You have been either hacked … or just didn’t know you have been hacked.
I predict that the first catastrophic maritime cyberincident will not be the result of a direct attack on a safety-critical specific piece of equipment. It will be the result of an infection on a random PC, perhaps an unassuming email to a crewmember, whose PC is either connected to the vessel's internal "super highway," or he transmits the infection internally while it lies dormant. Crypto locker or ransomware software (used by thousands of hackers) is easily available to download on the dark Web; neither of which may necessarily attack the equipment they infect, but they can lie dormant and infect connected equipment when nobody expects. You have been warned! Watch the video link at the end of this article to see an attack on maritime equipment in real time.
Cyberattack is the current buzzword. It is known by some as an industry killer and even as the potential cause of the next world war, but thought by others to be a myth. So where does the maritime industry stand in all of this?
In the main, but certainly not universally, the maritime industry has a dismal record in its slow and painful transition from paper and analog methods of shipping to new innovative technologies when compared to industry rivals like aviation. But why is this and how could it affect cybersecurity in the maritime arena? Or have some seafarers not even evolved enough to be talking about it yet, let alone implementing new cyberprocedures on board ship? We have all met "that captain" who is nervous about "the machines on his ship."
While the maritime industry doesn’t seem to have been strategically targeted in terms of the vessels themselves, there is now plenty of talk of "accidental" or naive seafarers accepting a generic phishing email that goes on to attack their computers.
Major corporations like Google and Yahoo have released statements stating they were deliberately hacked. The question is what will be first for the maritime industry: the deliberate or strategic hacking of an individual ship, or the shipping corporation as a whole? There has been a call for cyberspecialists to come and give answers to the potentially very real dangers facing the industry that could not only damage reputations, but cause disruption to trade worth billions of dollars. Not all is lost, though, as long as we can move the industry forward to cope with the digital world we live in today.
Cybersecurity was a hot topic in 2016. However, now we are in 2017, and the seafaring community is becoming more aware of what can potentially happen. There is a real threat for cyberactivists to start gaining and changing sensitive shipping data from our onboard equipment — such as changing the vessel's route to cause a grounding, or gaining access to digitally controlled engine rooms and causing an alarm mute while an engine fails or even catches fire due to a "manual" overload by the hacker.
With more and more companies looking for insight into how to stop attacks from occurring, the main area of concern is the lack of security awareness by both companies and employees as they have been taken aback by the swift rise in the industry’s threat level, almost non-existent just a few years ago to today’s high alert. It is expected that shipping companies and independent vessels could be next on the list for major cybercrime activity as it is as yet mainly unexplored territory for hackers who are only now starting to realize its huge potential as a target. Attacks now have the capability to obtain sensitive ECDIS, AIS and GPS data, to name but a few, so it is vital that the correct procedures and processes are in place to stop the worst from happening.
The scary part is that 51 percent of U.S. adults suffered some kind of data security incident between December 2015 and December 2016. In 2015 there were 781 reported major company data breaches in the U.S. alone due to cyberattacks, which combined cost companies $400 billion. These are only the reported data breaches. Sadly, there is often an element of "sweeping under the carpet" in all industries. This total will continue to rise if the maritime industry, where the proportion of those of digital native age is far lower, does not adapt to ever-changing technology and the major security threats it brings with it. Overall, the predicted cost of cyberattacks in 2019 is estimated at a colossal $2.1 trillion.
The issue, alongside a lack of awareness by employees and users of operating systems, is the development speed of technology. This digital age of super computers, 4-D printing and nano technology is like no other and is proving to be self-accelerating, i.e. one technology is put into operation while the next generation, more powerful and innovative, is being produced, thereby creating an always expanding, developing and aggressive cycle. But, due to the speed of production, this process can lead to an unstable, unsecure and untrusted platform, as it is not able to keep up with ever-changing threats. After years of this development, technology companies are starting to adapt to the issue by developing and applying software updates weekly which try to manage security flaws within the software, while changes to future developments can help manage the constantly increasing cybercrime threat until the next global threat takes place or takes over.
Some maritime software manufacturers have used a physical security method of “locking out” their systems in order to intercept physical security threats altogether, however this ironically increasing the complication of applying security software updates. This restriction can complicate a shipping company’s decision to have an integrated bridge system due to issues with syncing and communication between different software manufacturers; also meaning only specialized engineers and trained software technicians are allowed to apply updates, causing additional issues. Restrictions like these could mean that your system is 80 percent more susceptible to cyberthreats.
First off, the solution is simple, but it will cost you, which no one likes to do unless it’s necessary. Only some companies feel that cybersecurity is important enough to invest in it. Nevertheless you will watch multiple companies become complacent and unconcerned about the real threat in the water, until it becomes a reality, and the organization comes grinding to a halt. In reality, if you spend as much on coffee as you do on cybersecurity measures, you will be hacked. It is alleged that almost every company in the world has already been hacked, or if not, will be soon. The director of the FBI, James Comey, had the following to say on Chinese hackers: “There are two kinds of big companies in the United States. There are those who've been hacked by the Chinese and those who don't know they've been hacked by the Chinese.”
This is the world as it is and therefore we need to change with it, not be 10 steps behind. First, we know the industry is struggling from sector to sector, but cyberattacks will only make it worse, so the first move is ensuring everybody is educated in cybersecurity awareness — preferably starting from the top and working down so the entire seafaring community can spot a cyberattack and know what action to take in response. Experienced educational companies exist that offer in-depth, classroom-based courses on the subject of cybersecurity.
Countless companies are missing the correct procedures when it comes to security. A robust IT security policy is highly recommended, as this allows employees and users of all IT equipment to be clear as to how company data and information should be used on IT equipment. It’s not just small companies that struggle in this war against cyberactivists. Large corporations are also at major exposure risk, primarily due to not having a dedicated IT and security team. It is recommended that a company appoints a cybersecurity chief to implement and respond to all cybersecurity-related issues or system flaws that may be found. This is so one person has ultimate responsibility for implementing and maintaining all cybersecurity measures within the company, thus ensuring consistency of approach.
Cybersecurity attacks are incorrectly thought of as attacks that occur just over the Internet due to the wrong security measures being taken; however, lack of physical security can also be a major factor in the cause of industry-changing attacks. During the 20th century a majority of attacks occurred due to people not taking the correct measures to keep our IT equipment safe, another reason why we need everyone to be aware of what’s coming. It really is as easy as someone coming into your reception and asking you to "print off a copy of their CV" from a USB stick, which is actually infected with multiple viruses. This could ultimately allow someone else complete control of your business's entire network and therefore, most likely, destroying it.
In summary, cybersecurity isn’t an issue we can ignore. It may not be heard of yet as giving direct threats toward our vessels, but this will come in time when noticed by any cybercrime activists who either want to damage the industry or cause major damage to infrastructure or even human life. It can be averted. Many, if not all, shipping companies have some form of internal networked server that allows for all of their computers to communicate and send and save files between them, and therefore also connect to the Internet, so with the improper procedures in place it could be easy for anyone keen to infect an "auxiliary" piece of equipment that connects to the "primary." Think of the random software updates that happen every day, for example to an engine room sensor test, or to the bridge's digital anemometer that may appear non-safety-critical, but they are connected to safety-critical systems. We often concentrate and develop robust procedures purely for the few safety-critical pieces of equipment, but the attack will take place on a tertiary system that is connected to it.
Click here to watch a YouTube clip showing a live attack on standard maritime equipment.
George Ward is involved in project support at United Kingdom-based ECDIS Ltd.
