Cybercrime 101: Your ship probably has been hacked already

You have either been hacked … or you just don’t know you have been hacked.

I predict that the first catastrophic maritime cyberincident will not be the result of a direct attack on a specific piece of safety-critical equipment. It will be the result of an infection on a random PC — perhaps a virus sent in an unassuming email to a crewmember whose PC is connected to the vessel’s internal “super highway,” transmitting the infection internally while it lies dormant. CryptoLocker or ransomware software (used by thousands of hackers) is easily available to download on the “dark Web,” and while neither of these may necessarily attack the equipment they infect, they can lie dormant and infect connected equipment when no one expects it. You have been warned!

“Cyberattack” is the current buzzword. Though some see cyberattacks as an industry killer and even as the potential cause of the next world war, others believe them to be simply a myth. So where does the maritime industry stand in all of this?

In the main, but certainly not universally, the maritime industry has a dismal record in its slow and painful transition from paper and analog methods of shipping to new innovative technologies when compared to industry rivals like aviation. But why is this and how could it affect maritime cybersecurity? Or have some seafarers not even evolved enough to be talking about it yet, let alone implementing new cyberprocedures on board? We have all met “that” captain who is nervous about “the machines on his ship.”

While the maritime industry doesn’t seem to have been strategically targeted in terms of the vessels themselves, there is now plenty of talk about “accidental” or naive seafarers accepting a generic phishing email that goes on to attack their computers.

Major corporations like Google and Yahoo have released statements stating they were deliberately hacked. The question is what will be first for the maritime industry: the deliberate or strategic hacking of an individual ship, or the shipping corporation as a whole? There has been a call for cyberspecialists to come and give answers to the potentially very real dangers facing the industry that could not only damage reputations but cause disruption to trade worth billions of dollars. Not all is lost, though, as long as we can move the industry forward to cope with the digital world we live in today.

Cybersecurity was a hot topic in 2016. However, now we are in 2017, and the seafaring community is becoming more aware of what can potentially happen. There is a real threat of cyberactivists starting to gain and change sensitive shipping data from our onboard equipment — such as changing a vessel’s route to cause a grounding, or gaining access to digitally controlled engine rooms and causing an alarm mute while an engine fails or even catches fire due to a “manual” overload by the hacker.

With more and more companies looking for insight into how to stop attacks from occurring, the main area of concern is the lack of security awareness by both companies and employees as they have been taken aback by the swift rise in the industry’s threat level from almost non-existent just a few years ago to today’s high alert. It is expected that shipping companies and independent vessels could be next on the list for major cybercrime activity as it is as yet mainly unexplored territory for hackers who are only now starting to realize its huge potential as a target. Attacks now have the capability to obtain sensitive ECDIS, AIS and GPS data (to name but a few), so it is vital that the correct procedures and processes are in place to stop the worst from happening.

The scary part is that 51 percent of U.S. adults suffered some kind of data security incident between December 2015 and December 2016. In 2015 there were 781 reported major company data breaches in the U.S. alone due to cyberattacks, which combined cost companies $400 billion. These are only the reported data breaches; sadly, there is often an element of “sweeping under the carpet” in all industries. This total will continue to rise if the maritime industry — where the proportion of those of digital native age is far lower — does not adapt to ever-changing technology and its latent major security threats. Overall, the predicted cost of cyberattacks in 2019 is estimated at a colossal $2.1 trillion.

The issue, alongside a lack of awareness by employees and users of operating systems, is the development speed of technology. This digital age of supercomputers, 4-D printing and nanotechnology is like no other and is proving to be self-accelerating — in other words, one technology is put into operation while the next generation, more powerful and innovative, is being produced, thereby creating an always expanding, developing and aggressive cycle. But, due to the speed of production, this process can lead to an unstable, unsecure and untrusted platform, as it is not able to keep up with ever-changing threats. After years of this development, technology companies are starting to adapt to the issue by developing and applying weekly software updates that try to manage security flaws within the software, while changes to future developments can help manage the constantly increasing cybercrime threat until the next global threat takes place or takes over.

Some maritime software manufacturers have used a physical security method of “locking out” their systems in order to intercept physical security threats altogether. However, this ironically increases the complication of applying security software updates. This restriction can complicate a shipping company’s decision to have an integrated bridge system due to issues with syncing and communication between different software manufacturers. If only specialized engineers and trained software technicians are allowed to apply updates, this can cause additional issues as well. Restrictions like these could mean that your system is 80 percent more susceptible to cyberthreats.

First off, the solution is simple — but it will cost you, which no one likes unless it’s necessary. Only some companies feel that cybersecurity is important enough to invest in it. Nevertheless, you will watch multiple companies become complacent and unconcerned about the real threat in the water until it becomes a reality and the organization comes grinding to a halt. In reality, if you spend as much on coffee as you do on cybersecurity measures, you will be hacked. It is alleged that almost every company in the world has already been hacked or, if not, will be soon. The director of the FBI, James Comey, had the following to say on Chinese hackers: “There are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese.”

This is the world as it is and therefore we need to change with it, not be 10 steps behind. First, we know the industry is struggling from sector to sector, but cyberattacks will only make this worse. So, the first move is ensuring education in cybersecurity awareness, preferably starting from the top and working down so that the entire seafaring community can spot a cyberattack and know what action to take in response. Experienced educational companies exist that offer in-depth, classroom-based courses on the subject of cybersecurity.

Countless companies are missing the correct procedures when it comes to security. A robust IT security policy is highly recommended, as this allows employees and users of all IT equipment to be clear as to how company data and information should be used on IT equipment. It’s not just small companies that struggle in this war against cyberactivists; large corporations are also at a major risk, primarily due to not having a dedicated IT and security team. It is recommended that a company appoints a cybersecurity chief to implement and respond to all cybersecurity-related issues or system flaws that may be found. This is so one person has ultimate responsibility for implementing and maintaining all cybersecurity measures within the company, thus ensuring consistency of approach.

Cybersecurity attacks are incorrectly thought of as attacks that occur just over the Internet due to the wrong security measures being taken. However, lack of physical security also can be a major factor in the cause of industry-changing attacks. During the 20th century, a majority of attacks occurred due to people not taking the correct measures to keep IT equipment safe — another reason why everyone must be aware of what’s coming. It really is as easy as someone coming into your reception area and asking you to print off a copy of their CV from a USB stick that is actually infected with multiple viruses. 

In summary, cybersecurity isn’t an issue we can ignore. Cyberattacks may not be directly threatening our vessels yet, but this will come in time when cybersecurity vulnerabilities are noticed by any cybercrime activists who want to damage the industry or cause major damage to infrastructure or even human life. It can be averted. Many, if not all, shipping companies have some form of internal network server that allows for all of their computers to communicate and send files between them, and therefore also connect to the Internet. Without the proper procedures in place, it could be all too easy for anyone to infect an auxiliary piece of equipment that connects to the “primary.” Think of the random software updates that happen every day, for example, to an engine room sensor test or to the bridge’s digital anemometer. These may not appear safety-critical, but they are connected to safety-critical systems. We often concentrate and develop robust procedures purely for the few safety-critical pieces of equipment, but attacks can and will take place on tertiary systems that are connected to it.

George Ward is involved in project support at U.K.-based ECDIS Ltd. 

By Professional Mariner Staff