyber Security Onboard Ships (version 3, produced by BIMCO et al) make it very clear that “effective cyber risk management should start at the senior management level”.

Industry leaders in other sectors all concur. According to the annual Global Risks Report 2020 by the World Economic Forum (WEF), cyber-attacks pose an existential risk (just below climate change in terms of likelihood) to organisations the world over.

Developing emergency response plans with senior management early means you’ll already know what information they expect and when.

How does your leadership team perceive the level of cyber risk?

Siraj Shaikh, our Chief Scientist, and Kristen Kuhn, a Researcher at Coventry University, are working on an initiative addressing Cyber Readiness for Boards (CRfB) to uncover this, supported by the UK’s National Cyber Security Centre (NCSC) and the Lloyd’s Register Foundation. Initial findings suggest:

• A key factor that drives a leadership team’s cyber risk perception is their trust in their organisation’s ability to respond to it. If you’re a Fleet IT Manager, that’s you and your team. And in many cases, this trust is likely to be overly optimistic. Certainly, the ability to handle a cyber attack is rarely stress-tested in shipping, unlike in some other sectors.

• The current focus for the shipping sector is on compliance. While timely, this doesn’t suffice to actually address cyber risk.

• The responsibility for cyber risk still rests too heavily on IT or HSSEQ Managers.

Instead, cyber risk needs to be owned and managed as a core business risk, with ultimate accountability at the leadership level. If you are the IT or HSSEQ Manager shouldering that perceived responsibility, it is in your interest to get your leadership team to understand that.

What does a cyber-ready leadership team look like? The leadership team needs to more clearly understand the cyber risks the organisation faces, ensure there is sufficient budget to ensure cyber resilience and set clear roles and responsibilities to preserve business continuity. This includes knowing what their roles are during a cyber attack crisis.

This is where cyber drills are useful

The concept of a drill isn’t new to shipping. Safety drills have long been a requirement either by legislation or as part of a ship manager’s Safety Management System (SMS).

A scenario-based cyber exercise provides an ideal means for leadership teams to engage with and to rehearse for an effective response to a potential cyber-attack. The scenarios offer a creative license to run through both common incidents and also simulate low probability, high impact situations (also known as ‘black swan’ events). It is easy to write off the need to prepare for such black swan events. And yet, COVID-19 shows us how the lack of preparedness may pose an existential threat to an organisation. Indeed, other sectors have shown how ‘doomsday exercises’ have been important to them to cope with the current crisis.

Ultimately, the goal here is to build increased awareness and understanding of cyber risks in your leadership team. It prepares them for when (rather than if) a cyber attack occurs. The drill also helps you identify ways to improve your organisation’s ability to execute effective mitigation strategies.

How would they react?

What information would they need to make decisions?

Who do you need to communicate with and when?

Designing and running an effective “boardroom cyber drill”

Leverage IMO 2021 as an opportunity to encourage a drill. The upcoming deadline of 1 January 2021 to address cyber security as part of the SMS is an ideal opportunity to get senior buy-in. It brings with it direct responsibility for the board on cyber readiness. In fact, being able to demonstrate specific initiatives, such as a boardroom cyber drill, driving cyber readiness is part of evidencing a robust cyber risk management system.

Focus on business risks, not just technology risks. Gain clarity on what risks you want to raise and those that have a significant impact on your organisation. You can then link technology-related and cyber attack events back to those business risks; this is a key tip to designing meaningful scenarios for the drill. A structured mapping of business risks could be a useful resource for this purpose: the Cambridge Business Risk Hub provides a Taxonomy of Business Risks serving as a useful guide for such scenario writing, covering financial, governance, geopolitical, technological and environmental risks.

Do not focus purely on black swan events. While meaningful lessons can be gained from testing an extreme scenario, focusing the drill solely on such doomsday events may be counterproductive and lead your management team to conclude that cyber attacks are unlikely to impact your organisation. Consider an escalating drill that incorporates more commonplace cyber attack events.

Contextualise the drill to your organisation. The scenarios need to be customised to meet the specific practices of your organisation. Do you technically manage your fleet and crew directly, or is some or all of it outsourced? What type of cargo, voyages and ports of entry are involved? How do the responsibilities and liabilities in the charterparty work? While the drill should be grounded in deep expertise in cyber security and organisational resilience, ultimately the scenarios need to be made accessible for the leadership team (in terms of content, format and presentation). It is also important to consider whether there are suppliers and partners that need to participate in the drill.

Collect and visualise some hard data and metrics. This will help you demonstrate cyber security weaknesses and visualise this to the board after the drill. It will also set a baseline for improvement. Critical dimensions to measure include:

How long did each part of the incident response take? There is no right answer for how long response should take, but measuring this sets up a discussion on how much risk the leadership team are willing to live with. If the drill is a tabletop exercise and measuring response times is not possible, then consider getting the participants to estimate how much time each response action is likely to take, challenging them on how realistic their answers are.

How clear were the roles and responsibilities during the drill? This is often where interesting debates and tension points can develop. Especially when there is a lack of clarity.

How clear were the lines of communication? Record what information is given to whom and when. This can be used later to improve protocols for communication.

What were the main gaps of information? Ask any executive that has lived through a cyber attack incident and they will tell you that the first three questions are normally: ”are we sure we have been attacked?”, “how badly are we affected?”, “how quickly can we recover?” Use the drill to discover how easily you can gather this intelligence.

Plan enough time to gain consensus on the lessons learnt. The key here is to capture insights from the discussions and tension points through the drill, which could later be a source of strategic guidance for the organisation to achieve operational cyber resilience. Consider using the metrics above to develop team report cards. These can then be referenced in future once incident response processes have been improved.

Document a report of the drill. The exercise and the lessons derived from it should form part of your cyber risk management approach and SMS. The report may also serve as useful evidence for inspections and help build reputation with customers, demonstrating that you are taking proactive steps to manage cyber risks.
Source: CyberOwl


“Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remains one of the biggest day-to-day cyber threats facing the maritime industry.”

Dryad Global’s cyber security partners, Red Sky Alliance, perform weekly queries of backend databases, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails. Use of the Motor Vessel (MV) or Motor Tanker (MT) keyword in the email subject line is a common lure to entice users in the maritime industry to open emails containing malicious attachments.

With our cyber security partner we are providing a weekly list of Motor Vessels observed being impersonated, together with the associated malicious emails.

The identified emails attempted to deliver malware or phishing links to compromise the vessels and/or parent companies. Users should be aware of the subject lines used and the email addresses that are attempting to deliver the messages.

Malicious Email Collection 22 Aug-29 Aug 2020

First Seen | Subject Line Used | Malware Detections | Sending Email | Targets
Aug 22, 2020 | MV FIRSTEC – PORT CALL FOR BUNKERING AT ZHOUSHAN ANCHORAGE | Trojan:MSIL/AgentTesla.YP!MTB | Yidance Singapore – Operation Team <fix1@yidance.sg> | yidance.sg
Aug 22, 2020 | RE: JEBEL ALI LCL SHIPMENT | TrojanDownloader:O97M/Emotet!rfn | “megha.borade” <965dbaa@26dd9f2.com> | 2010546c.biz
Aug 22, 2020 | Re: [SPAM] RE: 38363 ==== RE: JEBEL ALI LCL SHIPMENT | TrojanDownloader:O97M/Emotet!rfn | Naved Ahmad <3e722a825d56a@2dd400a53b39.com> | 2010546c.biz
Aug 22, 2020 | RE: Sea Shipment from Viraj..to Alpinex..// Nhava Sheva India to Poland..// Booking Import N. P379702020 S/ VIRAJ SYNTEX (P) LT | VBA/Agent.GC!tr.dldr | “MAHALAXMI BL” <a1b29@dc93e335d7395e99221a2be.tr> | 2010546c.biz
Aug 22, 2020 | Fwd:RE: LCL SHIPMENT HAMBURG BL DRAFT | VBA/Agent.GC!tr.dldr | Megha Borade <ad76@44eb3fa638a5.com> | 2010546c.biz
Aug 22, 2020 | RE: JEBEL ALI LCL SHIPMENT | VBA/Agent.GC!tr.dldr | “Megha Borade” <20c90ad@d9b7f1cb73.bw> | 2010546c.biz
Aug 24, 2020 | Norstar Baltic // 10,000mt Benzene // PDA Request | Trojan:Win32/Woreflint.A!cl | Operation dept. <sm.ops@dowausa.com> | hansol.com
Aug 24, 2020 | pda request | port info | Trojan:Script/Wacatac.C!ml | “Afzal Dawood Exports” <afzal.Exports@dawoodtex.com> | fishandbait.com
Aug 25, 2020 | LCL sea freight from Croxley – Southern Lily V396 – ETA Apia 14/01/17 – 12 pallets | VBA/Agent.K!tr.dldr | “Triss-Ann Pomare” <1140d@0463f12adb.vn> | bb92.ws
Aug 25, 2020 | VESSEL LIST 24-08-2020 | TrojanDownloader:O97M/Powdow.PBL!MTB | shaalanco@interlink.com.eg | ntslog.com
Aug 25, 2020 | RE: Emu Debit Note – 884 // 354411 // Dammam Sea Port//(1×40’HC+) | VBA/Agent.GC!tr.dldr | “Geeta Pujari” <498dd9d0@791a19d5d69f6b.vn> | 2010546c.biz
Aug 25, 2020 | Re: Sea Freight for Zabou orders | VBA/Agent.GC!tr.dldr | “Mohammed Patel” <caf9@bffcc0115bf57.za> | 2028c41d.uk
Aug 25, 2020 | RE: 38363 ==== RE: JEBEL ALI LCL SHIPMENT | VBA/Agent.GC!tr.dldr | “Megha Borade” <4acdf0f1f8b@c81.af> | 2010546c.biz
Aug 25, 2020 | Re: Freight / Savannah | VBA/Agent.GC!tr.dldr | “FUMATEX,INC” <263bc@d70612cc.com> | 8882cf4e69.com
Aug 25, 2020 | RE: CHECKLISTS // Lesotho / BY SEA // NOMINATION / UNICURE /INV. U1/242/20-21 | VBA/Agent.GC!tr.dldr | “Vinod Patidar” <aa4b6@12da95fa9a1f3a3.gt> | 2010546c.biz
Aug 25, 2020 | RE: RE: Freight quote for Daco | VBA/Agent.GC!tr.dldr | “Erin Ortolano” <21bf9510b3dfb7b@f7785.pl> | 753f0cc723d.com
Aug 25, 2020 | RE: JEBEL ALI LCL SHIPMENT | HEUR:Trojan.MSOffice.SAgent.gen | “Megha Borade” <608a105@380a499d9.com> | 2010546c.biz
Aug 25, 2020 | RE: JEBEL ALI LCL SHIPMENT | VBA/Agent.GC!tr.dldr | “Ibrahim@relianceuae.ae” <76a215e@b045717e.mx> | 2010546c.biz
Aug 25, 2020 | R: Re: Overweight container | HEUR:Trojan.MSOffice.SAgent.gen | “Aamir Khan” <957254c06ba7@283cb8ea271cc2.ar> | 8882cf4e69.com
Aug 27, 2020 | M.V. MURPHYLEE CTM REQUEST ETA 06th SEPT. 2020 | Fareit-FYV!B878C3A2D2AC | “pm@kcc.org.hk” <pm@kcc.org.hk> | Targets Not Disclosed
Aug 27, 2020 | RFQ for Offshore Drilling Equipment’s,Refineries & petrochemical plants,AHU,FCU, Pipe, Valve, Pump, Fittings and Heat Recovery Unit | Trojan:Win32/Woreflint.A!cl | Senders Not Disclosed | Targets Not Disclosed
Aug 27, 2020 | RE: 6630 ==== RE: [SPAM]- RE: A.J.IMPORT & EXPORTS VANCOUVER LCL | TrojanDownloader:O97M/Emotet!rfn | “MAHALAXMI BL” <515405dd1b68244@a37aae624.tr> | 2010546c.biz
Aug 27, 2020 | RE: 37674……………………RE: TORONTO LCL SHIPMENT | Trojan-Downloader.VBA.Emotet | “Satish Verkia” <86426b337@5afaa429.com> | 2010546c.biz
Aug 27, 2020 | Re: Hakata Queen- / ALTAMIRA / LOI FOR DISCHARGE CARGO | Trojan-Downloader.VBA.Emotet | “HAKATA QUEEN” <26674@a5e39b.com> | 29ec7f830831.mx
Aug 28, 2020 | RE: FW: WKW Ref:530/19/36696/C: TOMO REF : 067/19/INS/W- Permintaan survey kerusakan pulp ex Bg Marcopolo 212 ex MV Glory Forwarder | Trojan-Downloader.VBA.Emotet | “Sumardi” <abbec9b9d6f@39a9b313ab02c9595d0f.br> | b4bd8b7c1f5a.com
Aug 28, 2020 | Re: Request Survey Off Hire – LCT Victoria Jaya, Ciwandan Port | Trojan-Downloader.VBA.Emotet | “Daniel Onggang Siregar” <e010b3@e192e6d99fe557d6718.com> | b4bd8b7c1f5a.com
Aug 28, 2020 | Re: RE: LAB SURVEYOR Merak & Surabaya Vessel MT. TIGER SPRING | VBA/Agent.DDV!tr.dldr | “budi@tomosurveyor.com” <206c826040ede96a0@4e50c5d290d779dfcf2e.gh> | b4bd8b7c1f5a.com
Aug 28, 2020 | Re: Re: Cargo supervisor/surveyor di SPOB Lucinda | Trojan-Downloader.VBA.Emotet | “Aad .” <358bf@317dc2f001ed.br> | b4bd8b7c1f5a.com
Aug 28, 2020 | RE: RFQ No.19/2017-18 for Sea freight for Haz Consignment on EXW | VBA/Agent.DDV!tr.dldr | “Daksha Shinde” <d59b3112ff5b1d10@ed9080cb.eu> | 2010546c.biz
Aug 28, 2020 | RE: 38363 ==== RE: JEBEL ALI LCL SHIPMENT | TrojanDownloader:O97M/Emotet!rfn | “KIRAN Live” <cbb7b2fc2ef5bcaa@b09ef6a8348823.ao> | 2010546c.biz
Aug 28, 2020 | RFQ for Offshore Drilling Equipment’s,Refineries & petrochemicalrn plants,AHU,FCU, Pipe, Valve, Pump, Fittings and Heat Recovery Unit | Trojan:MSIL/AgentTesla.YP!MTB | “Muhannad Attalla” <mohannad@moiss.ae> | ana-iq.com
Aug 28, 2020 | Fwd: Planing Vessel & local Batam Maret 2020 | VBA/Agent.DDV!tr.dldr | “port.batam@cemindo.com” <7577e@9daf.vn> | 726bfbd.com
Aug 29, 2020 | RE: Request flight booking for MV. SEA FUTURE off signers at INCHEON, KOREA | TrojanDownloader:O97M/Emotet.PEC!MTB | “Ms. San San” <accounts2@princehr.com> | withuskor.com
Aug 29, 2020 | Mix container 2 purchase orders | Exploit.RTF-ObfsStrm.Gen | kelly.mfc.china@mikado-foods.de | argomarine.co.kr



Top 5 Malicious Senders

Sender | Malware Sent
accounts2@princehr.com | TrojanDownloader:O97M/Emotet.PEC!MTB
crew@withuskor.com | HEUR:Trojan.MSOffice.SAgent.gen
info@baltic-sea-forum.org | HTML/Agent.6B99!tr
h.lobian@ana-iq.com | Trojan:MSIL/AgentTesla.YP!MTB
katiegoldsbury@ravalliheadstart.org | VBA/Agent.DDV!tr.dldr


In the above collection, we see malicious actors attempting to use vessel names to try to spoof companies in the maritime supply chain. This week we observed a wide variety of maritime-related subject lines. Some of the new vessel names used this week include “MT Tiger Spring” and the “MV Glory Forwarder” among others. Analysts continue to see multiple malicious emails from different senders using “JEBEL ALI LCL SHIPMENT” as part of the subject line. It is still unclear why this specific port is being leveraged in malicious email subject lines, but the specific use of “LCL” (Less than a Container Load) is appearing more often in malicious email subject lines.
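Red Sky Alliance’s weekly query keys on MV/MT in the subject line, and the collection above shows two further tells a mail gateway can score on without opening an attachment: the same thread (“JEBEL ALI LCL SHIPMENT”) arriving from several unrelated sender domains, the pattern of reply-chain hijacking, and display names that carry one address while the envelope sender is another (the “Ibrahim@relianceuae.ae” row). The triage below is an added example, not Red Sky Alliance’s or Dryad Global’s tooling. The keyword lists, weights and threshold are assumptions to be tuned against your own mail flow; the sample records are constructed from rows of the report (attachment names only where the report gives them) plus one benign control.

```python
"""Header-level triage for vessel-impersonation lures (added example, not Red Sky Alliance tooling)."""
import re
from collections import defaultdict

# "MV"/"MT" followed by a vessel name, in the spellings seen in the report's subject lines.
VESSEL_LURE = re.compile(r"\bM\.?\s?[VT]\.?\s+[A-Z0-9]", re.IGNORECASE)
# Shipping/logistics vocabulary that lends a lure its plausibility (assumed list).
LOGISTICS = re.compile(
    r"\b(LCL|PDA|RFQ|B/?L|ETA|BUNKERING|FREIGHT|PORT CALL|SHIPMENT|SURVEY(?:OR)?|"
    r"OFF SIGNERS|CREW CHANGE|PURCHASE ORDERS?|CONTAINER)\b",
    re.IGNORECASE,
)
# Reply/forward prefixes, ticket numbers ("38363 ====") and [SPAM] tags that hijacked threads accumulate.
SUBJECT_NOISE = re.compile(
    r"^(?:(?:re|fw|fwd|r|aw)\s*:\s*|\[spam\]\s*-?\s*|\d+\s*(?:=+|[.\u2026]+)\s*)+",
    re.IGNORECASE,
)
EMAIL_IN_NAME = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
RISKY_EXT = (".doc", ".docm", ".dot", ".xls", ".xlsm", ".rtf", ".ppt", ".pptm", ".js", ".vbs", ".exe", ".iso")
FLAG_THRESHOLD = 3       # assumed cut-off
HIJACK_MIN_DOMAINS = 3   # assumed: one reply thread arriving from this many sender domains


def normalize_subject(subject: str) -> str:
    """Strip reply prefixes, ticket numbers and spam tags so hijacked threads cluster together."""
    core = SUBJECT_NOISE.sub("", subject.strip())
    return re.sub(r"\s+", " ", core).strip().upper()


def is_reply(subject: str) -> bool:
    return re.match(r"\s*(re|fw|fwd|r|aw)\s*:", subject, re.IGNORECASE) is not None


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def triage(records):
    """Score each record; returns dicts with score, flagged and human-readable reasons."""
    threads = defaultdict(set)                       # normalized reply subject -> sender domains
    for rec in records:
        if is_reply(rec["subject"]):
            threads[normalize_subject(rec["subject"])].add(_domain(rec["sender"]))

    results = []
    for rec in records:
        subject, sender_domain = rec["subject"], _domain(rec["sender"])
        score, reasons = 0, []
        if VESSEL_LURE.search(subject):
            score += 2
            reasons.append("vessel-name (MV/MT) lure in subject")
        terms = sorted({t.upper() for t in LOGISTICS.findall(subject)})
        if terms:
            score += 1
            reasons.append("logistics keywords: " + ", ".join(terms))
        claimed = EMAIL_IN_NAME.search(rec.get("display_name") or "")
        if claimed and claimed.group(1).lower() != sender_domain:
            score += 3
            reasons.append(f"display name claims {claimed.group(1)} but sender is @{sender_domain}")
        if sender_domain == rec["target_domain"].lower():
            # On an inbound gateway, mail from outside that claims the recipient's own domain is spoofed.
            score += 1
            reasons.append("inbound mail claims the recipient's own domain")
        peers = threads[normalize_subject(subject)] if is_reply(subject) else set()
        if len(peers) >= HIJACK_MIN_DOMAINS:
            score += 2
            reasons.append(f"reply-chain subject seen from {len(peers)} unrelated sender domains")
        att = rec.get("attachment") or ""
        if att.lower().endswith(RISKY_EXT):
            score += 2
            reasons.append(f"macro/exploit-prone attachment: {att}")
        results.append({"subject": subject, "score": score,
                        "flagged": score >= FLAG_THRESHOLD, "reasons": reasons})
    return results


# Constructed records drawn from the report's rows; the last one is a benign control.
SAMPLE = [
    {"subject": "MV FIRSTEC – PORT CALL FOR BUNKERING AT ZHOUSHAN ANCHORAGE",
     "display_name": "Yidance Singapore – Operation Team", "sender": "fix1@yidance.sg",
     "target_domain": "yidance.sg", "attachment": None},
    {"subject": "RE: JEBEL ALI LCL SHIPMENT", "display_name": "megha.borade",
     "sender": "965dbaa@26dd9f2.com", "target_domain": "2010546c.biz", "attachment": None},
    {"subject": "Re: [SPAM] RE: 38363 ==== RE: JEBEL ALI LCL SHIPMENT", "display_name": "Naved Ahmad",
     "sender": "3e722a825d56a@2dd400a53b39.com", "target_domain": "2010546c.biz", "attachment": None},
    {"subject": "RE: JEBEL ALI LCL SHIPMENT", "display_name": "Ibrahim@relianceuae.ae",
     "sender": "76a215e@b045717e.mx", "target_domain": "2010546c.biz", "attachment": None},
    {"subject": "RE: Request flight booking for MV. SEA FUTURE off signers at INCHEON, KOREA",
     "display_name": "Ms. San San", "sender": "accounts2@princehr.com",
     "target_domain": "withuskor.com", "attachment": "661081608860286.doc"},
    {"subject": "Mix container 2 purchase orders", "display_name": "",
     "sender": "kelly.mfc.china@mikado-foods.de", "target_domain": "argomarine.co.kr",
     "attachment": "M I K A D O® foods.doc"},
    {"subject": "Weekly safety meeting minutes", "display_name": "Ops",
     "sender": "ops@example-broker.test", "target_domain": "example-shipping.test",
     "attachment": "minutes.pdf"},
]

if __name__ == "__main__":
    for verdict in triage(SAMPLE):
        print(f"[{'FLAG' if verdict['flagged'] else ' ok '}] {verdict['score']} {verdict['subject']}")
        for why in verdict["reasons"]:
            print("       -", why)
```

Scores are additive, so a single .doc attachment does not flag on its own while a display-name/envelope mismatch does. The thread rule needs the whole batch to count sender domains, so run the triage per collection rather than per message.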

Analysts observed the malicious subject line “Mix container 2 purchase orders” being used this week. This email appears to be a purchase order coming from a German food company to a Korean marine company. Emails coming from foreign countries can prevent a targeted victim from becoming immediately suspicious when there is incorrect spelling and/or grammar in the malicious email.

The malicious email appears to be sent from “kelly.mfc.china[at]mikado-foods[.]de” which does not appear anywhere publicly in open source data. However, Mikado Foods has “bonnie.mfc.china[at]mikado-foods[.]de” listed as a contact for Mikado Foods China Co., Ltd. The malicious sender appears to have sent malicious emails in July 2019 as well. At that time, attackers were targeting a Belarusian Bank BelVEB OJSC. The sender does not have any name listed in the email signature, only contact details.

Notably, the email greets the specific target by their name which makes it more likely that this is a spearphishing attack. In the email message, the attacker tells the target to find 2 attached purchase orders, but there is only one attachment. The email also instructs the target to “please load (the first purchase order) and then (the second purchase order).” Often malware works in stages, so it is possible the attackers are attempting to get the target to activate the malware in a certain order.

The targeted email address does not appear publicly in open source. The targeted domain is used by Argo Marine Total, which is a maritime inspections and logistics company out of Korea. It also does not clearly indicate which department/division the email would be sent to. It is common for these types of malicious “purchase orders” to target the billing/accounting department to steal sensitive data or commit other cyber-attacks against the company.

If the target were to open the document titled, “M I K A D O® foods.doc,” they would activate HEUR:Exploit.MSOffice.Generic malware on their machine which in this case exploits CVE-2017-11882. This is one of the most common observed exploits leveraged by attackers. The malware can surreptitiously receive commands from a command and control server run by attackers. Using this access, attackers can exfiltrate sensitive company information including passwords, and financial data.
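The Mikado lure's document exploits CVE-2017-11882, the Equation Editor (EQNEDT32.EXE) overflow, and the last row of the collection is tagged Exploit.RTF-ObfsStrm.Gen, an RTF with an obfuscated object stream; RTF files routinely arrive under a .doc name. Since Microsoft removed Equation Editor from Office, any document still carrying an Equation Editor object is worth quarantining outright. The scanner below is an added example, not the report's or any vendor's tooling: it pulls the OLE1 object header out of RTF \objdata streams after stripping the control words and braces attackers scatter through the hex, and does a raw check for the Equation Native stream in OLE compound files. Pairing \objclass with \objdata by order is a triage simplification, and the documents it builds are constructed placeholders with no exploit payload (the MTEF font-record overflow itself is not reproduced).

```python
"""Scan a document for embedded Equation Editor objects (added example, not the report's tooling)."""
import re
import struct

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
EQN_STREAM_UTF16 = "Equation Native".encode("utf-16-le")


def _objdata_groups(rtf: str):
    """Return the raw text of every {\\*\\objdata ...} group, tracking nested braces."""
    groups = []
    for m in re.finditer(r"\\objdata(?![a-zA-Z])", rtf):
        depth, i, start = 1, m.end(), m.end()
        while i < len(rtf) and depth > 0:
            ch = rtf[i]
            if ch == "\\" and i + 1 < len(rtf) and rtf[i + 1] in "\\{}":
                i += 2                     # escaped brace or backslash
                continue
            if ch == "{":
                depth += 1
            elif ch == "}":
                depth -= 1
            i += 1
        groups.append(rtf[start:i - 1])
    return groups


def _hex_payload(group: str) -> bytes:
    """Drop the control words, braces and stray characters obfuscated samples sprinkle
    through the hex stream, then decode what is left."""
    cleaned = re.sub(r"\\\*|\\[a-zA-Z]+-?\d*\s?|\\'[0-9a-fA-F]{2}|\\.|[{}]", "", group)
    digits = re.sub(r"[^0-9a-fA-F]", "", cleaned)
    if len(digits) % 2:
        digits = digits[:-1]
    return bytes.fromhex(digits)


def parse_ole1(blob: bytes):
    """Minimal OLE1 object header parser: version, format, class name, native data length."""
    if len(blob) < 12:
        return None
    version, fmt, name_len = struct.unpack_from("<III", blob, 0)
    if name_len == 0 or 12 + name_len > len(blob):
        return None
    class_name = blob[12:12 + name_len].split(b"\0", 1)[0].decode("latin-1", "replace")
    native_len = None
    try:
        off = 12 + name_len
        topic_len, = struct.unpack_from("<I", blob, off)
        off += 4 + topic_len
        item_len, = struct.unpack_from("<I", blob, off)
        off += 4 + item_len
        native_len, = struct.unpack_from("<I", blob, off)
    except struct.error:
        pass
    return {"version": version, "format": fmt, "class_name": class_name, "native_len": native_len}


def scan_rtf(rtf: str):
    findings = []
    declared = [m.group(1).strip() for m in re.finditer(r"\\objclass\s*([^{}\\]*)", rtf)]
    for idx, group in enumerate(_objdata_groups(rtf)):
        header = parse_ole1(_hex_payload(group)) or {}
        name = header.get("class_name", "")
        claimed = declared[idx] if idx < len(declared) else ""   # paired by order (triage simplification)
        if "equation" in (name + " " + claimed).lower():
            findings.append({
                "object": idx,
                "class_name": name or claimed,
                "native_len": header.get("native_len"),
                "obfuscated": re.search(r"\\[a-zA-Z]|[{}]", group) is not None,
                "reason": "Equation Editor object (CVE-2017-11882 vector; component removed by Microsoft)",
            })
    return findings


def scan_ole(data: bytes):
    """Raw check for OLE compound files: no full CFB parsing, just the tell-tale names."""
    if EQN_STREAM_UTF16 in data or b"Equation.3" in data:
        return [{"object": 0, "class_name": "Equation.3", "native_len": None, "obfuscated": False,
                 "reason": "Equation Native stream / Equation.3 CompObj in OLE container"}]
    return []


def scan_document(data: bytes):
    if data.lstrip().startswith(b"{\\rt"):          # RTF, whatever the file extension says
        return scan_rtf(data.decode("latin-1"))
    if data.startswith(OLE_MAGIC):
        return scan_ole(data)
    return []


def _ole1_hex(class_name: str, native: bytes) -> str:
    hdr = struct.pack("<III", 0x501, 2, len(class_name) + 1) + class_name.encode() + b"\0"
    hdr += struct.pack("<II", 0, 0) + struct.pack("<I", len(native)) + native
    return hdr.hex()


def build_sample_rtf(class_name: str, obfuscate: bool) -> str:
    """Constructed test document: one embedded OLE1 object with placeholder native data (no exploit)."""
    hexdata = _ole1_hex(class_name, b"MTEF placeholder, not an exploit")
    if obfuscate:
        # Mimic in-the-wild tricks: no \objclass, and control words, braces and line breaks in the hex.
        chunks = [hexdata[i:i + 7] for i in range(0, len(hexdata), 7)]
        hexdata = "\\par \n{".join(chunks) + "}" * (len(chunks) - 1)
        objclass = ""
    else:
        objclass = "{\\*\\objclass %s}" % class_name
    return "{\\rtf1\\ansi{\\object\\objemb%s{\\*\\objdata %s}}}" % (objclass, hexdata)


if __name__ == "__main__":
    for label, doc in (("plain", build_sample_rtf("Equation.3", False)),
                       ("obfuscated", build_sample_rtf("Equation.3", True)),
                       ("benign", build_sample_rtf("Word.Document.8", False))):
        print(label, scan_document(doc.encode("latin-1")))
```

The decode-then-parse order matters: signatures that look for the literal string Equation.3 in the file miss samples where the class name only exists inside the hex stream, which is exactly what the obfuscated case reproduces.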

Analysts observed another malicious email subject line being used: “RE: Request flight booking for MV. SEA FUTURE off signers at INCHEON, KOREA.” This email is disguised as a “flight booking” request for the MV Sea Future off-signers, most likely a reference to travel arrangements for crew changes. Due to COVID-19, this type of request would not be uncommon. This vessel is currently in the East China Sea.

The email is being sent from “Ms. San San” at accounts2[at]princehr[.]com. Prince HR Services is a staffing service based in Delhi, India. The sending email does not appear in the Red Sky Alliance breach data, so it is more likely that this user is being spoofed. The email seems relatively professional and addresses “Ms. So Mi”, which indicates a targeted attack as opposed to a spam campaign template, which typically addresses “Dear Sirs/Ma’am.” Because of COVID-19, international crew changes have been a contentious issue, which makes this a very good lure.

The referenced document is titled “661081608860286.doc.” When opened, the file activates TrojanDownloader:O97M/Emotet!rfn which installs the infamous Emotet malware. Red Sky Alliance continues to observe an increase in Emotet activity since July. First identified in 2014, this malware can steal sensitive banking, financial, and user information including passwords. As with many of the Emotet samples observed, the malware deletes the original Word document to make detections more difficult.

The target email is “crew[at]withuskor[.]com”, yet is specifically addressed to “Ms. So Mi.” Analysts were unable to find this particular employee listed anywhere in open source. Often attackers will target users with elevated privileges, but in the case of Emotet malware, the attackers are often looking for employees with access to financial data in order to steal the data and turn a profit.

These analysis results illustrate how a recipient could be fooled into opening an infected email. Doing so could cause the recipient to become an infected member of the maritime supply chain and thus possibly infect victim vessels, port facilities and/or shore companies in the marine, agricultural, and other industries with additional malware.

Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the maritime industry. These threats often carry a financial liability to one or all of those involved in the maritime transportation supply chain.

Pre-empt, don’t just defend

Preventative cyber protection offers a strong first-line defense by preventing deceptive messages from ever reaching staff inboxes, but malicious hackers are developing new techniques to evade current detection daily. Using preemptive information from Red Sky Alliance RedXray diagnostic tool, our Vessel Impersonation reports and Maritime Blacklists offer a proactive solution to stopping cyber-attacks. Recent studies suggest cyber-criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking maritime contemporaries in the hope staff lower down the supply chain will drop their awareness and follow the spoofed email obediently. Analysts across the industry are beginning to see maritime-specific examples of these attacks.
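The indicators the analysts call out above (a named greeting instead of a template salutation, a body that promises more attachments than the message actually carries, an Office document arriving from a sender domain the mailbox has never dealt with, a Reply-To that does not match the sender) can be checked mechanically at the mail gateway before a message reaches an inbox. The Python script below is an added example written for this page; it is not code from Red Sky Alliance, Dryad Global or any product named here. The partner-domain allowlist, the addresses and both sample messages are constructed placeholders.

```python
"""Gateway-side triage for the spearphishing pattern described in the report."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Salutations typical of mass spam templates; a named greeting suggests a targeted lure.
GENERIC_GREETINGS = ("dear sir", "dear sirs", "dear madam", "dear sir/madam",
                     "dear sirs/ma'am", "dear customer", "dear user")
# Office formats that can carry macros or equation-editor exploits.
OFFICE_EXTENSIONS = (".doc", ".docm", ".dot", ".rtf", ".xls", ".xlsm", ".ppt")
# Hypothetical allowlist of counterpart domains this mailbox normally deals with.
KNOWN_PARTNER_DOMAINS = {"agency.example", "port-agent.example"}
NUMBER_WORDS = {"one": 1, "two": 2, "three": 3, "four": 4}


def defang(address: str) -> str:
    """Render an address the way the report does, so it cannot be clicked or mailed."""
    return address.replace("@", "[at]").replace(".", "[.]")


def claimed_attachment_count(body: str):
    """Return the number of attachments the body claims ('find 2 attached ...'), or None."""
    m = re.search(r"\b(\d+|one|two|three|four)\s+attached\b", body, re.IGNORECASE)
    if not m:
        return None
    token = m.group(1).lower()
    return NUMBER_WORDS.get(token) or int(token)


def greeting_kind(body: str) -> str:
    """Classify the salutation on the first non-empty line as generic, personal or none."""
    first = next((ln.strip() for ln in body.splitlines() if ln.strip()), "")
    low = first.lower()
    if any(low.startswith(g) for g in GENERIC_GREETINGS):
        return "generic"
    if re.match(r"^(dear|hi|hello)\b", low):
        return "personal"
    return "none"


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse_message(raw: bytes) -> dict:
    """Run the triage checks on one raw RFC 5322 message and report which indicators hit."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    attachments = [p.get_filename() or "" for p in msg.iter_attachments()]

    _, sender = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    sender_domain, reply_domain = _domain(sender), _domain(reply_to)
    claimed = claimed_attachment_count(body)

    indicators = {
        "office_attachment": any(a.lower().endswith(OFFICE_EXTENSIONS) for a in attachments),
        "attachment_count_mismatch": claimed is not None and claimed != len(attachments),
        "personalised_greeting": greeting_kind(body) == "personal",
        "unknown_sender_domain": sender_domain not in KNOWN_PARTNER_DOMAINS,
        "reply_to_domain_differs": bool(reply_domain) and reply_domain != sender_domain,
    }
    return {"sender": defang(sender), "attachments": attachments,
            "claimed_attachments": claimed, "indicators": indicators,
            "score": sum(indicators.values())}


def build_sample() -> bytes:
    """Constructed message in the style of the lures above; every value is made up."""
    msg = EmailMessage()
    msg["From"] = "Accounts Desk <accounts@staffing.example>"
    msg["To"] = "crew@shipping.example"
    msg["Reply-To"] = "accounts@mail-relay.example"
    msg["Subject"] = "RE: Request flight booking for MV. SEA FUTURE off signers"
    msg.set_content("Dear Ms. Park,\n\nPlease find 2 attached purchase orders, "
                    "load the first and then the second.\n\nRegards,\nAccounts Desk\n")
    # A placeholder byte string stands in for the document; no real file is embedded.
    msg.add_attachment(b"constructed placeholder, not a document",
                       maintype="application", subtype="msword",
                       filename="purchase_order.doc")
    return bytes(msg)


def build_benign_sample() -> bytes:
    """Constructed routine message from an allowlisted partner, for contrast."""
    msg = EmailMessage()
    msg["From"] = "Port Agent <ops@agency.example>"
    msg["To"] = "crew@shipping.example"
    msg["Subject"] = "Crew change confirmation"
    msg.set_content("Dear Sirs,\n\nCrew change confirmed for 12 May.\n")
    return bytes(msg)


if __name__ == "__main__":
    for raw in (build_sample(), build_benign_sample()):
        report = analyse_message(raw)
        print(report["sender"], "score", report["score"], "of", len(report["indicators"]))
        for name, hit in report["indicators"].items():
            print("  ", "!" if hit else " ", name)
```

The score is deliberately a plain count of independent indicators rather than a verdict: a single hit (a personalised greeting, say) is normal business mail, while several together are the profile the report describes and are worth holding for a sandbox detonation or a human look. The allowlist check is the one most worth tuning to the organisation, since the lures above all rely on a sender the recipient has no prior relationship with.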

Source: Dryad Global


Maritime cyber risk refers to a measure of the extent to which a technology asset could be threatened by a potential circumstance or event, which may result in shipping-related operational, safety or security failures as a consequence of information or systems being corrupted, lost or compromised.

Cyber risk management means the process of identifying, analysing, assessing and communicating a cyber-related risk and accepting, avoiding, transferring or mitigating it to an acceptable level, considering the costs and benefits of actions taken to stakeholders.

The overall goal is to support safe and secure shipping, which is operationally resilient to cyber risks.

IMO guidance

IMO has issued MSC-FAL.1/Circ.3 Guidelines on maritime cyber risk management.

The guidelines provide high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyber threats and vulnerabilities and include functional elements that support effective cyber risk management. The recommendations can be incorporated into existing risk management processes and are complementary to the safety and security management practices already established by IMO.

The Maritime Safety Committee, at its 98th session in June 2017, also adopted Resolution MSC.428(98) – Maritime Cyber Risk Management in Safety Management Systems. The resolution encourages administrations to ensure that cyber risks are appropriately addressed in existing safety management systems (as defined in the ISM Code) no later than the first annual verification of the company’s Document of Compliance after 1 January 2021.

Other guidance and standards

(IMO is not responsible for external content)

Guidelines on Cyber Security on board Ships issued by BIMCO, CLIA, ICS, INTERCARGO, INTERMANAGER, INTERTANKO, OCIMF, IUMI and WORLD SHIPPING COUNCIL.

ISO/IEC 27001 standard on Information technology – Security techniques – Information security management systems – Requirements. Published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

United States National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity (the NIST Framework).

Source: IMO


ZKCyberStar will provide cyber security solutions, guidance, methodology and training to the maritime industry. This comes as shipowners need to comply with changes in ship safety management systems as required through amendments to IMO’s ISM Code, which come into effect from 1 January 2021.

The company was formed in response to growing threats to shipping companies from cyber attacks, such as the attack on the Carnival group in August.

Zim, which operates a fleet of container ships, is deploying its experience and long-standing co-operation with cyber-security experts Konfidas to establish ZKCyberStar.

This will increase cyber readiness and ensure business continuity for shipping lines in the event of a cyber attack and provide cyber risk management to help shipowners protect their business from cyber events.

These are becoming more frequent in the maritime industry as owners, operators and managers adopt digitalisation on ships.

ZKCyberStar will provide services to support operational cyber-security readiness, including cyber and regulatory postures, strategy and planning, awareness and executive training.

It will provide response capabilities, supply chain risk management, ongoing threat intelligence, regulatory alerts and briefings.

ZKCyberStar will be led by Zim global intermodal division manager Ronen Meroz as chief executive, international cyber-security expert Ram Levi and Konfidas co-founder and chief operating officer Eli Zilberman Caspi.

Zim president and chief executive Eli Glickman said ZKCyberStar was formed because of the growing importance of cyber security to shipping lines. “We are uniquely positioned to tackle cyber threats in our industry,” he said. “In recent years, I was approached by global companies seeking advice regarding cyber threats.

“I decided to create ZKCyberStar to support and advise organisations in our industry using our long-standing co-operative relationship with the top cyber-security expert team of Konfidas,” said Mr Glickman.

Mr Levi said the maritime and logistics industries have witnessed an unprecedented rise in cyber attacks in recent years.

“Those attacks serve as a wake-up call for an industry that is critical to modern trade and commerce,” said Mr Levi.

“As we move towards heavily networked and increasingly automated systems, cyber security must be a top priority.”


Risks to shipping and ports were discussed in depth during Riviera’s Maritime Cyber Security Webinar Week. Recordings of these events are available in Riviera’s webinar library, and details of upcoming events, including a Maritime Cyber Risk Management Forum in November, are published there as well.


Company DETAILS

SHIP IP LTD
VAT:BG 202572176
Rakovski STR.145
Sofia,
Bulgaria
Phone ( +359) 24929284
E-mail: sales(at)shipip.com

ISO 9001:2015 CERTIFIED