Digitalisation: An arrow in shipping’s quiver or hackers’ ace in the hole?

Digitalisation in the maritime sector remains a double-edged sword, because while technology and digital tools support the supply chain significantly, these same tools have opened new vulnerabilities.

Competition in the digital arena is the reflex response from the shipping sector designed to compete at every level. The industry, however, must relearn its reactions to develop a collaborative mind-set when developing cyber systems, particularly where cybersecurity is concerned.

Increased connectivity via the internet and between servers, Information Technology (IT) systems and Operational Technology (OT) systems all increase the potential cyber risks, as Maersk Line discovered in a severe Not Petya attack in 2017.

The rapid evolution in the use of, and reliance upon, digital (computer-based) and communication technologies, as well as the advances in automation and the potential for integration of multiple electronic systems supporting management functions and business applications, increases the importance of addressing inherent vulnerabilities, according to the Implementation Guide for Cyber Security on Vessels from the Digital Container Shipping Association (DCSA).

Daniel Ng, chief executive officer of CyberOwl, a maritime cybersecurity monitoring and analytics system, told Container News that increasing vessel automation will definitely affect the cybersecurity of the ships, mainly by changing the nature of the cyber risks.

He said that the vulnerabilities change, as automation opens up more connectivity and therefore the ability for an attack to move across from one critical vessel system to another. Additionally, he noted the alteration of threat, while the disseminating attacks on emails and USBs are replaced by the cyber attacks on the autonomous systems of vessels. At the same time, the impact of any attack becomes more critical, according to Ng, as we see significant harm in commercially-sensitive intellectual property on vessels with automated vessels instead of physical damage in the past.

However, Ng mentioned that advances in automation could improve cybersecurity on the shipping industry, if they are designed and managed carefully. “Because you could actually increase visibility and control of cyber risks to the shoreside team who have the cybersecurity skills to handle incidents and mitigate risks, rather than rely on a crew who will not be as skilled in cyber risk management,” he pointed out.

Daniel Ng believes that the digital evolution has brought both positive effects and challenges in the shipping industry’s cybersecurity sector.

He further noted that digitalisation is bringing the focus on cybersecurity more into the spotlight and now there is a more frequent and better quality discussions about what is needed for cyber risk management in shipping at a senior managerial level.

On the other hand, Ng believes that digitalisation projects are often taking place without sufficient consideration for cybersecurity extensions and explained that some digitalisation initiatives involve onboard vessel systems, which tend to be led by electrical or marine technical engineers who have limited knowledge and understanding of cyber risk. “This is where we have seen regular instances of insecure configurations and behaviour,” Ng pointed out.

These are the high-risk digitalisation efforts, according to CyberOwl CEO, while we also see technology projects that involve shoreside or cloud applications and are operated by IT specialists, who have a better awareness and understanding of cyber risks and how to mitigate them. In these cases, the “baseline approaches tend to start from a higher level of cyber maturity,” noted Ng.

Cybersecurity is not just about preventing hackers gaining access to systems and information, potentially resulting in loss of confidentiality and/or control, according to DCSA, but it also addresses the maintenance of confidentiality, integrity and availability of information and systems, ensuring business continuity and the continuing utility of digital assets and systems.

To achieve this, consideration needs to be given to not only protecting vessel systems from physical attack, force majeure events, etc., but also to ensuring the design of the systems and supporting processes is resilient and that appropriate reversionary modes are available in the event of compromise, said DCSA in its cybersecurity report.

“Personnel security aspects are also important,” it added. “The insider threat from shore-based or shipboard individuals who decide to behave in a malicious manner, or the untrained user that makes errors cannot be ignored. Ship owners and operators need to understand cybersecurity and promote awareness of this subject to their stakeholders, including their shipboard personnel.”

The fact that the four largest container shipping companies, AP Moller Maersk, Mediterranean Shipping Company (MSC), CMA CGM Group and COSCO, have all suffered a cyberattack over the last four years is certainly a discouraging sign and maybe an “alarm” in the industry that everyone is a potential target. If hackers are able to hit the systems of the biggest carriers, which spend billions of dollars for their cyber protection and security, they probably are in position to penetrate every company’s or organisation’s systems.

This situation begs the following question: what are the actions that a company in the shipping industry should take to protect itself from a potential cyber-attack?

The very fact of DCSA’s existence is evidence that the maritime sector is developing its security systems and is working collaboratively to meet cybersecurity challenges through standardisation and other means.

“It is vital that vessel owners, operators and masters understand and implement appropriate and proportionate measures to address the resilience and cybersecurity issues that arise,” said DCSA in its report.

In its guide, DCSA emphasises that the risk assessment is one of the most crucial aspects of cybersecurity and explains, “this is because the process should formally identify the information assets which are important to the company in achieving its business aims, the criticality of those assets, the threats against them and any vulnerabilities that those assets are exposed to.”

The potential threats should have already been identified in the Ship Security Assessment (SSA) and mitigated via the Ship Security Plan (SSP). However, it is necessary to understand the likely impact of these threats to the cybersecurity of the ship and ship’s systems, notes DCSA.

When considering threat scenarios and types of undesired event, the company should include incidents from ransomware, to geotagging on social media, to the impact of natural disasters. The risk assessment should consider the nature of harm that may be caused to the ship, shipboard personnel, passengers, other assets and personnel; and/or the benefits the ship exists to deliver, be they societal, environmental and/or commercial. The cybersecurity risk will depend on the likelihood that a threat actor can exploit one or more vulnerabilities and cause the nature of harm identified.

In addition, the companies have to develop specific protection measures, which include "defence in depth and in breadt", as it is mentioned in the latest version of "The Guidelines on Cyber Security Onboard Ships", produced and supported by several maritime and shipping organisations, such as BIMCO, International Chamber of Shipping (ICS) and World Shipping Council (WSC).

The publication explains that this defence in depth approach encourages a combination of:

• physical security of the ship in accordance with the ship security plan (SSP)
• protection of networks, including effective segmentation
• intrusion detection
• use of firewall
• periodic vulnerability scanning and testing
• software whitelisting
• access and user controls
• configuration and change management controls
• appropriate procedures regarding the use of removable media and password policies
• personnel’s cyber security awareness and understanding of the risk to themselves and the industry
• understanding and familiarity with appropriate procedures, including incident response.

Company policies and procedures should help ensure that cybersecurity is considered within the overall approach to safety and security risk management, according to the guidelines of the report, which said, “The complexity and potential persistence of cyber threats means that a ‘defence in depth’ approach should be considered. Equipment and data protected by layers of protection measures are more resilient to cyber incidents.”

Furthermore, the shipping bodies that produced the publication added that “defence in breadth” is used to prevent any vulnerabilities in one system from being used to circumvent the protection measures of another system. Additionally, they explained that “When developing integration between systems, a trust boundary model should be considered, whereby systems are grouped into those between which trust is implicit (for example user workstations), and those between which trust should be explicit (between bridge computers and corporate networks). For large or complex networks, threat modelling should be considered as an activity to understand where technical controls should be implemented between systems in order to support a defence in breadth approach.”

However, onboard ships where levels of integration between IT and OT systems may be high, defence in depth only works if technical and procedural protection measures are applied in layers across all vulnerable and integrated systems, noted the report.

“Defence in depth and defence in breadth are complementary approaches, which, when implemented together, provide the foundation of a holistic response to the management of cyber risks,” concluded the maritime and shipping organisations in their publication.

Daniel Ng believes that at the moment, ransomware and denial of service attacks are still the most common “threat of the day”, but the threats are evolving and will continue to evolve. “It is no longer a secret that a cyberattack on a shipping / logistics business is massively disruptive and could therefore be very lucrative for a bad actor.”

Equally important with the protection measures and a central part of cyber risk management is the detection systems of intrusions and infections. It is obvious that if the companies cannot recognise the signs of a cyberattack and cannot understand that they are in danger, they will not put in effect their protection measures on time and the potential damage could be critical.

Ng agrees that the lack of visibility is an important problem. “Many organisations that are critical in the shipping supply chain do not have systems or processes in place to help them even identify that they are in fact under cyberattack,” he argues and continues, “unless there is a very obvious ransom note, they often do not even know the cause is related to a cyber intrusion until there is significant business interruption.”

This identification difficulty leads to erroneous response activities, addressing the symptom, but not the problem, according to Ng who also noted that the processes to alert the rest of the supply chain about the business interruptions are not put into effect on time.

A baseline of network operations and expected data flows for users and systems should be established and managed, so that cyber incident alert thresholds can be established, according to ICS guidelines, while the key to this will be the definition of roles and responsibilities for detection to help ensure accountability.

Among the choices of a company to enhance its detection capabilities is the implementation of an Intrusion Detection System (IDS) or an Intrusion Prevention System (IPS) into its network or as part of the firewall. Some of the systems’ main functions include identifying threats/malicious activity and code, and then logging, reporting, and attempting to block the activity. Additionally, scanning software that can automatically detect and address the presence of malware in systems onboard should be kept up to date and managed.

The non-regulatory agency of the United States Department of Commerce, National Institute of Standards and Technology (NIST) has made a comprehensive overview of cyber incident response levels.

Phase 1, Preparation

• Determine the critical components on the ship, their prioritisation and location
• Ensure regular back-up as appropriate of all relevant data
• Identify single points of failure and define work arounds as necessary
• Create an incident response plan and rehearse it regularly.

Phase 2, Detection and analysis

• How the incident occurred
• Which IT and/or OT systems were affected and how
• The extent to which the commercial and/or operational data is affected
• To what extent any threat to IT and OT systems remains

Phase 3, Containment and eradication

Containing the outbreak of an incident is a time-critical exercise. Where possible, NIST suggests the removal of the device from the network. Where this is not possible, then it is important to quarantine the device from its VLAN (Virtual Local Area Network) or LAN (Local Area Network) and to ensure that boundary controls are operational between networks, according to the institute. Furthermore:

• Check the firewall rules have not changed.
• Ensure that anti-virus and anti-malware definitions are up to date.
• Take a full disk image of any impacted systems.
• Consider taking memory dumps (RAM image).

Phase 4, Post-Incident recovery:

• Recover systems and data.
• Investigate the incident.
• Prevent a re-occurrence.

Moreover, Danied Ng considers digital trust as an important part, as well. Questions such as “How do I know I am getting the right information or (payment) instruction from the right supplier for the right transaction?” are of high importance, according to Ng who pointed out that “if we design solutions to this now in the early stages of digitalisation, there is a real opportunity to improve cybersecurity from the current status quo of brittle and vulnerable email chains.”

As we have mentioned in earlier stories of Container News’ Digital Series, shipping is a stable sector, which is not used to frequent and drastic changes. This philosophy gives the industry the chance of being able to learn the lessons of other sectors which have already tried new innovations and pilot projects.

Especially in digitalisation, there is a plenty of other sectors that are more advanced than the maritime sector. “Because digitalisation in shipping and logistics is still nascent, it really is not too late or difficult to progress secure digitalisation by design, if the sector can come together and work collaboratively. In a very competitive supply chain with slim margins, we should not be competing on cybersecurity.” Commented Daniel Ng.

Source: Container News