Because of its importance to the world’s economy, sea-going trade is a potentially lucrative target for cybercriminals with malicious intent. As well as posing a risk to lives and the environment, a well-executed cyberattack could trigger instability in global shipping markets or interrupt world maritime trade.
To better understand the issue of maritime cybersecurity, we spoke with an expert, David Nordell. He has spent the past thirty years intimately involved in the information technology sector. He has worked alongside governments, legislators and businesses alike on the security of technology and networks in areas including banking, healthcare, satellites and nuclear defence. For the past five years, he has devoted much of his time to developing an understanding of the vulnerabilities the maritime industry faces. His summary of the current state of global maritime cybersecurity is that a “worst case scenario is likely not a matter of if, but when.”
According to Nordell, the industry is grossly underprepared and vulnerable, to the point that governments neglect legislation, insurers decline coverage, and industry is loath, or unable, to fund its own security. Though maritime can be slow to change, in recent decades ship operators have adopted a range of digital technologies, significantly boosting efficiency and profit. From basic systems like GPS to more advanced digital engine monitoring and control systems, modern ships have increasingly interconnected computing networks.
Understanding the risk
The stability of the global economy is critically reliant upon the uninhibited operations of maritime trade. With over 90% of the world’s goods transported by sea, even a modest interruption could send ripples across global markets. The sheer importance of the industry makes it a prime target for cybercriminals.
Most maritime trade passes through a few global chokepoints, highly trafficked waterways with limited room for navigation, such as the Panama Canal, English Channel, and the Straits of Hormuz. They are of critical importance to global commerce; any incident restricting freedom of movement in these locations could have grave consequences, particularly for trade in food and energy.
From electronic charts to computerized engine controls, the modern ship is increasingly reliant on digital technology. These networks come with a plethora of vulnerabilities cybercriminals can exploit. If a ship’s navigation or steering systems become compromised, the crew could lose control of their vessel. A resulting collision or grounding could effectively obstruct a limited waterway. For example, nearly 20% of the world’s oil passes through the narrow Straits of Hormuz; the economic and geopolitical consequences of a deliberate grounding in this stretch of water could be huge.
As vessels become ever larger with greater cargo capacity, so does their potential to cause great damage. A well-executed cyberattack could effectively weaponize a ship and its cargo. If digitally hijacked, any number of scenarios are possible. A compromised vessel entering a harbour could be forced to collide with other vessels or with the quayside, resulting in port closures or catastrophic pollution. Failure of systems could render a ship unable to depart a facility, stunting port turnover. Malware in the cargo management systems of a chemical tanker could remotely allow cybercriminals to activate pumps and open vents or discharge valves. Toxic chemicals could be released into the surrounding environment, causing pollution and evacuations, or even a massive death toll.
Typically, insurance covers risks that are too large for owners to manage comfortably. Here, the Devil can be in the details. Prudent in their calculations, insurers recognize this issue as a mega-risk. Understanding the vulnerabilities of the industry, insurers are unwilling to share the burden. Most maritime policies carry cyberattack exclusion clauses. Dismissing cause or effect, insurance has effectively left 100% of the responsibility to ship owners and operators.
In comparison with aviation, the maritime sector lags behind in appropriate cybersecurity regulation. The industry’s lawmakers are unable to keep up with the pace of innovation. As an agency of the U.N., the International Maritime Organization (IMO) has to date only made slow and incremental moves toward binding regulation. When asked about an expected timeline for action, Nordell said: “When it comes to cybersecurity the IMO has waffled, and it will probably continue to waffle until there’s a major attack with lots of casualties and lots of economic damage and perhaps someone starts a war, which is possible.”
The IMO’s last consequential statement on the subject was in 2017, just weeks before the infamous Maersk NotPetya malware attack. Though a step in the right direction, the resolution merely recommends flag states have companies integrate cybersecurity into their existing safety management systems. With no binding requirements to invest in comprehensive cybersecurity infrastructure, the world’s shipping companies must take the initiative to do so themselves.
How to protect your fleet from cyber attacks
Proper cybersecurity is essential for the stability of business, crew safety, and client confidence. If insurance won’t cover the risk, and governments can’t provide sufficient guidance, companies must act independently to protect themselves.
Ensure leadership understands the risks
Upper management should take the initiative to understand the risks involved with their systems. Modern ships constantly network with external systems. Whether it is a particular brand of ECDIS or the digital pressure gauges for an engine’s oil, all manner of technology can be hacked and manipulated. Ask what the history of the equipment is. Has the same type of equipment ever been compromised? If this is the case, it is not unreasonable for management to insist the manufacturer update the security of their product.
Keep technology up to date
Be sure that all technology is consistently up to date and that strong passwords are used. Software manufacturers, especially for operating systems, provide security patches that seal off known vulnerabilities. But this also means that ship owners must insist on updating all the software they use to recent versions, because older versions, especially the Windows XP operating system that is still common in ships, no longer have security patches available. Whether via satellite communication systems or the networks of commercial ports, malware can infiltrate from virtually any source. As well as using strong passwords, it is critical that manufacturers’ default passwords are changed on any technology deployed at sea or ashore.
Ship’s crew and shoreside management can inadvertently introduce malware. Educate all levels of employees on the importance of cybersecurity. The opposite of security is convenience. Lock out access to USB ports and have in place a firm policy regarding the use of company and personal devices. In particular, install firewalls between ships’ operating networks and networks used by the crew for personal communications and entertainment, which are typically the most vulnerable entry points for hackers.
Create a blackmail and extortion policy
Though a difficult topic to adequately address, there should be open discussion within shipping companies’ management and crews about how to defend against cyber-extortion and blackmail, and both shore-side and ship-side staff need to be briefed and trained. There have been multiple reported cases of individuals manipulated into exposing sensitive corporate information and opening breach points for cybercriminals.
Ensure that networks are appropriately segregated. Systems that can operate in isolation are sometimes needlessly connected. Software pertinent to navigation, engine controls, administration, and crew recreation should, to the fullest extent, remain independent.
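Segregation only holds if the firewall rule set between the networks actually enforces it. The following added example (not from the article or from Nordell) audits a constructed rule set against a hypothetical four-zone address plan and flags allowed paths between zones, including paths hidden inside broad address ranges. The addresses, ports and function names are assumptions, and rule ordering is not modelled: each rule is judged on its own.

```python
import ipaddress

# Constructed zone plan for illustration: the four groups named above.
ZONES = {
    "navigation": ipaddress.ip_network("10.10.0.0/24"),
    "engine": ipaddress.ip_network("10.20.0.0/24"),
    "administration": ipaddress.ip_network("10.30.0.0/24"),
    "crew": ipaddress.ip_network("10.40.0.0/24"),
}

# Constructed sample rules (src, dst, port, action); port 0 means "any".
RULES = [
    ("10.40.0.0/24", "0.0.0.0/0", 443, "allow"),     # crew web access, far too broad
    ("10.30.0.5/32", "10.10.0.20/32", 22, "allow"),  # one admin host to one nav host
    ("10.0.0.0/8", "10.20.0.0/24", 502, "allow"),    # supernet hides crew-to-engine path
    ("10.40.0.0/24", "10.10.0.0/24", 0, "deny"),     # explicit deny, no finding
    ("10.10.0.0/24", "10.10.0.0/24", 123, "allow"),  # stays inside one zone, no finding
]

def zones_touched(cidr):
    """Return every zone whose address range overlaps the given CIDR."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {name for name, zone in ZONES.items() if net.overlaps(zone)}

def cross_zone_findings(rules):
    """List (rule_index, src_zone, dst_zone, port) for each allowed cross-zone path."""
    findings = []
    for i, (src, dst, port, action) in enumerate(rules):
        if action != "allow":
            continue
        for s in sorted(zones_touched(src)):
            for d in sorted(zones_touched(dst)):
                if s != d:
                    findings.append((i, s, d, port))
    return findings

def crew_exposure(rules):
    """Findings where the crew network can reach navigation or engine systems."""
    return [f for f in cross_zone_findings(rules)
            if f[1] == "crew" and f[2] in ("navigation", "engine")]

if __name__ == "__main__":
    for idx, s, d, port in crew_exposure(RULES):
        print(f"rule {idx}: crew network can reach {d} on port {port}")
```

The third rule never names the crew network, yet its 10.0.0.0/8 source contains it, which is the kind of path a review of rule comments alone would miss.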
Conduct regular tests and drills
Contract a third-party security audit. Ethical hackers known as White Hats can be hired to perform penetration tests, assessing networks for vulnerabilities. Companies such as Pen Test Partners or Deductive Labs specialize in this service and can provide valuable solutions for cybersecurity. Cyber security drills should be treated like fire or lifeboat drills, with every team member, at sea or ashore, understanding and practising their specific role in the event of an incident.