Cyber incidents fall into two principal types. The first is a cyber safety incident, in which systems, software and human interaction, as well as a lack of competency, combine with poorly managed systems and equipment protection. The second is a cyber security incident, in which an asset is targeted and deliberately accessed by an unauthorized person with intrusive or criminal intent.
The following is an example of a cyber safety incident. In 2013, in the Gulf of Mexico, an offshore worker who had loaded media files onto a thumb drive at home brought the drive on board a drilling unit (a MODU) and plugged it into an onboard computer to download media files. The following day, when work resumed, malware that had been loaded during the download hit the MODU’s network and disabled the signal sent to the DP systems, leading the unit to drift off position and causing an emergency shutdown of the well, with serious and direct implications for operations.
The subsequent root cause analysis clearly identified a lack of awareness among the staff. Even though the incident happened in 2013, a recent survey still indicates that more than 41% of shipping company personnel place the responsibility for cyber security on the shoulders of the Master when, in fact, it needs to be shared by everyone in the organization.
Meanwhile, the first cyber security incident worth noting is one we have all heard about - the incident in 2017 when Maersk was hit by ransomware. Ship safety was not impacted per se, but all paperwork related to cargo logistics was affected and prevented the release of containers in terminals. Maersk communicated openly about the attack and its impact and, in their estimation, they incurred a US$ 300 million loss as a consequence. They also had to flash more than 4,000 servers and nearly 50,000 computers while 2,500 applications needed to be reinstalled across their systems.
Another cyber security incident was the ransomware attack against COSCO in July 2018. COSCO was quicker to respond than Maersk, probably because they benefited from the experience of the Maersk incident. They were hit by this ransomware in the Port of Long Beach and within two days it had spread to the UK, Turkey, Panama and beyond. They had to shut down all their communication systems in all these countries and run their operations using Google and Yahoo accounts.
These two hacks were definitely for profit. Both were ransomware, so the attacker had a financial objective when hitting these two companies. The following two events were not financial.
In 2018, malware targeted Schneider Electric safety instrumented systems. The impact was quite limited, but the incident is worth noting because the objective was not financial. The objective was to cause some damage in a manner related to terrorism.
The last and most recent is that of the Stena Impero. The ship was detained by Iranian authorities for entering their territorial waters. It was assessed that the vessel had received a spoofed GPS signal causing a navigational error; the motive was not financial but political.
The above is just a review of a few incidents that are representative of what's happening. DHL publishes a yearly ‘Resilience360’ report and, in the 2018 edition, they cite the US National Counterintelligence and Security Agency declaring 2017 a watershed year in terms of cybersecurity incidents, with an increase of 400% in the number of incidents reported; more than half of all organizations worldwide have, reportedly, been the targets of such attacks. It's even grimmer in Asia, where more than 70% of the industrial control systems in Southeast Asia are the targets of cyber-attacks every year.
So, what’s the reality for your ships? The design life of a ship is 25 years. The average age of a vessel today is in the 10 to 15 year range. That puts the average ship and all its operating systems on a design that is basically based on Windows NT, support for which ceased in 2014. Meanwhile, they are exposed to connections coming from a 2019 to 2020 environment: software, network connections, systems, platforms and so on.
And, even though everybody is interested in the cyber performance of the systems, with the objective of improving safety, reducing environmental impact or improving OPEX and fleet optimization, the processes being used to achieve these are all definitely 2019 technology, not those of 2014 or before. But they are being applied to ships and operating systems designed and built around 2010. So the cyber performance that we see as a goal, and where the return on investment is expected, strongly depends on cyber safety and cybersecurity. This may be overlooked when cyber security investment decisions are made.
If there is no immediate return on cyber security investment, one can seek support in regulatory compliance. There are regulatory bodies issuing guidelines and recommendations on cybersecurity but, as was pretty obvious from the panels this morning, cybersecurity is a concern but they have bigger concerns coming: IMO 2020, for example.
What is the motivation for a hacker to penetrate a vessel system? Cyber-crime has become a real business model. It's not only about ransomware but also about crypto mining. Crypto mining alone generated 2.5 billion dollars in revenue for hackers in the first half of 2018. The Iranian situation also highlights political reasons. Eco-terrorism can also be considered at a certain point, and lots of information is manipulated. Shipping does not always have a good role in that, as illustrated by the hoax that the world’s 15 biggest ships create as much pollution as all the cars in the world, which has circulated on the Internet since 2009 in one form or another.
Being able to detect, prevent or avoid intrusion is one thing, but the vocabulary being used by IACS and by other bodies is now about resilience. It's not only about being protected; it's also about having a recovery plan and something in place in case something happens. And that's a tricky game: the more protection you put in place, the more you become a trophy in the eyes of a potential intruder. So the more you protect, the more you become at risk, and that's a new chicken-and-egg problem. So you have to be ready to recover when something happens, because eventually something will happen.
IACS has issued recommendations to help ship owners and ship managers prevent cyber events. These recommendations cover the establishment of a software inventory, the management of software and system upgrades, the physical security of local controls, having local control when systems are connected remotely, and having contingency plans available onboard to recover from anything that happens when the ship is out of reach for remote connections.
In order to help ship owners and ship operators comply with cyber industry requirements and best practice, BV has developed a set of cyber rules (NR659). By applying the first level of these rules, shipowners and operators qualify for a “Cyber Managed” class notation certifying that an initial cyber risk assessment has been performed; that mitigation measures have been implemented; that relevant cybersecurity documentation (repository, policies, etc.) has been developed; and that staff have been trained to establish cyber policies. It's basically a certification that cyber security, and more broadly cyber resilience, is properly managed onboard.
The above text is an edited version of Mr. Floury’s presentation during the 2019 SAFETY4SEA Singapore Forum.
The views presented above are only those of the author and not necessarily those of SAFETY4SEA and are for information sharing and discussion purposes only.
About Jerome Floury, Project Manager, Digitalization and Innovation, Bureau Veritas
Jerome holds a Master's degree in mechanics from the Université de Poitiers (France), followed by a post-master's degree in material science from the Université de technologie de Compiègne and the École d’architecture de Versailles, and a post-master's degree in naval architecture from the École d’architecture de Nantes.
Jerome joined the Bureau Veritas Singapore Offshore Centre in July 2011 after 8 years in the head office's technical direction and has since been assigned as project manager for various offshore projects in the South Asia zone.
Since 2015, Jerome has also been the South Asia representative for Asset Integrity Management services, promoting and supporting the development of our Asset Integrity Management offer and projects all across Asia.
In addition to the above, Jerome is also acting as Digitalisation & Innovation Manager for the Marine & Offshore South Asia Zone, defining and driving digital and innovation-related initiatives, and implementing the selected digital and innovation projects.