Introduction to Maritime Cybersecurity
December 1, 2018
It seemed like just another routine day:
An 80,000-ton tanker was at an Asian port. One of the crew had brought a USB stick on board with some paperwork that needed to be printed. That was how the malware got into the ship’s computers in the first instance. But it was when a second crewmember went to update the ship’s ECDIS before sailing, also via USB, that the navigation systems were infected. Departure was delayed, and an investigation launched.
Not a good day for this crew.
The Bottom Line
As the use of computers in maritime grows, the opportunity for malicious code to cross over from your office computers to ship’s operational systems increases. It’s already happening often enough to see regular stories in major news outlets.
And there’s every reason to expect it will continue to happen more frequently and with greater severity. The basic patterns, tools, and techniques of these cyber-attacks, whether aimed at stealing money or causing disruption, are well established across many industries, and the same tools work just as well against the commodity computers found on ships. In the maritime environment, an attack could leave you dead in the water with lost revenue, big repair bills, strangers asking questions, and possibly a lawsuit.
Operational disruption is your major cyber risk. Your minor cyber risk, both onboard and off, is the frustration and expense of dealing with personal computers infected with ransomware, or other malicious code. You could lose your invoices, Bills of Lading, payroll records, and so on.
It’s probably going to get worse for the maritime industry. As ship’s controls become more connected to online systems, the cyber risks to navigation, safety, and your business will only grow.
Here’s one future you might see: Your ship is navigating among several autonomous ships operated by computers according to the International Regulations for Preventing Collisions at Sea (COLREGS). But the autonomous vessels start acting on bogus commands sent by cyber-attackers, because their navigation systems were never built to authenticate commands and so cannot tell a legitimate order from a forged one. You could have a very bad day and spend many months recovering from a major accident.
The Here and Now
OK, back to the present. Why is all this cyber-stuff happening now? Maritime cybersecurity is about 20 years behind mainstream cybersecurity, but the adversaries are 20 years smarter and constantly innovating. If you think cybersecurity is annoying, take a deep breath because you do have options.
Here’s my suggestion: rather than react only when provoked, you could lean into this new risk.
Why? Because cyber risk isn’t all downside. It’s also an opportunity: staying in business when your competitors can’t, even though you were all cyber-attacked at the same time. Think about NotPetya, the data-destroying worm that cost Maersk an estimated $250-300 million in 2017.
At first, NotPetya looked like a type of ransomware. But the evidence indicates it was a weapon of state-sponsored cyber warfare whose real goal was to render every computer it reached unusable; there was no working way to get the data back even if you paid. Its network spreading was built on “EternalBlue”, an exploit for a flaw in Windows SMBv1 file sharing that the US National Security Agency (NSA) had developed and that was leaked online by the Shadow Brokers in early 2017. Microsoft had patched the flaw (MS17-010) three months before NotPetya appeared, yet fully patched machines still fell, because the worm also harvested administrator credentials from memory and used them to spread with legitimate Windows remote-administration tools. Patching alone was not enough; limiting who holds administrator rights mattered just as much.
The attack was launched through a compromised update to M.E. Doc, a Ukrainian tax-preparation program, which was automatically distributed to all of its users. But the worm spread so aggressively that it quickly escaped Ukraine’s borders, crossed Europe, and went around the world.
Small-package shippers FedEx (through its TNT Express subsidiary) and DHL were both hit by NotPetya. Yet as TNT’s operations ground to a halt for weeks, DHL kept its doors open and the packages flowing. The result for DHL was a long-term increase in volume, market share, revenue, and profits. All because DHL didn’t call in sick when the nasty computer worm showed up. You could say DHL had good cyber resilience.
Thriving as a Cyber Risk Manager
From the opening story, you can see you have three groups to deal with:
• Cyber attackers (either criminals, like the author of the bank-robbing Zeus malware, or soldiers, like those who released NotPetya).
• Insiders, who are malicious, careless, or manipulated into doing the wrong things.
• Outside stakeholders, like investors and regulators.
Although each one is different, you need a plan to deal with all three. Before we talk about cyber risk mitigations, let’s take a closer look at each one.
Organized crime is targeting everyone on the Internet. Back in 2010, at the offices of “The Smile Zone,” a pediatric dentist located in Springfield, Missouri, a lot of money was stolen.
Prior to the theft, deep inside the computer on which the dentist was doing electronic banking, someone was watching, silently. Day after day, a nameless, faceless criminal was taking detailed notes on the boring routines of the dentist’s electronic payments and account reconciliations. Until, one day, the thief struck and wired more than $200,000 from the dentist’s checking account at Great Southern Bank to offshore accounts controlled by the criminals.
The money was never recovered.
Cyber criminals will target anyone, big or small. Criminals like the Russian Evgeniy M. Bogachev, also known as “Lucky12345” or, as I refer to him, the “millennial mobster.” The FBI is offering a $3 million reward for information leading to his arrest. He wrote the Zeus banking malware, used to steal more than $100 million from US banks alone, and his electronic gang is suspected of being behind “The Smile Zone” attack and countless others.
Cyber criminals usually strike by tricking you into clicking a malicious link in an email or opening an infected file attachment. This is called a phishing attack. When the message is tailored to you by name, it’s called spear phishing; when it targets senior executives, it’s called whaling.
Our government is almost helpless to do anything about it. So we are on our own for at least the next 10-15 years, until the institutions that protect us from everyday physical attacks (like gun-toting bank branch robbers) figure out how to operate effectively in cyberspace.
Fast forward to 2016, and both the CEO and CFO of FACC (an Austrian maker of components for Boeing and Airbus aircraft) were fired after the company lost about $54 million to a spear-phishing scam in which the attackers impersonated the CEO to order a wire transfer. And in 2018, the City of Atlanta had to sign emergency contracts worth $5 million in less than eight weeks as part of an intense effort to restore the many online services shut down by a highly effective ransomware attack.
Whether in cooperation with government intelligence services or going it alone, it’s as if Al Capone figured out how to use the Internet just as well as Amazon does, and now bullies and steals from us on a scale never before possible. Take the Carbanak gang, which stole more than $1.2 billion from banks and ordinary people all over the world in just five years.
Online criminals and cyber warriors are hard to defend against. But here’s a leading cause of cyber failure that you have some influence over.
In its 2016 “Cyber Security Intelligence Index”, IBM found that 60 percent of all attacks were carried out by insiders. Of these, three-quarters involved malicious intent and one-quarter involved “inadvertent actors”: people who were either manipulated into doing something they should not have done, or who simply made a mistake or a critical error.
From misaddressed emails to stolen mobile devices, these “inadvertent actors” can cause a lot of damage. The riskiest of these insiders are well-meaning systems administrators, whose complete access to company infrastructure can turn a small mistake into a catastrophe.
Here’s one high-profile example: the CEO of Equifax blamed the company’s 2017 breach, which exposed the personal data of more than 147 million consumers, on human error. In short, someone at Equifax failed to install a critical security patch (for the Apache Struts web framework) on an internet-facing server, months after the patch had been published.
Many errors are caused by social engineering. This is a type of attack designed to manipulate a person’s emotions in order to successfully pull off a scam. People are often tricked into opening innocent looking web links or email file attachments.
Malicious insiders include employees, former employees, contractors or business partners. In Verizon’s 2018 “Data Breach Investigations Report” we see that malicious insiders are often driven by financial gain, such as filing fraudulent federal tax returns or opening lines of credit in other people’s names.
Malicious insiders are also driven by fun or curiosity when they look up the personal records of celebrities or family members. Sometimes people cut corners out of a strong desire for convenience. And some malicious insiders just have a grudge against your organization.
An insider could take revenge by planting code that lies dormant on your organization’s systems and fires only when a condition is met, for example a date after their departure or the deletion of their own user account. This is called a “logic bomb”.
You can’t stop outsiders from attacking you, but you do have leverage over insiders. A positive attitude toward your people, and fair treatment, can reduce the risk of betrayal. But you also need to set and enforce cybersecurity policies with your staff, and ensure strong contractual requirements with third parties.
As we’ve seen, cyber threats have never been greater, and they will continue to increase for years to come.
Recognizing this “new normal”, the US government said that putting the majority of our resources into prevention isn’t a viable strategy anymore. Instead, we need to practice “reasonable cybersecurity”.
The Federal Trade Commission says an organization must practice “reasonable security measures” as compared to:
• An entity of similar size and sophistication,
• And, given the type, amount, and methods of data collected.
Do otherwise and the FTC may charge you with unfair or deceptive acts. Now, following this definition, the FTC won’t compare the cybersecurity of a small shipping company to a bank, but to other shippers of its size.
To further define “reasonable”, the FTC points to the NIST Cybersecurity Framework, which at a high level says you need to:
• Identify your digital assets and cyber risks,
• Protect your digital assets from incidents,
• Detect incidents promptly,
• Quickly respond to incidents,
• And, effectively recover from incidents.
Now, let’s look at two examples where the FTC charged organizations with having unreasonable cybersecurity.
The first example relates to the Protect function: Twitter had given almost all of its employees administrative control over its core system. And, the FTC charged that by providing administrative access to so many employees, Twitter increased the risk that a compromise of any one of its employees’ credentials could result in a serious breach.
In its case against Wyndham Worldwide Corporation, the FTC said the company failed to follow proper incident response procedures and failed to learn from the first intrusion. As a result, intruders were able to gain access to the company’s computer network on three separate occasions over a 21-month period. These cyber-attacks led to the compromise of more than 619,000 payment card account numbers and $10.6 million in fraud.
By the way, typical FTC consequences for unreasonable cybersecurity include:
• Orders to correct illegal practices,
• Plus 20 years of close oversight of their cybersecurity program,
• And civil penalties, more than $40,000 per violation at the time of writing, for each later breach of that order.
Everyone on your team needs to practice good cyber hygiene daily as they go about their work. And management needs to practice reasonable cybersecurity with good record keeping. Here are some basic first steps you can take.
You can’t reliably detect all phishing attacks, which is unfortunate because it’s the leading way attackers get in. Even though you shouldn’t open email attachments or click links you didn’t expect to receive, in our fast-paced world that’s not always possible. So it’s likely that sooner or later a piece of malicious code will land on your computer. That means you have to raise your shields a bit higher so that one bad click doesn’t become a disaster.
Personal Cyber Hygiene Checklist
Here’s a prioritized checklist of the most effective ways to guard against cyber-attacks today. Please realize this list is not “set it and forget it.” It will change as the adversary improves their tools and tactics. Start at the top and work your way down. Give this list to your friends, family, and co-workers:
1. Use a non-administrator account for daily tasks such as email and web browsing. Most malware needs administrator rights to do its worst; annual analyses of Microsoft’s own security bulletins find that the large majority of critical Windows vulnerabilities are mitigated simply by removing admin rights.
2. Turn on two-factor authentication at every website that holds your money (banking, QuickBooks) or valuable data (Dropbox). Prefer an authenticator app or a hardware security key over SMS codes where the site offers them, since text messages can be captured by the phone-number theft described in the next item. See twofactorauth.org for which sites support it.
3. Set a six-digit account PIN with your mobile phone carrier to prevent theft of your phone number by “SIM swapping” or an unauthorized port-out, which leads to loss of control over any online account that sends codes or password resets to that number.
4. Use a high-quality password manager to store strong, unique passwords for each Internet account. Either 1Password or LastPass are good choices.
5. Back up all your data: one local copy plus another copy with a cloud service provider. Keep at least one copy offline or versioned, because ransomware will encrypt any backup drive or synced folder it can reach.
6. Run a current, supported version of Windows or whatever operating system you use; versions past end of support no longer receive security fixes.
7. Install software updates promptly, and turn on automatic updates wherever they are offered.
8. Never pay ransom to get back control of your data or systems. Doing so only encourages more cyber-attacks, which hurts our business community.
9. Be suspicious whenever anyone asks you to do something online with money. Verify (by phone or in-person) all electronic funds transfer instructions prior to acting on them.
Onboard Cyber Hygiene Checklist
Be sure to routinely protect your computer-based navigation and other equipment onboard your ship from malicious code infection. Here are a few tips to get you started:
1. Change all default user IDs and passwords on all your equipment, including the Electronic Chart Display and Information System (ECDIS). Cyber-attackers are counting on you not to do this!
2. Block the USB ports on ECDIS and other devices so no one infects them by connecting USB drives, mobile phones, or anything else. Where a port must stay usable for updates, control who has physical access to it.
3. When updating ECDIS charts or other devices:
a. Start from a non-administrator account on a known-clean computer that is kept for this purpose (not a crew member’s general-use or personal machine).
b. Download the updates from the vendor’s site and save them onto a dedicated USB drive that is used for nothing else.
c. Check the downloaded files against the vendor’s published checksum or signature, where one is provided, and scan the USB drive with an up-to-date malware scanner.
d. Only if both checks pass, connect the drive to the ECDIS or other device and apply the update. Record who did it, when, and what was installed.
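Here is the staging procedure above as a script, added to this article as an illustration; it is not code from the article’s author or from any ECDIS vendor. It assumes three things that the article does not state: that the vendor publishes a SHA-256 digest for each update file, that ClamAV’s clamscan is the scanner installed on the staging computer, and that the dedicated USB drive is already mounted at the path you pass as the third argument. Every check fails closed: a missing scanner, a hash mismatch, or running as root all stop the copy.

```shell
#!/usr/bin/env bash
# Stage a vendor-supplied update (for example ECDIS chart data) onto a dedicated
# USB drive only after it passes an integrity check and a malware scan.
# Assumptions (illustrative, not from the original article): the vendor
# publishes a SHA-256 for each update file; ClamAV's `clamscan` is the scanner
# on the staging PC; the USB drive is already mounted at USB_MOUNTPOINT.
set -eu

# Print the SHA-256 hex digest of a file; works with coreutils or macOS/BSD tools.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum -- "$1" | awk '{print $1}'
  else
    shasum -a 256 -- "$1" | awk '{print $1}'
  fi
}

# Exit status 0 only if FILE's digest equals EXPECTED (hex, either case).
verify_sha256() {
  local file=$1 expected actual
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$file")
  [ "$actual" = "$expected" ]
}

# Exit status 0 only if the scanner runs and reports the file clean.
# Fails closed when no scanner is installed: "no scanner" must not read as "clean".
scan_clean() {
  command -v clamscan >/dev/null 2>&1 || { echo "clamscan not installed; refusing to stage" >&2; return 1; }
  clamscan --no-summary --infected -- "$1" >/dev/null   # exit 1 = infected, 2 = scan error
}

# Step 3a of the checklist: this must run from a non-administrator account.
not_admin() {
  [ "$(id -u)" -ne 0 ]
}

# stage_update UPDATE_FILE EXPECTED_SHA256 USB_MOUNTPOINT
# Copies the file to the USB drive only if every check passes, in this order:
# not root -> file and mount point exist -> digest matches vendor value -> scan clean.
stage_update() {
  local file=$1 expected=$2 dest=$3
  not_admin || { echo "run this from a non-administrator account" >&2; return 1; }
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
  [ -d "$dest" ] || { echo "USB mount point not found: $dest" >&2; return 1; }
  verify_sha256 "$file" "$expected" || { echo "SHA-256 mismatch: do not use this file" >&2; return 1; }
  scan_clean "$file" || { echo "scan failed or found malware: do not use this file" >&2; return 1; }
  cp -- "$file" "$dest/" && sync
  echo "staged $(basename -- "$file") on $dest"
}

# Command-line use: ./stage_update.sh UPDATE_FILE EXPECTED_SHA256 /media/usb
if [ "$#" -gt 0 ]; then
  [ "$#" -eq 3 ] || { echo "usage: $0 UPDATE_FILE EXPECTED_SHA256 USB_MOUNTPOINT" >&2; exit 2; }
  stage_update "$@"
fi
```

The order of checks matters: the digest is compared before the scanner runs, so a tampered or corrupted download is rejected even if it happens to contain nothing the scanner recognizes, and the script never copies anything when it cannot prove the file is both what the vendor published and free of known malware.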
If you want to dig into this more, here are some good sources:
The Guidelines on Cyber Security Onboard Ships (ver. 2.0)
MSC-FAL.1/Circ.3 - Guidelines on Maritime Cyber Risk Management (IMO)
NIST Cybersecurity Framework (ver. 1.1)
Kip Boyle (@KipBoyle) is a 20-year information security expert. A former Chief Information Security Officer (CISO) for several heavily regulated companies, he previously worked at Expeditors International and United Parcel Service, and was the Wide Area Network Security Director for the Air Force’s F-22 “Raptor” Program.