During the 2019 SMART4SEA Conference, Isidoros Monogioudis, Senior Security Architect, Digital Shadows, presented the current landscape of maritime cyber threats.
Surprisingly enough, I realized that cyber security is a real issue in the maritime sector. It has the attention that the maritime sector needs, but for some reason it doesn’t get the appropriate investment. We have to convince the shipowners that maybe it is not a direct issue for profitability, but it is something we need to invest in so that we can be profitable with the new technologies that will be applied.
I just want to highlight two real attack vectors, Gold Galleon and the Dark Overlord, which actually represent targeted attacks against the maritime sector, in a different way from what happened with NotPetya and other untargeted cyber attacks such as ransomware.
The point here is that yes, we have targeted attacks against the maritime sector; they are not very common, but they are really going to increase. Why? Because the exposure is getting bigger and bigger. So what is the attack surface?
We can divide the attack surface in two big areas:
- Threat to maritime vessels;
- Threat to the wider sector.
We differentiate vessels because vessels are the top priority for every shipowner. This is the asset that makes money for the shipowner. So we have to address the cyber threats to each vessel accordingly and properly, even if, in the end, all we need to do is transfer the expertise and knowledge from the traditional cyber defense and cyber security area to the ship’s network and the ship’s ecosystem.
Decision-making processes, performance monitoring and connectivity are all related to cyber risk and cyber security. We can say a few words about who is behind the cyber risk. Who is actually the one that may pose a threat, a danger, to our assets?
- Activists’ motivations are:
  - Reputational damage;
  - Disruption of operations.
  Business continuity is a key function that must not be interrupted.
  Objectives:
  - Destruction of data;
  - Publication of safety data;
  - Media attention;
  - Denial of access to the targeted service or system.
- Criminals’ motivations are:
  - Financial gain;
  - Commercial espionage;
  - Industrial espionage.
  Objectives:
  - Selling stolen data;
  - Ransoming stolen data;
  - Ransoming system operability;
  - Arranging fraudulent transportation of cargo;
  - Gathering intelligence for more sophisticated crime: exact cargo location, ship transportation and handling plans.
- Opportunists’ motivation is:
  - The challenge.
  Objectives:
  - Getting through cyber security defences;
  - Financial gain.
- States, state-sponsored organisations and terrorists’ motivations are:
  - Political gain;
  - Espionage.
  Objectives:
  - Gaining knowledge;
  - Disruption to economies and critical national infrastructure.
There are different areas, different objectives, not always the common ones for activists.
- Criminals
Cyber crime is increasing more and more. Indeed, cyber crime is already here. It makes its profit from other operations today, but the time is not far away when cyber crime will make money out of shipping companies.
- Opportunists
These are people who, by luck, randomly, may gain access to or find a vulnerability in a shipping company and cause damage simply because they happen to be there.
- States, Sponsored organizations, terrorists
This is something that really has to be a concern, because the truth is that even with NotPetya there is an attribution claiming it was a state-sponsored action, and that is why the ‘chocolate company in the US’ is not getting compensation from its insurance company: the insurer claims that NotPetya was an act of war. Even with cyber insurance we have to be very careful.
- Regulations
Why is this a threat actor? It is not a real threat actor, but cyber security regulations will have ‘teeth’, so they have the nature of something that intimidates the shipping sector, and we have the IMO, which has stated many times that by 2020 there are things to be addressed for cyber security.
There is a broad range of reasons to hack a ship. Other aspects are extortion, the thrill, causing genuine harm, and insider information.
Information from connected devices and components, whose exposure in the shipping industry is increasing more and more, can be processed and correlated with different apps in the cyber domain and provide information useful not only for offensive operations but for defensive ones as well.
This is what threat intelligence, as an area, tries to address within a cyber security framework.
There is no need for SCADA expertise. To hack a SCADA system you don’t need a specific education; you need tools that are already available, and all you need to do is find the right information to carry out the hacking activity.
The current threat to shipping companies is the guys with the guns. In the future, instead of guns, they will also use laptops and computer components to hack things.
We can start finding information easily. AIS and navigation systems are publicly available, so this is the starting point for an adversary who wants to find information to target a company.
According to the BIMCO guidelines, the onboard connected systems are a good starting point for identifying where the digital exposure of the shipping industry begins.
These are the common vulnerabilities that can be found on onboard systems.
- Obsolete and unsupported operating systems;
- Outdated or missing antivirus software and protection from malware;
- Inadequate security configurations and best practices, including ineffective network management and the use of default administrator accounts and passwords;
- Shipboard computer networks, which lack boundary protection measures and segmentation of networks;
- Safety-critical equipment or systems always connected to the shore side;
- Inadequate access controls for third parties including contractors and service providers.
What are the threats to the wider maritime sector? We all know the size of the laws. We all learned that now they address all vulnerabilities in a central and very organized way. The Maersk attack wasn’t a targeted one. The NotPetya attack, which is most likely a state-sponsored attack, affected and impacted Maersk and the Port of LA. Now, what are the cyber security quick wins?
Starting onboard, cyber protection begins with network segmentation; it should be an architectural principle for the IT systems onboard. We have seen a lot of different solutions applied with sensors, performance monitoring and every kind of similar digitized solution. The point is that we need to segment networks in a way that grants every user need-to-know access, and to focus on security monitoring, not only performance monitoring. We also have to deploy the right sensors for security monitoring, for every tool and every solution that is already digitized on the ship.
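As an added illustration of that point (example code written for this article, not from the presentation or from Digital Shadows), the script below defines onboard network zones, an allow-list of the inter-zone flows that segmentation permits, and a security-monitoring check that flags every other cross-zone flow in a constructed connection log. The zone subnets, the allow-list and the log format are assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed onboard zones (assumed addressing; not from the talk).
ZONES = {
    "navigation": ipaddress.ip_network("10.10.1.0/24"),    # ECDIS, radar, AIS, GPS
    "machinery":  ipaddress.ip_network("10.10.2.0/24"),    # engine and alarm monitoring
    "admin_it":   ipaddress.ip_network("10.10.3.0/24"),    # business PCs, mail
    "crew_wifi":  ipaddress.ip_network("10.10.4.0/24"),    # crew welfare devices
    "shore_link": ipaddress.ip_network("203.0.113.0/24"),  # satcom gateway / shore side
}
SAFETY_CRITICAL = {"navigation", "machinery"}

# Allow-list of (source zone, destination zone, destination port) that segmentation
# permits; anything else crossing a zone boundary is worth an alert.
ALLOWED = {
    ("admin_it", "shore_link", 443),   # business traffic to the office ashore
    ("machinery", "admin_it", 8443),   # performance data pushed to the onboard office server
    ("navigation", "admin_it", 8443),  # voyage data export
}

Flow = namedtuple("Flow", "ts src dst dport")

def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it matches no segment."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "unknown")

def parse_flow(line):
    """Constructed log line format: '<timestamp> <src_ip> -> <dst_ip>:<dst_port>'."""
    ts, src, _, rest = line.split()
    dst, port = rest.rsplit(":", 1)
    return Flow(ts, src, dst, int(port))

def check_flows(lines):
    """Return (flow, reason) for each cross-zone flow that is not on the allow-list."""
    alerts = []
    for f in map(parse_flow, lines):
        s, d = zone_of(f.src), zone_of(f.dst)
        if s == d or (s, d, f.dport) in ALLOWED:
            continue  # intra-zone traffic, or an explicitly permitted path
        onboard = d if s == "shore_link" else s
        if "shore_link" in (s, d) and onboard in SAFETY_CRITICAL:
            reason = f"safety-critical zone '{onboard}' connected to the shore side"
        else:
            reason = f"unapproved cross-zone flow {s} -> {d}:{f.dport}"
        alerts.append((f, reason))
    return alerts

# Constructed sample log: one permitted shore flow, a crew device reaching the ECDIS
# network over RDP, an inbound shore connection to a Modbus port, intra-zone traffic.
SAMPLE_LOG = [
    "2019-04-03T10:00:01 10.10.3.15 -> 203.0.113.10:443",
    "2019-04-03T10:00:05 10.10.4.22 -> 10.10.1.5:3389",
    "2019-04-03T10:00:09 203.0.113.40 -> 10.10.2.8:502",
    "2019-04-03T10:00:12 10.10.1.5 -> 10.10.1.6:2000",
    "2019-04-03T10:00:20 10.10.2.8 -> 10.10.3.50:8443",
]

if __name__ == "__main__":
    for flow, reason in check_flows(SAMPLE_LOG):
        print(f"{flow.ts} {flow.src} -> {flow.dst}:{flow.dport}  ALERT: {reason}")
```

Run against real sensor output, the same allow-list doubles as the documented segmentation policy: a flow that triggers an alert is either an intrusion or a gap in the architecture, and both deserve a ticket.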
Defense in depth is the next step. We have to think of cyber defense and cyber security as a multi-layered approach. There is no all-in-one solution; you cannot find something that does everything and protects you from everything.
What is more, you should keep in mind that cyber security is a complex issue and needs expertise. It is not a single firewall. It is not an antivirus.
Incident handling is very critical. Most of us forget or fail to address incident response. We focus on cyber security, on protection. We focus on proactive defense and forget what comes next if we happen to suffer a security breach.
In conclusion, the threat is real and the risk is high. Maritime digital exposure is getting bigger. In this regard, you need to secure your assets from cyber risk as you secure your assets from physical risk. The future is “compliant”, so either way you have to enforce it.
Above text is an edited version of Mr. Isidoros Monogioudis’ presentation during the 2019 SMART4SEA Conference.
The views presented hereabove are only those of the author and not necessarily those of SAFETY4SEA and are for information sharing and discussion purposes only.
About Isidoros Monogioudis, Senior Security Architect, Digital Shadows
Isidoros Monogioudis is a Senior Security Architect at Digital Shadows, a digital risk monitoring and cyber threat intelligence company. Isidoros started as an IT and systems administrator 20 years ago and since 2008 has focused on cyber security and cyber defense. Prior to Digital Shadows he was a Greek military officer and a member of the Cyber Defense Directorate, where he was involved in several projects and cyber operations. He has extensive experience in incident handling, penetration testing, log management, and incident detection and response. Part of his work as an officer was also the planning, preparation and execution of cyber defense exercises at national and international level (NATO, EU). Currently he is involved in cyber security research, testing, analysing and evaluating new cyber threats and attack vectors. At the same time he is responsible for the internal security architecture, implementing security controls and solutions for the company’s protection.