Guidance published by BIMCO and ENISA highlights the threats posed to the marine industry by cyber-attackers and how these can be fought.
Online technology has completely revolutionised international trade over the past few decades and the marine industry is no different. Information technology on board vessels has transformed the way in which they operate, vastly increasing the accuracy and efficiency of a ship's performance.
Yet with these new technologies come new dangers. Ever-greater integration of the systems that organisations use has greatly increased the risk of malicious attackers breaching an organisation's or vessel's secure networks.
With the EU's trade in goods by sea at over 50% of the total, it is not difficult to see how such a lucrative market could be a hunting ground for cyber-attackers. Yet in spite of this drastic threat, the European Network and Information Security Agency (ENISA) found in its own study that awareness of cyber security is either very low or non-existent in the maritime sector.
BIMCO has published its Guidelines on Cyber Security Onboard Ships, which identify the main risks and seek to raise awareness and provide effective responses to these issues.
They identify a range of different individuals or organisations who pose a threat for a variety of reasons:
- Criminals, acting mainly for financial gain by hacking into systems to steal cargo or sell or ransom stolen data.
- Terrorists (including state-sponsored terrorists), looking to disrupt or destroy infrastructures for political gain.
- Activists, who are also looking to attack infrastructures for their own ends. There are others who undertake these kinds of attacks just because they can.
These will take the form of untargeted or targeted attacks.
Untargeted attacks, as the name suggests, are random and use software that detects vulnerabilities in a vessel's or company's systems, where that vessel or company is one of many potential targets. These will include obtaining sensitive information using techniques with which many of us will be familiar, such as phishing or ransomware via e-mail, or creating a fake website or exploiting a genuine website to dupe visitors (water-holing). Another technique, one not often considered, is the manipulation of individuals such as employees, who can be tricked into giving away sensitive information (often through social media) that allows attackers to gain access to secure networks.
Targeted attacks are of a similar nature, though the cyber-attackers will use more sophisticated techniques such as spear-phishing or botnets. They may even tamper with a ship's equipment before it is delivered to an organisation to gain access.
The stages of a typical cyber-attack will involve:
- Survey/Reconnaissance, where an organisation is targeted, either individually or en masse.
- Delivery, where a breach is attempted, which includes everything from sending malicious e-mails to hacking into cargo or consignment tracking systems.
- Breach, which will depend on the degree of access the cyber-attackers have and could include making changes that affect a ship's operations such as to ECDIS, or retrieving sensitive data such as crew and passenger lists and management systems.
- Affect, which will depend upon the objectives of the cyber-attackers and can include widespread disruption to a ship's operations and systems, which can endanger many lives, or stealing cargo or funds or holding sensitive data to ransom.
Given the risks involved for those in the marine sector, it is crucial that maritime organisations that use online systems (which will be most if not all of them) are trained to identify and mitigate these risks.
The Guidance gives a fuller understanding of how this can be done, but in brief it will involve:
- Identifying the threats and your own vulnerabilities
- Assessing exposure to the risk
- Developing protection and detection measures
- Establishing contingency plans, and
- Adequately responding to cyber security incidents.
It is hoped that, by spreading awareness of the marine sector's vulnerabilities to cyber-attacks, threats can be diminished and properly mitigated, especially as the industry moves, with the rest of the world, further online.