Across numerous industries, from government information systems to banking and video game consoles, hackers have continually adapted their methods to fit their target.
And incidents in recent years, such as the hacking of a port’s systems in Antwerp, Belgium, to locate containers holding smuggled drugs, and hackers shutting down a floating rig off the coast of Africa by tilting it, show that the maritime domain is not immune to this phenomenon.
Enter international shipping association BIMCO’s annual conference. Aron Frank Sørensen, BIMCO chief technical officer, calls the conference a “natural extension” of the Industry Guidelines on Cyber Security – guidelines presented by BIMCO and other associations that aim to develop a coherent structure of cyber defence, including minimising the risk of a cyber attack through user access management, protecting on-board systems, developing contingency plans and managing incidents if they do occur.
Gauging the risk
“It is hard to say how much a ship is at risk, as every ship and trade is different,” Sørensen says. “But commercial ships store different information about cargo, seafarers and passengers, and there are safety and environment-critical systems on board.
“We do not believe attacking a ship will stop world trade. A ship is an independent unit and a cyber attack may compromise safety of that ship, the marine environment and to some extent, the business continuity of the owner,” he adds. “Traditionally ships have been isolated from the digital world ashore. That is changing now.”
According to Marco Balduzzi, part of the threat research team at anti-virus company Trend Micro , one area of vulnerability is the marine Automatic Identification System (AIS), which, he says, is “known to be easily ‘spoofable'”.
One of the company’s studies claims that an attacker with a VHF radio could identify weaknesses in AIS and then gain access to data, even impersonating and shutting down communications. Balduzzi recommends correlating data with other sources, such as radar, to help mitigate this.
A cyber attack by drug traffickers at the Belgian port of Antwerp has focused attention on security.
Moreover, maritime security company CyberKeel says it has discovered 16 security gaps in the online defence systems of some of the world’s largest container carriers.
However, it is not purely navigation systems such as AIS that pose a problem, but also the internal cyber threat and who has access to information. “A significant factor contributing to successful cyber attacks is the exploitation of vulnerabilities created knowingly or accidentally by users,” says Sørensen. “This comes in many forms, such as calling crew members and tricking them into divulging information.”
Looking into the cause
For Security Association for the Maritime Industry (SAMI) CEO Peter Cook, part of the issue is what he terms the industry’s “reticence” to investigate new technology and all that comes with it. “A year ago [July 2014], we ran our first cyber security event and we came away from that saying ‘is it culture, or is it technology?'” he says.
“There was a lot of reticence because many of the people that are being expected to deal with this are a bit like me, they are grey hairs. Grey hairs are scared of technology because it’s new to us. How many grey hairs are using Facebook? Not nearly as many as youngsters.” He adds that this means people stay “at arm’s length”, which prevents them from embracing it.
Meanwhile, there is growing desire for increased bandwidth on ships. Cook believes addressing this challenge will require deep thought: “There is going to be that information going backwards and forwards, and again that is more exposure…I think you only need a good imagination to work out [what the consequences could be].”
However, while the industry may be slow in welcoming technological change, hackers are not. Persistently evolving, hackers are changing their methods and probing different vulnerabilities. Sørensen describes this as an “ongoing game”, adding that, as cyber attacks become more sophisticated, so the solutions addressing them must change too.
Balduzzi calls the evolving nature of cyber attacks as a “severe” problem. “I personally believe that criminals will continue abusing this technology, as we have already seen in the past,” he adds. “More and more, any sort of device out there [that] has some software and digital protocol implemented [could be at risk].”
He adds: “In general, I think that in the near future we will see more and more threats related to ‘non-conventional’ technology, what most of us call IoT [Internet of Things].”
Finding a solution
Big shipping companies such as Maersk Line have outlined that they do consider cyber attacks to be a risk, and Sørensen believes there has been growing awareness over the years. “Due to the remoteness of ships, traditionally, some companies may have seen this as a non-important issue, however the awareness and knowledge about cyber issues is growing,” he says.
Cook believes that education is pivotal in ensuring this continues to happen: “It takes a long time for culture to be embraced and there has to be a reason for you to do it. It’s the culture that we’ve got to change. It’s the human interaction that is key.”
Looking at the industry guidelines, presented at the Maritime Safety Committee in June, the document recommends establishing why cyber security practices are necessary and outlining how personal email, software and social media should be used. It adds layers of guidelines on protecting confidential information and restricting access.
It also highlights the importance of a contingency plan – something Cook speaks passionately about. “I think understanding the problem is number one,” he explains. “Number two is then educating your crew about it, number three is formulating procedures that are practical and will work, and number four is ensuring those procedures are utilised and practising your business contingency plan.”
One idea floated has been that ships take cyber security experts on board, but Cook says this would be hard to implement given the tens of thousands of commercial ships operating at sea.
Despite some of the pessimism surrounding the ability of ships and owners to thwart a cyber attack, the BIMCO conference and SAMI’s Cyber Security Workshop – held in September with the International Marine Contractors Association – do point to a more cyber-savvy industry beginning to emerge, or one that is at least starting to appreciate the scale of the problem.
Cook says: “I think ten years ago people would have looked at me and said ‘no, [a cyber attack] won’t happen.’ But it is, it has, and it will.”