Shipping is increasingly digitalised and interconnected. As traditional maritime operations are replaced with autonomous and computerised processes, cyber security vulnerabilities become more prevalent, noted Standard Club, discussing in a recent podcast how to face the associated challenges.
In particular, speaking on the Standard Club’s Alongside podcast, Daniel Ng, the CEO of CyberOwl, a firm that helps the maritime industry manage cyber risks and compliance, explained that the vast majority of attacks come from small ransomware.
Rather than being large, James Bond-style shutdowns of computer equipment that grind vessels to a halt, Ng explained, the risks facing the maritime industry from cyber-attacks are typically quite small and come from criminals ‘trying to make a quick buck from a shipping company’. So far, no attack has led to the collision of a vessel or grounding due to loss of control, but that doesn’t mean concerns are any less on the radar for shipping owners.
While cyber-attacks don’t tend to lead to tragedy, they can significantly impact income and revenue streams through the delays arising from them. Owners, operators, shipowners, charterers and traders can protect themselves through Strike & Delay cyber cover. One example of serious disruption occurred in February, when CyberOwl were particularly vigilant due to the increasingly unstable international situation.
‘On eight vessels across two different customers, and to eight very different types of vessels, we found evidence of some malware that was designed to get itself on board the vessel and onto a computer,’ Ng said. The virus, designed to give the attacker complete control of the machine, spread across the whole network in two vessels.
Operational Technology (OT) includes navigation systems, engine control systems, and ballast and water treatment systems on board the vessel, and was therefore under threat from this particular virus. While attacks on Information Technology (IT) can mean a loss of data and information, a third party gaining access to OT means a potential loss of vessel operations and safety.
‘Whether that is replacing the files on the machine, shutting it down, stealthily trying to copy information off the back of the machine or simply executing a new command or process on that machine, this particular piece of malware was designed to do that,’ Ng said. The malware Ng’s team identified is called ‘Plug X’, mostly infamous for political espionage cases rather than commercial or ransom activity.
However, given the controls put in place with these customers, there was no evidence of any takeover in the vessel systems.
‘So, what have we learned from that, in terms of typical things on board for cybersecurity for onboard systems? The first is often separation of what is the more traditional IT on board the vessel and the operational technology is happening, and where it’s happening, it has a good layer of control,’ Ng explained.
Another issue illuminated by the event is that these ‘attacks’ can often be collateral damage from broader and less targeted programs. ‘We call this the ‘spray and pray’ approach, where the perpetrator just releases it out, hopes it takes hold of some computer,’ he said. This can present a problem for insurers, as the origins of cyber-attacks remain shrouded in mystery.
Aside from ships, cyber-attacks can likewise hit onshore infrastructure, which can in turn lead to vessel delays at a port.
The first phase of cleaning up following an attack, Ng said, takes place roughly within the first 24 hours, depending on how severe the incident is. After that, the primary focus is on stopping the attack’s spread and ensuring the vessels’ operations are safe. After that, the second phase is all about restoring, rebooting, getting business back on track and continuing to operate. Finally, evidence is collected to understand where the vulnerabilities were in the first place.