Below is an excerpt from the article “Piracy in the Digital Age” as published in the Daily Cargo News (thedcn.com).
Following several damaging attacks on shipping and logistics companies, cyber security analysts warn the industry remains dangerously vulnerable.
By Jonathan Sharrock
The logistics sector needs little convincing of the risk of cybercrime to its operations. FedEx in 2017, Maersk in 2017, Toll Group in 2020 – twice – are just some of the highest-profile cases with costs reaching hundreds of millions of dollars. This risk is reflected in increasing regulation. Aside from the responsibilities imposed by data regulations such as the GDPR in the European Union, the International Maritime Organisation is also increasing regulatory requirements. By 1 January 2021, shipowners and managers must incorporate cyber risk into ship safety assessment; for the maritime industry it’s not just about data protection but about real, physical danger. After this date, ships that do not comply with this requirement will be detained, and so the industry should start preparing now.
Maritime logistics firms are particularly vulnerable to cyber attack. They have large-scale and wide-ranging employment, involving permanent employees, contractors, and third parties. They operate onshore and offshore teams, which need constant lines of communication, and ship crews are often transient, making device and traffic monitoring difficult and increasing the risk of cyber breaches due to phishing, human error, or internal sabotage.
In addition, maritime company digital networks are complex and often highly heterogeneous, with technology ranging from dated legacy systems right up to state-of-the-art Internet of Things devices.
Legacy systems are vulnerable because many weren’t designed to be connected to the Internet, let alone deal with cyber attacks, and are often difficult to patch since those who built them have long since left the company.
Modern devices bring their own problems, and poorly secured IoT devices are a favourite weak point for attackers to exploit.
Logistics companies, in turning to technological upgrades to improve industrial output, have placed many of their everyday processes at greater risk from cyber crime. This is because more and more of the supply chain is becoming automated. From autonomous vessels and sophisticated collision avoidance systems, to processes such as hull cleaning and ship environment data collection (temperature, vibrations, etc.), everything is now moving to automated and computerised control. This means that soon every process in the supply chain will be targetable by cyber criminals.
As a manager or company director, it is easy to be overwhelmed at the prospect of addressing problems with such a complex network. The solution is to tackle the problem with a comprehensive risk management program.
Cyber Security Risk Management
First, the problem needs to be identified. This isn’t straightforward, but rigorous and honest self-assessment is the critical first step in addressing vulnerabilities and finding solutions.
Consider a company as a whole – onshore and offshore – and include all interactions with third party providers and clients. Include all the aspects of a digital network: the hardware, software, internal network, and network connections to external devices, the latter being critically important to maritime security. Taking this into consideration every time a new device is integrated or a new service provider is contracted will help keep the system continuously watertight. This continuous assessment is at the heart of good cyber security practice.
The Human Factor And Prevention
Cyber security is not just about technology, and perhaps the most important aspect of security improvements is assessing people and identifying high-risk staff. Maybe they are client facing, they communicate constantly with external devices, or they have high security privileges and so are likely to be targets.
Once vulnerabilities have been identified, the next step is prevention. The highly complex nature of logistics networks means that first the architecture should be analysed as a whole. Appropriate segregations should be made to compartmentalise the network and reduce the risk of lateral movement in the event of an infection. Again, assess continually: when a new device is added to the architecture, think about how it should be segregated.
Minimum Cyber Security Privilege
In terms of people and processes, careful consideration should be given as to who has access control – both physically and remotely. Moreover, give an employee only the minimum amount of cyber security privilege required for them to fulfil their job. This reduces the risk of an attack due to human error or a spear phishing scam becoming a major incident, and also reduces the number of unhappy employees able to sabotage the company through data theft.
In addition, implement good security practices. For example, ban personal devices from being connected to onboard, network-connected systems. Even charging a phone could allow malware to infiltrate a network. Avoid the use of removable media devices, except those that have been scanned and only connected to approved devices, and carefully consider the security requirements of any essential personal devices such as laptops or tablets.
“Legacy systems are vulnerable because many weren’t designed to be connected to the Internet, let alone deal with cyber attacks.” – Jonathan Sharrock, Cyber Citadel
The Value Of Training in Cyber Security
Training is a critical component of the risk management program and should be given to as many employees as possible. This will not only increase awareness and diligence but also build a positive cyber security culture that leads to better reporting, logging, and following of good security practices.
There is a huge benefit to addressing people and process issues; not only are the majority of attacks the result of human error or poor company practice but making these types of changes is a very low-cost way of improving company security.
Furthermore, while making network changes or introducing monitoring software such as Deep Packet Inspection can really slow down a network on board ship, where Internet access relies on narrow bandwidth via VSATs, implementing people and process changes will have no effect on the functioning of any part of the system or network connection.
The best mitigation is of course prevention. But in the event of an attack, companies need to react quickly, and this means early detection and fast response. Improving detection means improving monitoring, both of access and of data exchange.
The practical issues of sophisticated inspection have already been raised, but companies might decide to implement such monitoring for higher risk events. For example, employees requiring remote access such as remote support engineers should have tightly regulated device security, and any data exchanged should be carefully monitored to prevent eavesdropping or the transfer of malicious code – either intentionally or by some form of accident.
Comprehensive cyber training and policy can also improve detection. And again, this is a low-cost approach to improving general security that has no adverse effects. Effectively communicating flagged emails, questionable activity, or poor practice through the company structure will help to mitigate the frequency of intrusions and reduce the dwell time of any hacker.
Incident Response Plan
Managing an incident can be stressful, so it’s important to have a complete, effective, and well-understood incident response plan. The most critical step is isolation. Maersk revealed that over 45,000 computers had to be rebuilt during the 2017 ransomware attack, and there were reports of IT staff running through buildings unplugging devices in attempts to protect them from infection. Let this be a lesson for all future network architecture in the need for segregation.
Remember, back up all systems, multiple times with multiple methods. This is the ultimate insurance against any cyber attack, but in particular ransomware, which is currently the most prolifically employed method of attack.
While securing a network as complicated as those in maritime logistics companies might seem daunting, firms just need to approach cyber security in a logical and systematic way – like any other task – and remember how much can be achieved by addressing people and processes. However difficult it might seem, it is clear from recent history just how important it is.
Full article published in The Daily Cargo News (thedcn.com) – August 2020 (paid content) Piracy in the Digital Age, p. 20.