When cargo destined for marine transit leaves the factory to be shipped around the world in containers, how much of the data associated with that payload is covered by ‘need to know’ or ‘dare to share’? Is the information security balance configured correctly to prevent loss, disruption, theft and fraud whilst optimising efficient end-to-end logistics?
Statistics suggest 90% of worldwide trade travels by sea and this is set to increase. As companies in the maritime industry move into the digital age more and more of their ships, ports and rigs will be connected to computer networks and the internet. The Maritime and Energy sectors are turning to technology to increase productivity and reduce cost and delivery schedules. As the shipping world adapts to keep up with the technological changes, the crews are getting smaller but the ships get bigger and are therefore relying on automation and remote monitoring. As shipping companies become more reliant on technology, the number of devices increases and the security surrounding those devices isn’t being addressed. Looking at the Maritime sector there isn’t a lot of evidence of breaches. Is that because there are none? Because wind of a breach would be catastrophic to the reputation and brand of the company? Or is it because these companies aren’t yet aware they have been breached?
Taking a step back, how do you know if you’ve been breached if you aren’t able to identify what your vulnerabilities are? Within the Maritime and Energy sectors researchers have identified three key vulnerabilities:
Researchers from the University of Texas demonstrated in July 2013 that it was possible to change a ships direction by hacking their GPS signal to dupe its on-board navigation systems. A technology blogger commented that if someone wanted to place an Iranian ship in US waters carrying nuclear missiles, this could be done by hacking into the GPS on-board.
– Marine AIS (Automatic Identification System)
An attacker with a $100 VHF radio could exploit weaknesses in AIS which transmits data (e.g. vessels’ identity, type, position, heading and speed to shore stations). The attacker can also tamper with the data, impersonate port authorities, communicate with the ship or effectively shut down communications between ships and with ports.
Although AIS could potentially be abused by hackers, evidence has shown that maritime companies are abusing the AIS as well. An Israeli firm that collects and analyses AIS data found that 100 ships transmit incorrect locations via AIS every day. Ships may want to conceal their location for security or financial reasons (e.g. fishing boats operating outside assigned waters or smuggling) and gives ships the ability to conceal certain voyages. AIS vulnerabilities aren’t talked about extensively for reasons you can imagine.
– Electronic chart display/Information system (ECDIS)
Flaws have been found in ECDIS software that would allow an attacker to access and modify files and charts on board or on shore. If exploited, these vulnerabilities could cause serious environmental and financial damage and ultimately even loss of life.
As most of these technologies were developed long before the internet, half of the problem lies with the implementation and security surrounding these technologies. Industry needs to address these vulnerabilities to ensure an unaddressed time bomb doesn’t explode.
It is important to ensure an organisation has a universal view of the risks as well as the vulnerabilities. These Cyber risks are generic across all sectors as hackers and criminals are always looking for valuable information to exploit or steal.
A hacker managed to tilt a floating oil rig to one side off the coast of Africa forcing it to shut down. It took over a week to identify the cause and fix the issue mainly because there were no Cyber Security skills on board. Another group of hackers infiltrated computers connected to the Belgian port of Antwerp, located specific containers and made off with their smuggled drugs and deleted any record of the activities.
People are consistently the weakest link. The best technology in the world will be vulnerable if the people using it aren’t trained and aware of the risks. Similarly, the most capable workforce will be restricted without an appropriate level of technology enabling them. It takes one click of a button to take down an entire network or system and social engineering and sophisticated phishing attacks make it very difficult to decipher a malicious attack. These techniques lead to compromised systems and information breaches.
Investigations into rigs and ships have found computers and control systems riddled with viruses. In one particular instance, it took 19 days to rid a drilling rig on the way from South Korea to Brazil of malware (malicious software), which brought the vessel systems to a standstill.
So what can companies in the maritime industry do to tackle this threat?
- The culture of an organisation is key to ensuring positive information security behaviour.
- People and organisations need to understand the risks and threats to information, so education and awareness is vital to reducing information risk.
Why would you invest in securing your company against these types of threats? If an organisation is aware of the risks to their information and ensure controls are in place as protection, smaller crews will be more effective as they will have confidence in the technology. Investing in Cyber resilience will lead to an information transformation within the business. It will drive efficiencies and optimise revenue and manpower, which will enable the organisation to run a leaner and better operation.