According to the Allianz Risk Barometer 2018, cyber-crime is considered one of the top five risks in shipping. Though a new risk, it ranks third on the list, cited by 31% of the participants, most of whom were company managers. This is where we stand at the moment: we know of only four paths to implementation in shipping. But do we know how successful they are, or even which one is the most effective?
The 4 Paths to implementation in shipping
- Regulation & certification (ISM/ISPS/MLC/SOLAS etc.)
- Self-Assessment (TMSA, BMSA)
- Regulation, Framework & Incentivization (OPA 90, OCIMF SIRE)
- Best Management Practices (Anti-Piracy BMPs)
Best Management Practices was actually a very good initiative by the industry; it is a good example of why you do not have to expect everything from the IMO. Moreover, let us not forget that the ISPS Code has failed! There is no better indication of that than the raw data. The Code was issued back in December 2002. However, how many commas or how many words have been revised since then? Zero. That is why it failed.
Certainly, it is not the regulation per se or the framework that works, but the framework plus the incentivization. Think about going to the United States nowadays without having properly implemented what you had to. For instance, you could not operate a tanker without having fully implemented what the oil majors require. There is a huge incentive to comply! Specifically, if a tanker does not apply the ISGOTT (International Safety Guide for Oil Tankers) guidance properly, the operator cannot have it vetted, and it will subsequently not be selected by a client. In other words, they will be out of business.
Thus, what can we learn from the aforesaid paths? There is a huge gap with respect to awareness.
Considering all incidents so far, from the attacks recorded in the maritime industry (Saudi Aramco, IRISL, Maersk, Clarkson) to the recent Facebook data security breach, we certainly need to prepare better for the unknown challenges ahead by applying lessons learned.
Saudi Aramco Case:
One of the computer technicians on Saudi Aramco’s information technology team opened a scam email and clicked on a bad link.
Results
- In a matter of hours, 35,000 computers were partially wiped or totally destroyed.
- Without a way to pay them, gasoline tank trucks seeking refills had to be turned away.
- Saudi Aramco’s ability to supply 10% of the world’s oil was suddenly halted.
Iranian Shipping Line (IRISL) Case:
A targeted attack occurred against Iranian Shipping Line (IRISL) in October 2015.
Results
- Damaged all data related to shipping rates, loading, cargo number, date and location
- Loss of company’s internal communications network
- Significant disruptions in operations, severe financial losses
Maersk Case:
At the end of June 2017, Maersk was the subject of a cyber-attack which caused major problems to operations and terminals worldwide. A computer virus, called GoldenEye or Petya, began spreading on Tuesday 27 June 2017 in Ukraine and affected companies in dozens of countries. The virus entered the system when an employee responded to an unidentified email by clicking on it.
Results
- Several port terminals run by APM, including in the US, India, Spain and the Netherlands, were struggling to return to normal operations after experiencing massive disruptions.
- Dry cargo could not be delivered and no containers could be received; several IT systems were shut down.
- Cost of the suspension of operations and cargo damage: approximately USD 300 million.
- Cost of system upgrades and additional protective measures cannot yet be calculated.
Clarkson Plc Case:
Clarkson Plc suffered a cyber security breach in which unauthorized access was gained via a single, isolated user account.
Results
- Data and sensitive information lost
- Company’s shares fell 2% after the attack was announced
Facebook data leak: A lesson on better data protection
What happened
Between 2013 and 2015, Cambridge Analytica harvested profile data from up to 87 million Facebook users without those users’ permission and used that data to build a massive targeted-marketing database.
- Facebook had known about the harvested data since 2015 but supposedly did nothing to protect users.
- Following the discovery, in March 2018, Facebook apologized amid public outcry and falling stock prices.
- However, Facebook user data, according to Mark Zuckerberg’s statement, was acquired within the rules imposed by Facebook.
Facts
- Facebook has more than 2.2 billion monthly active users and up to 65 business pages.
- Even though more than 100 countries have already passed data protection laws of varying robustness, data protection standards are not global.
Human Errors
- A seafarer plugged a mobile phone into an ECDIS USB port, or another USB port, for charging
- A seafarer plugged a computer into an engine room (ER) network socket, shutting down the main engine (M/E), only to find out that he had interfered with the M/E automation
- Unintentional GPS disruption lasting over 7 hours, caused by a common car GPS jammer
- A malware infection that went undiscovered for many months
- An agent asking for payment into a new bank account; only when the payment was effected was it found to be an invalid account
What are the Lessons to be learned?
- There can be no zero-cyber-risk environment
- Humans remain the weakest link in the cyber security chain
- If it can happen to global organisations, it may well happen to smaller-scale ones
- Non-reporting of incidents does not help
- Not testing cyber capabilities does not help
- As data is considered the new oil, we need more legislation covering the full supply chain
- We have to prepare for the unknown challenges
Cyber Security Challenges Ahead
- Growth of the cyber risk footprint
- The rate of technological development in as-yet-unexploited areas and new innovations
- Regulators lag far behind technological developments
- We need to apply lessons learned from the past, other industries & our own (Y2K, AIS, ECDIS etc.)
- Mindset seems to be the biggest obstacle towards Cyber Hygiene
- Resistance to change is human nature
Those who do not remember the past are condemned to repeat it.
George Santayana
Non-reporting of this kind of incident and not testing cyber capabilities do not help in tackling the issue. Mindset seems to be the biggest obstacle towards cyber hygiene; overall, resistance to change is human nature.
The above text is an edited article based on Apostolos Belokas’s presentation during the 2018 SAFETY4SEA Cyber Masterclass.
About Apostolos Belokas
Apostolos is a Maritime Safety, Quality & Environmental Expert, Consultant, Trainer and Project Manager with more than 20 years’ background in shipping as Technical, Marine, Safety & Training Superintendent and Consultant. He entered the industry back in the early 90s as Engineering Superintendent with a leading ship manager operating a mixed fleet of bulk carriers and oil/chemical tankers. He then shifted to regulatory compliance and QHSE as a superintendent and later as a Consultant and Trainer. Apostolos has successfully completed a wide range of QHSE projects, including 250+ management system projects (ISM/ISO 9001-14001-18001/TMSA/MLC) and 500 vessel and office audits to various standards, and he has trained more than 8,000 people in a wide variety of QHSE subjects. He has also presented at and chaired more than 40 conferences. He holds Bachelor’s and Master’s degrees in Mechanical Engineering, specialising in Energy & Environment, and Master’s degrees in Maritime Business and Business Administration (MBA), all of them awarded with distinction. Apostolos is the Managing Director of SQE MARINE and SQE ACADEMY and Managing Editor of SAFETY4SEA.