Can your Port weather the perfect Cyber Storm?
23 Nov 2020 | Urs Mosimann
The World Economic Forum cites cyber-attacks on critical infrastructure, including the transport sector, as the world’s fifth-highest risk overall and the second most concerning risk for doing business in 2020, owing to both a high likelihood and a high expected impact.
The last three years have seen all four of the world’s largest shipping companies (APM-Maersk 2017, COSCO 2018, MSC 2020, CMA CGM 2020) hit by cyber-attacks. No other industry sector has seen its Big Four suffering major cyber incidents in such short order.
Previously, the sector was mostly the victim of untargeted attacks. Maersk, for example, became collateral damage of an attack intended to disrupt the Ukrainian energy sector when it was infected by the NotPetya malware used in that campaign.
These incidents put the sector in the crosshairs of criminal threat actors, who realised that it might be an easy target for ransomware attacks (COSCO, CMA CGM). Other criminal groups are exploiting weaknesses in port data protection. Examples include cyber-enabled pirates who look for ship manifests and container ID numbers in order to target and capture ships carrying containers of high-value goods such as electronics and jewellery, and the spear-phishing drug traffickers who compromised the Port of Antwerp’s IT systems between 2011 and 2013, changing records to arrange the pickup of drugs hidden in shipping containers.
Recently, particularly with the changing geopolitical situation in the Middle East, we are seeing intensified threats from state actors. National critical infrastructure is at the top of their target lists for obvious reasons. Compounded by years of underinvestment in cybersecurity in the region, this has led to a situation where Digital14 sees two types of corporate and government IT systems: those known to have been hacked and those that don’t yet know they have been hacked. I may be overstating the issue, but not by far. The average time to identify and contain a breach in the Middle East was 369 days in 2020, 34% higher than the global average (IBM).
Against the backdrop of this evolving threat landscape, the maritime sector is undergoing a major transformation driven by digitisation and automation. The complex flows of goods, documents and money between Exporters, Freight Forwarders, Ports & Terminals, Ocean Carriers, Customs and Authorities, and Importers are rapidly being interconnected and digitised. The assets along the supply chain are also getting more and more connected, automated and remotely monitored. This greatly increases the attack surface available to cyber threat actors.
The potential for efficiency gains through digitisation is huge in the sector. Traditionally, a simple shipment of refrigerated goods from East Africa to Europe can pass through nearly 30 people and organisations, with more than 200 different interactions and communications among them. The cost of paperwork alone is estimated to account for around 15% of total shipping costs (Forbes), and this is before accounting for the cost of delays, which are frequently caused by errors in, or mishandling of, documentation.
To address these issues, realise the potential efficiency gains and generate additional value, Port Community Systems (PCS) are being integrated into ecosystem platforms to create so-called Single Window Trade Platforms. Shipping companies are also investing in blockchain-enabled digital shipping platforms to accelerate the transformation and provide greater trust, transparency and collaboration across supply chains.
At the operational level offshore, in the terminals and extending into the hinterland, the physical assets are also becoming more automated and connected. Automation is driving efficiency from ships to quay cranes, terminal trucks, stacking, truck loading and gates. All of this equipment is remotely monitored and enables real-time tracking of shipments, including sensors for temperature, humidity, light and shock exposure. This introduction of the Internet of Things (IoT) and Industrial Internet of Things (IIoT) brings a level of complexity and Internet exposure never seen before.
Integration through digitisation, and the resulting convergence of information technology and operational technology layers, make the sector inherently vulnerable to cyber threats. So the maritime sector is steadily becoming a more attractive target while at the same time running the risk of becoming more vulnerable. Together, these trends combine to create the perfect cyber storm.
Figure 1: Growing Attack Surface in Maritime Sector
So how can you make sure you are prepared to weather this storm and build cyber resilience? I propose six areas of focus:
Cyber Risk Management is a strategic and operational imperative that must be managed at C-Suite level. Companies need to realise the absolute necessity of having a Chief Information Security Officer (CISO) who is responsible for security, able to translate the risks into language that the other members of the C-suite understand, and able to bring objectivity into discussions about budgets, resource allocation, risk mitigation and business decisions. Information security has become too vital and too specialised to be performed on a part-time basis. We have reached a tipping point where security cannot be an afterthought; it has to be incorporated into the business decisions a company is making.
Your people are your most significant risk, but they can also be your strongest line of defence. Underinvest in your staff, their training and their capabilities, and you are more likely to suffer a breach. The most comprehensive ISMS and the best security technology will only go so far if the people tasked to execute, configure and monitor it do not have the necessary capabilities. And if your users do not have the awareness and training to avoid unsafe behaviour, threat actors will circumvent your defences with ease. With both technology and the threat landscape evolving at an increasing pace, it is crucial to have a solid, comprehensive and constantly adapting education and training program in place that is tailored to the various relevant functional areas and to the user base at large.
Getting the basics right will prevent the majority of untargeted attacks. It will also encourage most cybercriminals to look for easier targets elsewhere. Cyber essentials will protect small to medium-sized entities from such types of attacks. This includes:
However, depending on your size and criticality, you will have to deploy higher-level controls that reduce the impact of targeted attacks by sophisticated adversaries leveraging advanced capabilities, especially Advanced Persistent Threat (APT) actors. These include:
Figure 2: Beyond Cyber Essentials
Each entity has to make its own assessment of its organisational risk posture, exposure and appetite. Whatever you choose, you have to make sure you invest appropriately. If you are caught unprepared, the cost of a single major breach is likely to eclipse the cost of your cybersecurity program for multiple years.
Operational Technology (OT), such as Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA) systems and Industrial IoT, is being exposed directly to outside risks via remote monitoring, WiFi-enabled controllers and USB devices used to update software. Legacy OT systems are often running on decades-old technology, including outdated operating systems and middleware. This makes them an easy target, which has led to growing interest from threat actors. Events in which threat actors targeted ICS increased over 20x from 2018 to 2019 (SecurityIntelligence). Most of the observed attacks relied on combinations of known vulnerabilities in SCADA and ICS components, and exploit kits for legacy ICS technology are increasingly available on easily searchable internet sites.
To combat these risks, OT network security management needs to be brought up to par with IT security management programs. The starting point is visibility: it is essential to understand the environment and its connections in order to design an appropriate security architecture, map the entire attack surface, identify attack vectors and locate blind spots. Based on such a comprehensive network, vulnerability and threat model, the appropriate controls can then be put in place, including passive monitoring and real-time anomaly detection.
The tactics and tools of threat actors are rapidly evolving. Hackers change their tactics far faster and more easily than we can update our defences. Around 350,000 new malware samples are produced every day (DataProt), and so-called ‘crypting’ services test them against all AV products on the market and obfuscate them until the malware is found to be completely undetectable by all of them. The bad guys call this state “fully undetectable”, or “FUD” for short. As a result, on average, antivirus software is only 25% successful at detecting new malware (DataProt). AV products that rely solely on signatures are therefore relatively useless in isolation.
We therefore need detection along all phases of the cybersecurity kill chain, not just the exploitation phase: from reconnaissance (e.g. suspicious IP addresses), through privilege escalation and lateral movement, all the way to exfiltration. We need actionable intelligence fed into the organisation, and we need to share industry- and region-specific threat intelligence in real time and collaborate across the maritime ecosystem. Only united will we succeed.
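The visibility-first approach described above can be made concrete with a passive monitor that learns which assets talk to which over which industrial protocols and then flags deviations. The following is an added example written for this article, not code from the original post or from Digital14: the asset inventory, zone, IP addresses and flow records are constructed, and the only real values are the standard port assignments for Modbus/TCP (502), S7comm (102), EtherNet/IP (44818) and OPC UA (4840). In practice the learning set would come from traffic captured passively on a SPAN or TAP port during a trusted period.

```python
"""Passive OT network baseline and anomaly detection (added example).

Not code from the original post or from Digital14. Asset names, the OT
zone, IP addresses and all flow records below are constructed for
illustration; a real baseline would be learned from passively captured
traffic rather than typed in.
"""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

# Constructed asset inventory for a small terminal OT zone (hypothetical).
ASSETS = {
    "10.20.0.10": "engineering-workstation",
    "10.20.0.20": "scada-server",
    "10.20.0.31": "crane-plc-01",
    "10.20.0.32": "crane-plc-02",
    "10.20.0.40": "historian",
}
OT_ZONE = ipaddress.ip_network("10.20.0.0/24")  # constructed zone

# Standard industrial protocol ports: Modbus/TCP, S7comm, EtherNet/IP, OPC UA.
OT_PORTS = {502: "modbus", 102: "s7comm", 44818: "enip", 4840: "opcua"}


def learn_baseline(flows):
    """Record every (src, dst, dport) conversation seen in a trusted
    learning period. Returns a frozenset used as the 'known good' model."""
    return frozenset((f.src, f.dst, f.dport) for f in flows)


def classify_flow(flow, baseline):
    """Return a list of alert strings for one flow (empty if benign)."""
    alerts = []
    src_in = ipaddress.ip_address(flow.src) in OT_ZONE
    dst_in = ipaddress.ip_address(flow.dst) in OT_ZONE
    # 1. A device inside the OT zone that is not in the inventory:
    #    either an inventory gap or a rogue asset. Both are blind spots.
    for ip, inside in ((flow.src, src_in), (flow.dst, dst_in)):
        if inside and ip not in ASSETS:
            alerts.append(f"unknown-asset {ip}")
    # 2. An industrial protocol crossing the zone boundary.
    if flow.dport in OT_PORTS and src_in != dst_in:
        alerts.append(f"{OT_PORTS[flow.dport]} across zone boundary "
                      f"{flow.src}->{flow.dst}")
    # 3. A conversation never observed during the learning period.
    if (flow.src, flow.dst, flow.dport) not in baseline:
        alerts.append(f"new-conversation {flow.src}->{flow.dst}:{flow.dport}")
    return alerts


def detect(flows, baseline):
    """Run classify_flow over a flow stream; return {index: [alerts]}
    containing only the flows that raised at least one alert."""
    findings = {}
    for i, f in enumerate(flows):
        alerts = classify_flow(f, baseline)
        if alerts:
            findings[i] = alerts
    return findings


# Constructed learning-period traffic (what "normal" looks like).
LEARNING = [
    Flow("10.20.0.20", "10.20.0.31", 502, "tcp"),   # SCADA polls PLC 1
    Flow("10.20.0.20", "10.20.0.32", 502, "tcp"),   # SCADA polls PLC 2
    Flow("10.20.0.10", "10.20.0.20", 3389, "tcp"),  # engineer RDPs to SCADA
    Flow("10.20.0.31", "10.20.0.40", 4840, "tcp"),  # PLC 1 -> historian
    Flow("10.20.0.32", "10.20.0.40", 4840, "tcp"),  # PLC 2 -> historian
]

# Constructed live traffic containing three anomalies after a normal flow.
LIVE = [
    Flow("10.20.0.20", "10.20.0.31", 502, "tcp"),  # normal
    Flow("10.20.0.10", "10.20.0.31", 502, "tcp"),  # workstation talks Modbus to PLC
    Flow("10.20.0.99", "10.20.0.32", 502, "tcp"),  # unknown device inside the zone
    Flow("192.0.2.15", "10.20.0.31", 502, "tcp"),  # Modbus from outside the zone
]

if __name__ == "__main__":
    base = learn_baseline(LEARNING)
    for idx, alerts in detect(LIVE, base).items():
        print(LIVE[idx], "->", "; ".join(alerts))
```

The three checks correspond to the three visibility questions in the text: do we know every asset, do we know every path across the IT/OT boundary, and do we know what normal conversations look like. Because the monitor only reads flow records, it never sends a packet to a PLC, which matters on legacy equipment that may not tolerate active scanning.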
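One way to get beyond signature-only detection is to describe each kill-chain phase as a behavioural rule and correlate hits per host, so that a single low-confidence event (one inbound connection from a flagged address) stays quiet while a sequence of phases raises an alert. The following is an added example written for this article, not code from the original post or from Digital14: the key=value log format, the field names, the threat-intelligence list (documentation-range addresses, not real indicators), the "known cloud" allow-list and every sample event are constructed for illustration.

```python
"""Kill-chain phase correlation over host log events (added example).

Not code from the original post or from Digital14. The log format, field
names, threat-intel list, allow-list and sample events are constructed.
"""
import re
from collections import defaultdict

# Constructed shared threat-intel feed (documentation ranges, not real IoCs).
TI_BAD_IPS = {"198.51.100.23", "203.0.113.77"}
# Constructed allow-list of destinations where large uploads are expected.
KNOWN_CLOUD = {"backup.example.net"}

PHASES = ["reconnaissance", "initial_access", "privilege_escalation",
          "lateral_movement", "exfiltration"]
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse 'TIMESTAMP key=value key="quoted value" ...' into a dict."""
    ts, _, rest = line.strip().partition(" ")
    ev = {"ts": ts}
    for key, val in KV_RE.findall(rest):
        ev[key] = val.strip('"')
    return ev


def phase_of(ev):
    """Map one event to a kill-chain phase with behavioural rules, or None.
    None of the rules depend on a file hash, which is the point."""
    kind = ev.get("event")
    if kind == "inbound_connection" and ev.get("src") in TI_BAD_IPS:
        return "reconnaissance"
    if (kind == "process_start"
            and ev.get("parent", "").lower() in ("outlook.exe", "winword.exe")
            and ev.get("image", "").lower().endswith(
                ("powershell.exe", "cmd.exe", "wscript.exe"))):
        return "initial_access"       # mail/office client spawning a shell
    if kind == "group_change" and ev.get("group") == "Administrators":
        return "privilege_escalation"
    if (kind == "remote_logon" and ev.get("logon_type") == "3"
            and ev.get("share", "").endswith("$")):
        return "lateral_movement"     # network logon to an admin share
    if (kind == "outbound_transfer" and int(ev.get("bytes", "0")) > 50_000_000
            and ev.get("dst") not in KNOWN_CLOUD):
        return "exfiltration"
    return None


def correlate(lines, min_phases=2):
    """Return {host: [phases in time order]} for hosts that show at least
    min_phases distinct kill-chain phases. A lateral-movement event is also
    credited to the source host, since that is where the attacker came from."""
    seen = defaultdict(dict)  # host -> {phase: first timestamp}
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        phase = phase_of(ev)
        if phase is None:
            continue
        hosts = [ev["host"]]
        if phase == "lateral_movement" and ev.get("src_host"):
            hosts.append(ev["src_host"])
        for host in hosts:
            seen[host].setdefault(phase, ev["ts"])
    alerts = {}
    for host, phases in seen.items():
        if len(phases) >= min_phases:
            alerts[host] = sorted(phases, key=lambda p: (phases[p], PHASES.index(p)))
    return alerts


# Constructed sample events: one intrusion spanning two hosts, plus two
# benign-looking single events that must not alert on their own.
LOGS = r"""
2020-11-20T08:01:12Z host=WS-OPS-07 event=inbound_connection src=198.51.100.23 dport=3389
2020-11-20T08:30:05Z host=WS-OPS-07 event=process_start parent=OUTLOOK.EXE image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2020-11-20T08:31:40Z host=WS-OPS-07 event=group_change user=svc_crane group=Administrators action=add
2020-11-20T09:02:11Z host=SCADA-SRV event=remote_logon logon_type=3 user=svc_crane share=ADMIN$ src_host=WS-OPS-07
2020-11-20T11:45:00Z host=SCADA-SRV event=outbound_transfer dst=203.0.113.77 bytes=812000000
2020-11-20T12:00:00Z host=WS-HR-02 event=inbound_connection src=203.0.113.77 dport=445
2020-11-20T12:10:00Z host=FILE-SRV event=outbound_transfer dst=backup.example.net bytes=900000000
"""

if __name__ == "__main__":
    for host, chain in correlate(LOGS.splitlines()).items():
        print(f"{host}: {' -> '.join(chain)}")
```

The threat-intel set is the piece that benefits from the ecosystem sharing the text calls for: an address seen probing one terminal becomes a reconnaissance indicator for every other participant the moment the feed is updated, without waiting for a malware sample to be signatured.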
There is no 100% protection against cyber-attacks. Even after applying all the best practices highlighted above, most companies will experience a breach at some point in time. The impact of the attack will depend on how quickly you can contain it, respond and recover. In the aftermath, most businesses will see a reduction in their operational abilities, downtime, and damage to reputation and revenue. It is therefore imperative to have adequate business continuity management and disaster recovery plans, and to fully test them regularly. Prepare for the worst, while hoping you never have to demonstrate your proficiency anywhere other than in a drill.
The cyber threat landscape is as unforgiving as the sea. And the duty of care is neither optional nor negotiable. With the above areas in good shape, your IT/OT ‘ship’ will be seaworthy.