Cyber pirates terrorising the high seas
If you thought that Blackbeard was a nightmare for ships at sea, imagine a modern-day, tech-savvy pirate, hacking into cargo ships as they roam the deep blue.
Today’s pirates are just as innovative in the tactics and technologies they use as they were in historic times. Where once the likes of Henry Morgan, Captain Kidd and Blackbeard boarded ships and stole cargo, the modern-day pirate relies not on a cutlass but on hacking skills to obtain more ill-gotten gains than Blackbeard could ever have dreamed of.
Pirates’ interest in cyber tools is in part because of the interconnectedness of shipping with the global internet. Today, the world’s 51,000 vessels that carry around 90 per cent of the world’s freight are equipped with modern technologies such as industry 4.0, which are vulnerable to a range of hacking incidents. These incidents include the ghosting of GPS systems, taking over of command-and-control systems, disruption attacks, ransomware and even cyber commercial intelligence gathering.
Today’s digital piracy threats come not only from external adversaries but also from “disgruntled employees who may misuse their privileges to attack a system or exfiltrate important corporate data”, says Prakasha M Ramachandra of Aricent, a global design and engineering company.
However, “there are no official records on the number of cyber-security attacks that have hit the maritime sector, despite the threat being real”, says Andrew Fitzmaurice, chief executive of Templar Executives, a British cyber-security firm. This is because companies are reluctant to report for fear of reputation damage.
However, Scott Bough, executive director of the Centre for Cyber Defence & Forensics, based in Ohio, estimates that “a successful cyber attack may cost the equivalent of losing one or two ships for a shipping firm”.
Meanwhile, Lloyd’s of London has warned that a serious cyber attack could cost the global economy more than £92bn. The potential economic impact of cyber disruptions or theft on ships, ports, refineries, terminals and support systems could run to hundreds of billions of dollars.
Despite this, Ramachandra states, “many organisations still view cyber security as a cost rather than an enabler to their business. Any investments in cyber-security programmes tend to be reactive.” Nor does it help that it is difficult to calculate the return on investment in proactive isolated cyber-security initiatives. This reluctance leaves organisations open to counting the cost of an attack.
An oil tanker could carry up to $100m-worth of crude, a container ship might be loaded with perishable fruit and vegetables and a vehicle carrier laden with 1,200 luxury cars could be worth around $53m. Valuable cargo, data and communications are the lifeblood of the mercantile sector but, according to David Palmer, executive director of cyber-security consultancy Sequrest, “hacking is random”.
Ramachandra identifies a multiplicity of potential motives: “Some may be political, others are driven by financial gain and others may just be looking to damage an individual’s or a firm’s reputation.”
It is time to understand that most maritime pirates are no longer just sailing the seas looking for vessels to board and rob. Instead, they are sitting at computers in some office thousands of miles away. Yes, even piracy has gone high-tech, and they are looking for vulnerabilities. In fact, instead of the sword or machine gun, they are hacking into merchandise details including bills of lading, to see which vessels are scheduled to carry it. Then, they will send traditional pirates to board the vessel, take the crew hostage and locate what they are looking for via a barcode reader. They will steal what they want and leave, just like when shoplifters go to Tesco or Sainsbury’s.
In the recent past, most ocean-going vessels operated with isolated dedicated industrial control systems with customised network protocols and a virtual absence of security systems within the safety-critical systems. This lack of security did not matter much as long as physical security of the endpoints and communications were good. Threats were uncommon and actioned mainly by disaffected, but knowledgeable, control systems engineers.
Today, things are very different. Vessels are equipped with a whole range of electronic navigation, command-and-control systems interconnected to the global internet via satellite. As Palmer points out, “satellite communication terminals are easy to hack by hackers”. All this, plus the crew’s access to the internet, means that vessels bristle with connected and automated systems making them especially exposed to attack, both internally and externally.
There are many routes on a vessel through which cyber pirates can gain access, pillage data and take control of systems. These include all the points where connected devices and systems intersect and interact with employees using employers’ laptops, tablets and mobile phones to share operational manuals and chart updates. These access points radiate via many devices to application groups and onwards to service sectors and locations, affecting supply chains, headquarters, ports, terminals and ships. With greater automation and machines standardising security controls, humans are increasingly being recognised as the weakest link in a company’s security programme.
In fact, according to a recent survey by Futurenautics, over 6,000 active seafarers claimed to have been the victim of a cyber attack because of a lack of cyber-security precautions by staff. This view has been confirmed by a 2017 survey by IHS Fairplay Maritime Cyber-security, in which 74 per cent of 284 respondents believed that their organisation’s biggest vulnerability to cyber attacks lay with staff. These findings imply a lack of training in the basics of internet security and reinforce the case for staff training.
Today, the shipping industry is adopting ever more advanced technology to ensure the safe and punctual arrival of valuable or perishable freight and to protect itself against the increasing numbers and kinds of cyber attacks.
These attacks, either on or offshore, could be limited to a single vessel, port or terminal or, in an extreme case, affect whole fleets. There are numerous examples of pirates using the abilities of hackers to steal cargo and valuable data and to commit sabotage.
At sea, Verizon RISK Team reports in its latest ‘Data Breach Digest 2018’ that pirates have used hackers to steal the cargo of “a global shipping conglomerate” on several occasions. Verizon said the unnamed company, which has been attacked by armed seafaring pirates several times, contacted its cyber specialists after noticing the looters had changed their tactics. Rather than spending days holding boats and crews hostage at gunpoint while they searched through the cargo and waited for a ransom to be paid, the pirates seemed to have inside information.
In 2013, a failed attempt at digital piracy occurred when a Dutch drug ring used a group of Belgian hackers to reroute two tonnes of cocaine and heroin into their waiting arms. These hackers were able to gain remote access to the computers of two different shipping companies. They then rerouted the containers into the port of Antwerp, Belgium, for a convenient pick-up. Instead of the usual transportation company, the drug runners showed up, ready to haul away their prize – worth more than $1.7m. But police caught them before they could carry out their devious plan.
According to cyber-intelligence group Stealthcare, Russian government-affiliated actors launched cyber attacks against Ukrainian government and military targets before and during the attack and seizure of Ukrainian ships and sailors on 25 November 2018. The attacks appeared to be aimed at stealing information that would have been applicable to planning the operation. Pirates could also take such an action in the future.
A ship’s navigation system is crucial to its operations and the most vulnerable to a cyber attack such as spoofing, because it is based on an electronic chart display and information system (ECDIS), along with inputs from satellite positioning systems such as GPS and from AIS, the automatic identification system used to provide information about vessels to other ships and coastal authorities.
One widely reported example of this kind of disruption occurred in 2017. The master of a ship positioned off the Russian Black Sea port of Novorossiysk noted that his global positioning system placed his ship over 32km inland, at Gelendzhik Airport. In the same incident, the AIS (automatic identification system) used to track vessels also placed at least another 20 ships at the same airport.
Adoption of IoT (Internet of Things) technology coupled with use of weak default passwords, failure to apply software updates and a lack of encryption – what one industry insider describes as a “crappy IoT kit” – opens the way to a variety of attacks.
Such shortcomings could lie behind the 2017 cyber attack on the world’s biggest container fleet operator, Danish shipping company Maersk. In June 2017, Maersk was the victim of a major cyber-security incident: an attack with NotPetya malware, which forced the company offline for ten days, shutting down several ports and forcing the company to handle 80 per cent of its operations manually. This attack caused a $250-300m impact, and 50,000 devices had to be updated.
Onshore, leading UK shipping broker Clarksons was the victim of a hacking and blackmail incident in November 2017. According to Clarksons, hackers accessed its systems through a single user account, demanding a ransom to prevent public release of the information and for the return of stolen information. The company refused, reported the incident and, with external forensic help, identified the problematic account and disabled it.
The British government defines cyber security as protecting information systems (hardware, software, and associated infrastructure), the data on them, and the services they provide, from unauthorised access, harm or misuse. This definition includes harm caused intentionally by the operator of the system, or accidentally, because of failing to follow security procedures.
Proactive cyber-security measures include a mix of corporate culture, hardware and software policies and approaches. In the case of shipping, according to Aricent’s Ramachandra, “most shipping companies use a ‘defence-in-depth’ strategy to protect their enterprise applications and infrastructure. Now, however, ships are becoming increasingly IoT and digitally enabled. As a result, they are required to adopt ‘defence-in-detection’ and ‘security-by-design’ strategies, to protect their vessels from cyber crime both when docked in port and at sea.
“Just as with other industries, shipping should adopt best practice standards including the [US] National Institute of Standards and Technology (NIST), International Organisation for Standardisation (ISO), and Payment Card Industry Data Security Standard (PCI DSS). Operationalising these with analytics and automation will help to reduce cyber crime to a significant degree,” says Ramachandra.
Fancy security hardware and software alone will not be enough to prevent cyber crime. Industry and corporate culture are also crucial to make sure that developers, operations staff and partners work harmoniously together to manage security in central enterprise applications and infrastructure, and in distributed/edge IoT-enabled ships and vessels.
Ramachandra observes that “reducing friction between different security controls enabled by different security products, with a platform that creates organisational memory for security initiatives, can enable firms to cultivate a proactive cyber-security culture”. Essentially, cyber-security products should be standard and coordinated across the industry to embrace ports, terminals, ships and stakeholders.
There is also a cultural issue, as Sequrest’s Palmer explains: “Many ships’ crews are blindsided by modern technology, and all too often dangerously reliant on the accuracy and reliability of command, control and navigation systems.”
He questions whether crews have enough knowledge and experience to understand and manage navigation and control systems if a hack or an IT failure occurs. The November 2018 collision between a container ship and an anchored oil tanker and the grounding of a US naval frigate in Tokyo Bay are cases in point. These incidents illustrate the importance of training crews in traditional command-and-control navigation skills.
To protect against a cyber attack, owners of vessels are investing in anti-hacking security products from providers such as James Fisher Mimic, Gatehouse Maritime and SRT Marine Systems. These companies produce and market cyber surveillance systems that detect and respond to an incursion or hack and restore the ship’s functions. These security system packages watch internal and external network traffic with IDS (intrusion detection systems) and protect against entry with IPS (intrusion prevention systems).
Together, these packages increase the security level of the ship’s networks by monitoring, inspecting and scanning traffic for suspicious data. Detection in both systems is based on recognising assigned signatures and identifying ‘interlopers’. This is combined with installation of next-generation firewalls, which feature artificial intelligence and machine-learning capabilities, to recognise patterns and find anomalies to help warn and ward off the effects of a cyber attack.
At a global level the shipping industry’s regulator, the International Maritime Organisation (IMO), is taking cyber threats to the sector very seriously. In June 2017, the IMO’s Maritime Safety Committee adopted Resolution MSC.428 (98) on Maritime Cyber Risk Management in Safety Management Systems. This resolution, for implementation by 1 January 2021, introduces regulatory measures to “make sure that cyber risks are addressed in existing safety management systems (as defined in the International Safety Management (ISM) Code)”.
New legislation is being drafted and is most likely to contain a requirement that ships are issued with a cyber-security certificate by an approved body or flag or port state. In addition, to raise the compliance rate, vessels without such a certificate could be detained.
For Europe, the EU has taken the first step by introducing the General Data Protection Regulation, which applies to all commercial firms including shipping companies. This regulation requires shipping companies to be more proactive in their cyber security. This is because they now must make sure data subjects’ consent is not only freely given but also as easy to withdraw as to provide, and they must use secure systems for the storage and processing of data.
In addition, with the implementation of the EU’s Networks and Information Systems directive, shipowners, as “operators of essential services”, will soon be liable for failing to “take proper and proportionate technical and organisational measures to manage risks posed to the security of the network and information systems on which their essential service relies”.
Together, these developments illustrate an increasing recognition of the potential and seriousness of maritime cyber-attacks and the priority now being given by the industry and regulators to invest in proactive cyber-security measures.
Since cyber security cannot be expected to be a core competence of the mercantile sector, it would make sense for shipping companies, ports and terminals to get professional advice on the new policies and procedures emerging from the IMO and governments, and also to use experts in data protection and cyber-security products and services. This, together with education and training of staff in safe or hygienic internet practices, could well help protect assets both on and offshore.
To sum up, perhaps first it is incumbent upon all actors in the mercantile sector to reach the industry standards of cyber security by proactively adopting security software and hardware and training staff in the safe use of connected devices. Then there is room for the maritime sector to upgrade security hand in hand with advances in technology, digitalisation and satellite communications.
It is undeniable that the challenges and practices in protecting the industry at all levels will prove ever more complex in coming years, but one thing is clear: expecting and being properly prepared for a serious cyber-attack is vital for the industry’s future success.