When I first got involved in maritime cyber security in 2014 with CyberKeel (now a part of Improsec), we approached a wide range of maritime companies to make them aware of the risk they were exposed to. The feedback was quite consistent. The shipping industry stakeholders mainly did not believe there was a threat. The risks we pointed out were seen as purely theoretical and dreamt up by consultants trying to create a market where there was no need for the product.
From ignorance to a real threat
This led us to change the approach and focus on pointing out examples of incidents which had de facto taken place, rather than be theoretical about it. In our whitepaper from 2014, we provided an extensive listing of incidents that were indeed very real and had taken place in 2014 or earlier. These included a container line that lost all information and systems due to a cyber attack (yes, that did happen before. Maersk was not the first).
Now we are 6 years further down the line. In the meantime, we have had the emergence of the voluntary BIMCO cyber security guidelines which have now led to the IMO2021 rules where new maritime safety rules come into effect from January 2021. At that time, it becomes necessary to address cyber risks in the safety management systems on the vessels. This is incorporated into the ISM code and has to be addressed no later than the first annual verification of the company's Document of Compliance after 1 January 2021.
Some companies in the shipping industry have indeed increased their focus on maritime cyber security, whereas others as late as 2019 have stated at public conferences that they do not believe the cyber risk to be of material importance.
Hence there is a sense of déjà vu. Are we really still at a point where companies in the shipping industry do not believe the cyber threat is real?
From the perspective of Improsec, we know the threat is real – we have been onboard vessels as well as inside the land-based systems. We have had to tell clients that what they thought was impossible was not only possible to do – it was even trivial to do. We have seen the aftermath of successful attacks.
Hence, in a repeat of what was done in 2014, what are some examples of what has happened in the past year?
Feb. 2019: Successful malware attack on a vessel bound for the port of New York. The US Coast Guard described the campaign as “malicious software designed to disrupt shipboard computer systems”. They further stated that the response team sent to the vessel found the vessel to be operating without effective cybersecurity measures.
May and June 2019: Two cyber attacks on the Kuwait transportation and shipping industry. The attacker obtained backdoor access to the systems.
May 2019: Spoofing campaign targeting shipping companies, purporting to originate from the port state control in the US.
June and July 2019: Israeli ports of Ashdod and Haifa experienced problems in crane operations likely due to GPS tampering. A spokesperson from Haifa port attributed this to likely collateral damage from Russian activities not specifically directed at the port. Port attacks are clearly not unheard of as there were also successful attacks in the ports of Barcelona and San Diego in September 2018.
31 January 2020: A successful cyber-attack against Toll Logistics, a global top-50 shipping and logistics company, brought all operations to a standstill. The company needed to take down 500 applications that supported its operations across 25 countries.
Key take-aways:
The key conclusion is that the cyber risks in shipping are as real and present as ever. The risk of having your full operations brought to a standstill is genuine. The risk of having your ships rendered inoperative, or ineffective, is genuine.
Our experience from Improsec is that if you have never had your systems properly tested against a cyber-attack, you are unlikely to have a good overview of your actual vulnerabilities. However, our experience is also that many of the vulnerabilities can be alleviated if a proper plan is drawn up based on the actual vulnerabilities found, whereas a plan made only on the basis of assumptions is likely to miss the mark.