Following speculation that a cyberattack may have been the cause of a collision between a US warship and oil tanker back in 2017, government advisors warned that there was potential for cybercriminals to sink cruise ships.
In the three years since, attacks launched against the maritime industry have grown by more than 900%, according to maritime cybersecurity company Naval Dome. However, rather than sinking ships, attacks against the industry have largely focused on gaining access to data and extorting money.
“The cruise industry is a rich target for cybercriminals, due to the amount of customer information and financial data they have on hand,” Prevailion CEO Karim Hijazi explains.
Looking at the wider hospitality sector, it is clear why cruise operators may be a target for cybercriminals, as well as why it is imperative that efforts are made to stop them. In 2018, Marriott announced a breach involving one of their reservation systems, from which hundreds of millions of customer records, including credit card information, had been stolen. For failing to protect the personal data of its guests, Marriott was handed a £99.2m fine by the UK data regulator.
The cruise industry has already had its fair share of incidents in 2020 alone. In March, for instance, a breached database belonging to Norwegian Cruise Line, which contained more than 24,000 unique records connected to its travel agent partner portal, was discovered on the dark web by cybersecurity firm DynaRisk.
That same month, Carnival Corporation confirmed that staff on board two of its cruise ships had fallen victim to phishing emails. The following month, MSC confirmed that a malware attack was the cause of a recent network outage at its headquarters.
Then in August, Carnival Corporation once again fell victim to cybercriminals. The operator announced via an SEC filing that it had detected a ransomware attack, which had accessed and encrypted one of its brand’s information technology systems, and downloaded some of the company’s data files.
A typical threat
In March DynaRisk found a breached database belonging to Norwegian Cruise Line. Credit: Christian Ferrer (via Wikimedia Commons).
According to Michael K. Hamilton, CISO, president and founder of CI Security, ransomware attacks designed to extort targets are the “number one threat right now”, owing to the fact that launching such attacks has become significantly easier and cheaper in recent years.
The rise of ransomware-as-a-service (RaaS) – where ransomware is offered alongside additional functionality, flexibility and support – is enabling inexperienced attackers to carry out complex attacks. Likewise, with many of these services offered for a cut of the profits rather than an upfront fee, the initial outlay has also been reduced, making such attacks more attractive to low-level cybercriminals.
Coupled with this rising threat are concerns that many are failing to put adequate protections in place to protect against it. Following the Carnival breach, Prevailion reported that its Apex platform, which monitors malware C2 activity, had discovered signs of banking trojan-turned-credential stealing malware Ramnit on the company’s network back in February.
Despite claiming to have made several attempts to warn Carnival’s network security team, the activity continued for four months, making more than 46,000 connections to the attackers’ command-and-control servers.
“When trojans have a long dwell time in an organisation’s network, that is bad news, because the risks – and potential damages – can significantly increase,” Hijazi explains. “For every day that goes by where the trojan is not intercepted and remediated by the company, the risk of exploitation increases.”
“Common” lapses in cybersecurity
Unfortunately, it is “very common” for the company’s warnings to go unanswered – not just by cruise operators, but across many industries.
“Many companies simply under-prioritise cybersecurity,” Hijazi says. “Until their systems are jacked by ransomware and they have no choice but to deal with it, they may put off fixing obvious problems in their network because they don’t want the expense, or the disruption to their network.”
Likewise, Hijazi believes that there is an over-reliance on basic cybersecurity measures, such as antivirus and firewalls. Subsequently, if these tools fail to detect an infection, the victim is led to believe that warnings from firms like Prevalion are false.
“But that is simply not the case,” Hijazi explains. “Our company specialises in tracking sophisticated criminal groups – they could be nation-state hackers, contractors/freelancers for nation-states, or organised [criminals]. These threat actors are very good at bypassing those security tools, and they use advanced exploitation techniques to sneak in, set a backdoor and avoid detection.”
Covid-19 has exacerbated the threat
Recent attacks could possibly be linked to the Covid-19 pandemic. With offices closed, most have been forced to work from home on unsecured networks, offering little defence against attackers.
“Because many are working from home networks that are not secured, using devices that may not be under management and which are used for non-business use, cruise lines now ‘own’ that threat surface as well,” Hamilton explains. “Remote workers are now the ‘unlocked window’ that are now routinely leading to compromised enterprise networks.”
Unsurprisingly, Interpol reported in August that the pandemic had prompted a rise in cyberattacks. However, rather than focusing on individuals and small businesses, attackers have shifted their focus to major corporations, governments and critical infrastructure, in the hopes of exploiting vulnerabilities created by the pandemic.
“Every industry is experiencing an uptick in probing, especially against new network infrastructure that was quickly deployed to accommodate a distributed workforce,” Hamilton says.
While this threat will ease as businesses adjust to this new way of working, or as employees return to the office, Covid-19 will introduce extra incentive for attackers to target cruise lines as the industry resumes operations.
In August, MSC Cruises introduced a new health and safety protocol in order to become the first major cruise line to return to sea since the March shutdown. However, with this came additional health screenings, as well as additional data to collect and process.
“We introduced a new health and safety protocol in August, following approval from a range of European authorities, which allowed us to become the first major cruise line to return to sea following the industry’s global shutdown in March as a result of the pandemic ashore,” Theodora Dragan, data protection officer for MSC Cruises, confirms.
“We are now processing large amounts of additional personal health data to ensure that only people who have tested negative on Covid-19 tests – something that every guest has to undergo at the check-in area of a cruise terminal as one of the protocol’s measures – are allowed on board.”
Taking steps for the cruise sector to improve cybersecurity
Despite Covid-19 forcing businesses to make difficult financial decisions, Dragan insists that MSC Cruises remains “vigilant and fully committed” to its security targets.
“Cutting privacy and security spending, as we see it, is like deciding you no longer need a lock on your front door when it should be the last decision you make if you want to protect your house,” Dragan says.
While the pandemic may force budget changes, it is vital that cruise operators maintain their cybersecurity spending in order to protect against the growing threat. In fact, experts believe that rather than cutting budgets, the cruise industry needs to make cybersecurity a priority.
“The cruise industry needs to better prioritise cybersecurity and take enhanced measures to protect its networks and stored data,” Hijazi says.
“Preventive controls are failing,” Hamilton says. “Minimising the impact of these foreseeable events is dependent on detection and response.”
The industry must look beyond preventive measures and implement a layered approach that not only defends against intrusion, but detects when a breach happens, and limits the damage caused.
Robust cybersecurity measures, Hijazi says, should include anti-viruses and firewalls, maintaining updates and patches across all servers and endpoints, vetting partners and vendors and limiting network access, employee access control and whitelisting.
Other measures, he adds, include active monitoring to detect intrusions and malware beaconing, as well as continual penetration testing to uncover vulnerabilities. Incident response and network segmentation capabilities should also be put in place to control the damage and effectively deal with a breach if it happens.
A proactive approach
While cybersecurity typically improves in the wake of an attack, businesses must be proactive in dealing with cyberattacks before a breach occurs.
“Companies shouldn’t wait for a data breach or ransomware attack before shoring up their networks,” Hijazi warns. “They should be more proactive from the start, and not allow any vulnerabilities in their network to go unaddressed.”
With technology now playing a significant role in the cruise experience, and an even greater amount of customer data likely to be collected and stored as the industry recovers from Covid-19, it is imperative that adequate protections are in place — particularly given the impact that a breach could have on finances and customer trust during what is already a difficult time.
“Being entrusted by thousands of guests and crew with personal data means it is absolutely crucial that [the industry] is adequately protected,” Dragan insists.