With cyber crimes becoming ever more frequent on a global scale, the maritime industry faces new challenges in order to ensure security of its data.
As a result, players across the maritime supply chain are under pressure to find the ways of responding properly to cyber threats in the industry and implement counter strategies.
On November 13-14, 2017, Ohio’s Tiffin University hosted the Maritime Risk Symposium, which discussed vulnerabilities, threats, and challenges affecting cyber security and the marine transportation system.
World Maritime News spoke with Scott Blough, Executive Director of Center for Cyber Defense & Forensics, Tiffin University, and James Dean, President of TrueCourse Advisory Services, a management consulting firm specializing in banking, insurance, maritime and shipping industries to find out more on the topic.
There are four main types of threats in the maritime industry, Blough and Dean explained.
1. Cyber crime
2. Facilitating piracy
3. Cyber fraud
4. AIS, GPS, and ECDIS spoofing and jamming
Cyber criminals typically resort to activities such as ransomware, data exfiltration or manipulation, and cyber fraud. Each of these activities usually involves a network or data breach.
Facilitating piracy is another endeavor that is typically reserved for the cyber criminals (although in this case, they are actual pirates). A report by Verizon (2015), “Pirates on the high-seas”, noted that pirates had obtained access to a shipping company’s data and were using that data to target specific ships.
Cyber fraud is also typically reserved for cyber criminals. World Fuel Services was the victim of a USD 18 million fraud in which cyber criminals sent a fake fuel supply email invoice that was accepted and paid, our interviewees added.
Automatic Identification System, Global Positioning System, and the Electronic Chart Display and Information System are also vulnerable to cyber attacks. They can be targeted by cyber criminals, nation-states, terrorists and other threat actors, depending upon the desired outcome. The main threat for these systems, which are used for navigation, involves spoofing.
Spoofing means sending false data that is accepted by the targeted system as real data. This is problematic in the maritime industry because of the interconnected nature of the navigation and port traffic control systems, our speakers pointed out.
“A terrorist organization or nation-state could potentially close or seriously impact a port’s ability to receive cargo, creating a significant economic impact.”
Speaking of the ways of achieving cyber resilience in the shipping industry, Blough and Dean said that steps are being taken to reduce the reliance on single-system navigation platforms to incorporate redundancy.
“The most important part of cyber resilience comes from the integration of cyber security and cyber hygiene policies into the existing business continuity and disaster recovery plans of the maritime industry.”
“The good news is that the key is in applying well known general cyber security best practices in a disciplined and consistent manner. This alone will thwart the majority of attacks from both cyber criminals and state actors.”
WMN: The shipping industry has been described as immature when it comes to countering and dealing with cyber threats, especially in the aftermath of the attack on Maersk’s IT systems. How can the industry players be encouraged to prepare better?
Blough and Dean: A successful cyber attack may cost the equivalent of losing one-two ships for a shipping firm. Aligning the focus of maritime financiers, insurers, law enforcement, and regulatory bodies to ensure companies are accountable for losses is an important first step. Along with that alignment, it is vital that the C-Suite and Board Room become engaged in cyber planning.
The C-Suite and Board Room are ultimately responsible for raising cyber security awareness in the private sector portion of the maritime industry. Organizations must have a cultural shift from cyber security as an IT issue to cyber security as an organizational issue. Standards and best practices are a recent and welcome addition to the maritime cyber security portfolio.
WMN: Are mandatory regulations and fines a way to go to make ship owners more aware of the dangers and the need to take preemptive action?
Blough and Dean: In the end, holding organizations financially accountable through regulatory means will be the best motivation for C-Suite and Board Room to raise cyber security awareness. The current profit pressures on the industry preclude many firms from investing more in cyber security, so the self-regulation principle is ineffective.
WMN: Are there any estimates on the market preparedness, especially when speaking of training of workers, when it comes to dealing with cyber attacks?
Blough and Dean: There are numerous industry studies that point to an overall deficit of one to two million cyber security professionals across all industries. Many industry observers believe that the maritime industry is at least five to seven years behind the cyber security level of the financial services sector and up to a decade behind the energy sector. Thus, many of the maritime cyber security positions have likely not even been identified.
Blough and Dean also referred to the level of preparedness/skillfulness of crews for taking over ship navigation in case of an IT failure onboard.
” Given the rash of collisions and groundings of both military and commercial shipping that has occurred recently because of a lack of the bridge crews’ knowledge of how their navigation and control systems actually work, it would appear that there is certainly work to be done in this area.
Assessing fines may help, but penalties through increased premium rates for high-risk vessels and reduced claim payments for damaged or loss ships would have a much more significant impact.”
WMN: Back-up plans are key when speaking of cyber attacks, especially on board ships. In an age of heavy reliance on the big data, developing IT skills seem to be as important as ensuring the crew’s professional navigation skills are at a high level. What is being done in this respect?
Blough and Dean: There are increasing pressures to have a properly certified cyber security professional officer on highly automated ships. There are also calls to implement a “cyber hygiene” training program as part of the STWC certification process.