Friday, November 10, 2017

Maritime Security is Top Topic as Freight and Tanker Shipping Executives Gather in London

Phish and Ships on the Menu as Two Flag Registers Act on Cyber Crime
Shipping News Feature
UK – WORLDWIDE – This week saw an innovative panel discussion hosted by the Marshall Islands Vessel Registry in the sumptuous surroundings of the Great Hall in the shadow of St Paul's Cathedral. The topic was cyber security, and the event gave many of the great and good of the ocean shipping industry the chance to hear and understand some pertinent, and frankly terrifying, information on a subject which has become one of the biggest risks to world trade imaginable. Cyber-attacks are now a leading threat, not only to the freight and logistics sector, but to any business which stores data electronically, which put simply is all of us.

The discussion was blessed with a quartet of speakers, ably managed by moderator Rear Admiral Kevin Cook, formerly of the US Coast Guard, all of whom, it rapidly became obvious, are experts in their own fields. One may think of cyber-crime as a new offence, and relative to traditional illegalities it surely is. However, just as the development of the internet and computers has grown at a breakneck pace, so has the industry bred to corrupt and attack them.

The first speaker at the lectern was Cynthia A Hudson, founder and CEO of HudsonAnalytix Inc., a US-based company with European offices, aimed specifically at protecting the interests of ship owners and operators. It runs programmes to identify and protect against vulnerabilities, train staff, protect assets and prevent losses. She commented:

“Cyber security often only becomes important when there is a loss. Offshore rigs can tilt, vessel ‘standalone’ websites can be hacked with the infiltration masked. These are ‘under water’ items but information technology is not the issue here, your IT staff are only responsible for one facet. Everything connected to the internet can be hacked, and everything is connected to the internet.

“Personal information, confidential data, operational matters are all there, different hacking procedures can include hacktivism (politically motivated hacking) and competition in business, but everything at the end of the day is about one thing – money. A hack can impinge on your reputation for business competency whilst all that financial and other information can be traded, money for data sales is here.

“Intruders can now afford to be less competent as security measures are simply not keeping up with attacking measures. It is necessary to know how to appropriately spend the money you have to in order to protect yourselves. First you must understand your own vulnerabilities and prepare for possible infiltration. Remember, penetration tests are only a part of the process – all systems can be penetrated.

“So how does one remain in business following a successful attack? Install appropriate recovery plans and remember you can only buy suitable business recovery insurance if you first know exactly where your vulnerabilities lie.”

Next up to speak was Paul Vlissidis, Technical Director and Senior Advisor to the NCC Group, a company formed in 1999 when the management team bought the business from the now defunct National Computing Centre. Funded by a burgeoning escrow business, the group has strengthened its cyber security interests with a policy of acquisition and international development. With over twenty years' history in the field, Mr Vlissidis gave a concise breakdown of what is an extremely complex problem, saying:

“Why us? Why this industry when banks and similar organisations are surely more obvious targets? Simply that in the past 2 or 3 years the game has changed, worldwide there are literally billions of devices rendering countless people and organisations vulnerable to the cyber gangs and to extortion.

“So what is the likely impact of an attack? Firstly it is liable to be comparatively low level, such as stopping a vessel’s engine management system, corrupting manifests, installing ransomware on a ship’s IT systems so it cannot leave port. The Maersk attack cost the company an admitted $300 million, a figure which may increase, and caused by something which was almost certainly a state sponsored incident.

“The attackers have access to sites like Shodan which looks at all the world’s interconnected devices and shows possible opportunities to them. Again, the first priority is a proper threat assessment, many vessels etc. still use old technology which is far more vulnerable to attack. So what would be the impact of this crime? How do you recover? Back-ups as used by the NHS this year when it suffered a massive attack? Isolation of some specific systems?

“That is what companies like ours do, identify and protect against threats. Recognise that these are no longer ‘gangs’, they operate as highly sophisticated businesses, they effectively break the data down into specific areas and into manageable chunks, they can then delegate, even franchise the pieces. Hackers at this level can buy infiltration kits from the internet, and even receive training, web space and support from those higher up the chain of command.”

Had we been attending a security briefing 5 years ago, the topic of cybercrime would probably not have featured on the agenda. At that time we were privileged to have spent time discussing the then current threat of Somali piracy with the predecessor of the next speaker, the late and very much lamented Giles Noakes, who passed away earlier this year. Now it was the turn of BIMCO’s Phil Tinsley who, like so many others, has had to grow into a role in a field which is regrettably evolving faster than any would care for. He observed:

“A ship, although an independent unit, can compromise a company’s reputation. A survey shows that malware is the main threat, it can often come aboard carried on a USB stick loaded with movies, or via phishing emails. There are now even league tables of hackers all vying to gain that top spot! The range of potential attackers covers criminals, activists, opportunists and even states.

“The recent case in the Black Sea which saw at least 20 ships with their GPS readings incorrect is believed to be the test of a Russian cyber weapon. Hackers can request the sale of a ship’s cargo and malware can be lodged within the innocuous email enquiry. The Maersk attack saw the destruction of 49,000 laptops, they lost the use of every printer, 1200 applications were inaccessible and 1,000 destroyed completely, whilst file sharing was unavailable.

“BIMCO has published guidelines to assist operators with these problems and the second edition is now available online, free to download. Ships obviously tend to have a ‘bring your own device’ policy, crew members with phones, iPads etc. tending to make them more vulnerable to attacks. On 1 January 2021 we will see the introduction of the latest version of the International Maritime Organization’s (IMO) ISM code, making the addressing of cyber security risks as part of ships’ management systems a mandatory requirement. New vessels must therefore be equipped with up to date software by the time this comes into force.”

The IMO is also upgrading its International Ship and Port Facility Security (ISPS) code to address cyber security explicitly, and the discussions continued with Colin Gillespie, Deputy Director (Loss Prevention) for the North of England P&I Association, putting the case as the marine insurance sector sees it. As an ex-mariner steeped in the industry, he told the assembly how good shipping is at managing risks; it has to be to survive. After reviewing the situation over some time he had decided that the problems are maybe not as daunting as they first appear, just another risk to be managed.

Having said that, the scale of this criminality is vast, an estimated half a trillion dollars this year with $2 trillion likely by 2020. Gillespie said most of the threats emanate from human error and, with cyber resilience so important, the key is awareness – not at an IT level but initially at board level. Hackers will ‘get in’, so prioritising must start at the top. Cyber risks need proper assessment, making things such as the Tanker Management and Self-Assessment guidelines (7-13), initiated by the Oil Companies International Marine Forum (OCIMF), particularly important.

Insurers will only cover P&I risks; cyber damage leads to a requirement for business disruption insurance, and it is difficult to estimate the level of risk unless the operator is fully conversant with the dangers inherent in their systems. Above all, the P&I man made a point which drew an amused, yet visibly uncomfortable, reaction from the audience: the traditional reluctance within the industry to share information.

Help, however, may be at hand in the form of a project under development by the CSO Alliance, a body which counts the Marshall Islands Registry, BIMCO and Airbus among its members. This is aimed at building a confidential reporting point to allow companies under attack to record events, perhaps anonymously, with a view to protecting the herd.

In a group Q&A session all speakers agreed that certain key points deserved special mention. Firstly, the necessity for executives to head up the process of uncovering and rectifying risks, aiming at a two-pronged response using both IT and operational teams. There was no need for an IT specialist on every ship; much more important is staff education to prevent attacks.

The panel was asked what such training could consist of, which led to the question: just what is cyber training? All agreed that there is no ‘one size fits all’ answer. The principal form of attack normally came via phishing emails or corrupted items brought on board, and minimising this was a matter of relevant instruction for the crew. Probably 75% of risks could be avoided if this was, literally, taken on board.
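To make the phishing pattern the panel describes concrete (an innocuous cargo enquiry whose attachment carries the malware, sent from an address dressed up to look like a known counterparty), here is an added worked example. It is this editor's own code, not code from the article, the panel or any company named in it, and every domain, name and message in it is constructed for illustration. It runs a small triage over two sample e-mails and lists the indicators a trained crew member or a mail gateway should catch: a look-alike sender domain, a display name that claims a trusted party, a Reply-To pointing elsewhere, and an executable hiding behind a document double extension.

```python
"""Added example (not from the article or the panel): a small phishing triage
over constructed sample e-mails. All domains, names and messages are made up."""
import os
from email import message_from_string
from email.utils import parseaddr

# Domains of the hypothetical operator and its known counterparties.
TRUSTED_DOMAINS = {"example-shipping.com", "example-broker.com"}
# Executable or macro-enabled types; a cargo enquiry has no reason to carry these.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm"}
# Document types an attacker hides behind in double extensions such as Offer.pdf.exe.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}
# Digit-for-letter substitutions common in look-alike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalise(domain):
    """Fold a domain for comparison: lowercase, homoglyphs undone, hyphens dropped."""
    return domain.lower().translate(HOMOGLYPHS).replace("-", "")


def edit_distance(a, b):
    """Plain Levenshtein distance, small enough not to need a library."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this one imitates (within one edit after folding), else None."""
    folded = normalise(domain)
    for t in sorted(trusted):
        if domain != t and edit_distance(folded, normalise(t)) <= 1:
            return t
    return None


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage(raw_message):
    """Return the list of phishing indicators found in one RFC 5322 message ([] means none)."""
    msg = message_from_string(raw_message)
    findings = []

    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    if sender_domain and sender_domain not in TRUSTED_DOMAINS:
        imitated = lookalike_of(sender_domain)
        if imitated:
            findings.append(f"sender domain {sender_domain} looks like trusted {imitated}")
        # Display name names a trusted party while the address does not belong to it.
        for t in TRUSTED_DOMAINS:
            label = t.split(".")[0].replace("-", " ")
            if label in display_name.lower().replace("-", " "):
                findings.append(f"display name claims {t} but address is {sender_domain}")

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from sender domain {sender_domain}")

    for part in msg.walk():  # every MIME part, attachments included
        filename = part.get_filename()
        if not filename:
            continue
        base, ext = os.path.splitext(filename.lower())
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment {filename} is executable or macro-enabled ({ext})")
        if os.path.splitext(base)[1] in DOCUMENT_EXTENSIONS:
            findings.append(f"attachment {filename} uses a double extension to pose as a document")
    return findings


# Constructed sample: the 'innocuous enquiry' with a disguised executable attached.
PHISH = """\
From: "Chartering, Example Shipping" <ops@examp1e-shipping.com>
Reply-To: deals@mail-relay.example.net
To: chartering@example-shipping.com
Subject: Enquiry: sale of cargo ex MV Constructed Star
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see our offer for the cargo, attached.
--b1
Content-Type: application/octet-stream; name="Cargo_Offer.pdf.exe"
Content-Disposition: attachment; filename="Cargo_Offer.pdf.exe"

MZ (constructed placeholder)
--b1--
"""

# Constructed sample: the same enquiry from a known broker with a real PDF.
LEGIT = """\
From: "Example Broker Ops" <ops@example-broker.com>
To: chartering@example-shipping.com
Subject: Offer for cargo ex MV Constructed Star
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Offer attached as PDF.
--b2
Content-Type: application/pdf; name="Cargo_Offer.pdf"
Content-Disposition: attachment; filename="Cargo_Offer.pdf"

%PDF-1.4 (constructed placeholder)
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, triage(raw) or ["no indicators"])
```

The checks are deliberately cheap header and filename heuristics, the kind a gateway applies before any attachment is detonated; the point for crew training is that each finding maps to something a person can see in the mail client (who it is really from, where replies go, what the attachment really is). A real deployment would add a real sender-authentication check (SPF, DKIM, DMARC results from the receiving server) and sandbox the attachment rather than trusting its name.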

Although there is a cost to scheduled training, much is available online for free; it just needs management to ensure it is properly disseminated.

Beyond those personally introduced risks, maritime telematics is a field in which caution is needed. Vessels swap data with onshore offices all the time, and that link can be a route in for an experienced and determined hacker.

The evening closed when Paul Vlissidis gave the lie to the ‘poacher turned gamekeeper’ theory as applied to hacking.

“We never employ ‘ex’ hackers in our organisation. They tend to have a limited range of knowledge and we want intelligent staff well versed in numerous aspects of the industry. Besides, who would? After all they’re still criminals.”

Certainly this is the week for cyber security matters, as Israeli group Naval Dome has signed a Memorandum of Understanding with Lloyd's Register to establish their own standards and guidelines for maritime cyber defence. The Register will carry out a series of pilot tests using the company’s cyber security software on board an LR-classed vessel. Comments from Itai Sela, Naval Dome CEO, mirrored those of the Marshall Islands panel when he said:

“The lack of guidelines and standards for creating a more secure maritime environment is the shipping industry’s Achilles’ heel. With human operator error the cause of a significant number of security breaches, the MoU we have signed with Lloyd’s Register will help create a more effective end-to-end solution for cyber defence.”

Photo: The Marshall Islands Register panel (L to R) Colin Gillespie, Phil Tinsley, Paul Vlissidis and Cynthia Hudson.