Today's Pirate Count on Connectivity
Coastal nations all continuously undertake surveillance of their maritime domains to measure and dynamically assess the risk of threats such as smuggling, piracy, pollution and terrorism. They invest in resources and action plans to rapidly react to any incidents that may unfortunately transpire.
But when it comes to the threat of cyber-attacks on vulnerable vessels that are either already within their waters or on route to them there is a definite need for wider and more inclusive consideration to prevent such threats from impacting their own maritime domains. The rapid adoption of new operational technologies and an increased dependence on networked cyber structures opens the possibility of cyberattacks that could threaten the economy, crew safety, the environment, or national security. We can confidently say digital hostility in today's connected world is going to get more and more sophisticated with time.
We live in a deeply integrated environment - whether we like it or not. All it takes is one infected person to fly into a city on an airplane with a hundred and ninety-nine other unsuspecting passengers to unwittingly start an epidemic in that city. We have seen this with Avian flu, SARS and the Zika virus.
Cyber risks are no different, hence the use of the same words - virus/anti-virus, infected - when talking about cyber hygiene of infrastructure.
DARKER MEANINGS
Under the IMO SOLAS regulations, ships transmit their location at
regular intervals using AIS. If a ship moves out of range of receivers,
the transmitted signals will not be detected. It used to be commonly
assumed that if there was a long period of AIS silence in a good
coverage area then this could be indicative of a ship having switched
off its AIS transmitter to covertly carry out illegal activities.
These days, a ship going "dark" could also be a sure sign of cyber-attack.
This potential offers rich pickings to the enterprising hacker, pirate and thief. Load theft, smuggling of stowaways, human trafficking, drug running, illicit arms trading, and even the crippling or sinking a vessel are very real threats - all that can be managed from thousands of miles away merely using a computer connected to the internet and equipped with the correct mix of software. Some call it a boom era for the dark web
Satcoms, mobile data and wi-fi through to propulsion and loading systems can all be comprised by a hacker – inflicting financial losses and causing safety compromises. Besides these, there are a multitude of other entry points; for example, today's crew, or more specifically their personal devices that they bring on board, are the potential source of many cyber intrusions. The crew bring their own devices on board and access the ships' systems or network. Although this may be both beneficial and economical for ships, these privately-owned devices cannot be completely managed to ensure compliance with cyber security norms. This significantly increases cyber vulnerabilities and the risk of exposure.
Besides owned devices, there are typically tens of vendors involved in the connected systems on ships, from providers of desktop PCs, to satcoms for Internet, electronic charting systems (ECDIS), MMI, control systems, radar systems and many other control systems. This in itself brings about a risk-enhanced situation since each vendor/manufacturer could introduce their own peculiar vulnerabilities.
The average technology user is not well versed in matters of cyber risks and security. As the crew connect their own device - that might have been exposed to some viruses, spyware or similar cyber threats - to the ship's network, this will compromise the ship's network and all the devices connected to it. The consequences for infecting the ship's network are limitless and quite severe. Ship's communications may be compromised, manipulated or forged, and can ultimately be used in many ways to cyber-attack a ship and endanger the cargo or crew.
WAKE-UP CALL
Despite the evident threat the industry at large has its head in
the sand. The following expert comments can help to induce a'sense
of reality.
"There are no official records on the number of cyber- security attacks that have hit the maritime sector, despite the threat being real," says Andrew Fitzmaurice, chief executive of a reputed British cyber-security outfit. This is because companies are reluctant to report for fear of reputation damage. However, what they may fail to understand is that once they are found to be an easy target for cyberattacks and they do not take serious action to guard against it, cyber attackers will keep targeting them as their vulnerabilities are known. Ultimately, the end result for these companies will be a grave financial and clientele loss.
Scott Bough, executive director of the Centre for Cyber Defence & Forensics, based in Ohio, estimates that "a successful cyber-attack may cost the equivalent of losing one or two ships for a shipping firm".
Despite knowing the facts and the prevailing scenario, many in the industry still view cyber security as a cost rather than an enabler to their business. Consequently, any investments in cyber-security initiatives tend to be entirely reactive. Nor does it help that it is difficult to calculate the return on investment in proactive isolated cyber-security initiatives. This reluctance leaves businesses open to counting the cost of an attack. The cost invested in cyber security is quite insignificant compared with the cost of damage inflicted on a vessel that falls victim to a cyberattack.
People need to understand that while they or their company may not be the intended target of a hack attack, the sheer interconnectivity that has become the backbone of today's business may ensure that they are passive victims, nonetheless.
As Prakasha M Ramachandra, employee of a global design and engineering company, puts it: "It is time to understand that most maritime pirates are no longer just sailing the seas looking for vessels to board and rob. Instead, they are sitting at computers in offices thousands of miles away. Yes, even piracy has gone high-tech, and they are looking for vulnerabilities. In fact, instead of the sword or machine gun, they are hacking into merchandise details including bills of lading, to see which vessels are scheduled to carry it. Then, they will send traditional pirates to board the vessel, take the crew hostage and locate what they are looking for via a barcode reader."
"We can confidently say digital hostility in today's connected to world is going to get more and more sophisticated with time"
SEEK HELP
Since cyber security cannot be expected to be a core competence
of a shipping company, it makes sense for shipping companies, ports
and terminals to seek professional advice on the new policies and
procedures emerging from the IMO and governments. They could also
consult experts in data protection and cyber-security products and
services. This, together with education and training of staff in
safe or hygienic cyber practices, could well help protect assets
both on and offshore. it is very important for people in the maritime
industry to alter their view on how fast the digital eco-system
is changing and embrace the fact that technological advancement
has changed the status quo approach of "sustaining outdated technology".
It is now critical and essential that all actors in the merchant shipping sector reach industry standards of cyber security by proactively adopting security software and hardware and training staff in the safe use of connected devices.
About the Author
Captain Zarir S. Irani
An OCIMF-accredited OVID inspector and eCMID auditor, Regional Director of the International Institute of Marine Surveying (IIMS) as well as member of the IIMS Board of Directors. He is also Regional Director of the Antigua and Barbuda Maritime Flag Registry, and Director of Constellation Marine Services. Pradeep Luthria is a senior technology management professional with global experience. His domain areas are oil and gas, shipping, logistics, ports and free zones. He is a senior cyber security consultant of Vulnerability Audits.
Mr. Pradeep Luthria
Pradeep Luthria is a senior technology management professional and a senior cyber security consultant of Vulnerability Audits. Vulnerabilityaudits.com is a global service. provider of cyber security/forensics and cyber vulnerability assessments for shipping, logistics, ports and terminals.