In the wake of the June 27 cyberattack on Dutch shipping giant A.P. Moller-Maersk, any vessel operator that isn’t seriously assessing and taking steps to minimize security risks is being reckless, according to a maritime industry cybersecurity expert.
The Petya ransomware attack on Maersk and other companies’ computer systems was “the final straw” for waking up operators of all sizes to the cyber risks they face, said Dean Shoultz, chief technology officer for MarineCFO Inc., a Houma, La.-based compliance and risk management specialist.
“It’s no longer OK to say, ‘we’re talking about it.’ The time is here. Now. What happens if ransomware takes down your software and your navigation system goes down and you run aground and a life is lost?” Shoultz said. “If a hacker truly wanted to create damage, they could do it at the right moment in time. From a legal standpoint, not taking steps to protect the public is reckless and opening yourself up to indefensible lawsuits.”
Maersk, the world’s largest container shipping company, was forced to reroute ships to alternate destinations after its information technology systems were targeted by hackers. The company was unable to dock and unload containers at some of the 76 ports where it operates, and it was forced to suspend its main platforms for taking orders for six days. Other prominent companies also were targeted, among them WPP and FedEx.
Some vessel operators have started taking cyberthreats more seriously in the past few years and improvements have been percolating, but far more action is required for an industry that has unique — and growing — security risks.
Shoultz explained that it’s more common than not for ships to have cobbled-together operational systems — a fix made here to the propulsion system during an emergency, another revision there to fix a late-night problem — and that means operators often have no way to understand everything comprehensively.
Oftentimes, each player thinks the other is responsible. Operators assume original equipment manufacturers (OEMs) have implemented cybersecurity measures on their behalf, and OEM integrators assume the operator took care of that, so gaps remain.
“Shockingly, the operator often isn’t aware that data is flying off their vessel,” Shoultz said.
The situation is compounded by the connectivity challenges aboard ships, especially oceangoing vessels. For example, a crewmember might be thrilled to connect to a “free” wireless network that opens up as his ship approaches a city. He has no clue that doing so also gives the network owner free access to his information. His simple email to a friend referencing the ship’s cargo could be dangerously revealing.
With better security in place — in this case, disallowing Wi-Fi discovery — this is avoidable. Additional steps like limiting access to sensitive areas via fingerprint scanners, limiting the use of personal devices, and making sure all software updates are in place are among the many mitigation strategies that Shoultz and others are highlighting with renewed vigor.
“Vessels are large floating platforms full of systems that are constantly being tweaked through the Internet — propulsion, fuel, steering and navigation systems for starters. Any system that’s connected has the ability to be hacked,” said Matt Hahne, vice president of the global marine practice at Marsh, a subsidiary of insurance broker Marsh & McLennan Companies. “And hackers have gotten better, smarter and grossly more abundant.”
In light of that and the Maersk incident, Hahne’s company has been sending targeted emails “begging people to look at their insurance policies so that they can narrow down threats and vulnerabilities.” And he and Shoultz have been speaking around the country at conferences about the need to put cybersecurity front and center.
“Cyberthreats have brought the war here to the coastal and inland United States,” Hahne said. “They’re now considered malicious acts. We’re on a mission to convince people to protect themselves in real terms.
“Whether it’s a dry cleaner or a doctor’s office, every company should look at a common cyber policy to protect confidential information. It doesn’t matter who you are. The threat is getting greater, and cyber policies just make plain common sense. Bang for the buck, these policies are relatively cheap,” he said.
If you have a policy already, especially a longstanding one, don’t automatically assume that you are adequately covered. You should actually read it, rather than blithely renewing it, to check for cyber exclusions, Hahne warned.
“Let’s say your electronic bridge system gets hacked and disrupts your ability to use your steering system and you cause a collision at the mouth of the Mississippi River. There’s a good chance you’re not covered because your coverage has a cyber exclusion clause,” he said.
When companies can’t determine risk exposures, they put in exclusions, Hahne said. It’s worth periodically checking the limits of any policy, because more attacks like Petya, WannaCry and others are inevitable.
In the meantime, cybersecurity needs to be treated as a “first-class system” that is included in regular training, just like fire safety and man-overboard drills, Shoultz said.
“Ultimately, it’s the responsibility of the folks getting vessels built to demand that everyone work through a cyberplan and that there’s a holistic approach to security,” he said. “And then it’s the operators who need to make it part of the culture and make the necessary improvements.”