Is the shipping industry’s most valuable commodity also its biggest risk?
As one of the world’s oldest industries, the shipping industry has capitalised on its capability to move assets around the world for thousands of years. Whether for trade, military or tourism, there are more than 50,000 ships world-wide that currently navigate our waters and both facilitate thriving economies and promote nation state security.
Know your risks and implement security measures
Our recent maritime report has explored the cyber security challenges that the maritime industry is facing now and will likely face in the future. With the increasing trend of attackers turning their attention to ships and shipping operations, more needs to be done to identify cyber risks at sea and mitigate them. One way to begin this process is to perform a risk assessment. Traditionally, a business might perform a risk assessment periodically, say on a yearly basis, to identify what security risks need addressing, and follow this by implementing the right measures to protect against these risks occurring.
But what happens when your risk profile is constantly changing? Variables such as a ship’s cargo, employees and geography can change drastically within 24 hours as a ship makes its journey across the world and participates in trading. The main inputs to assessing risk are therefore constantly changing, significantly more than for a standard business that needs to implement cyber security measures – so how is it feasible to have confidence that ships are implementing the right security in such a unique situation?
What are the key changing risk factors?
We have identified the main factors impacting cyber security that are associated with the constant movement of trade ships as follows:
- Route: A ship relies on multiple navigation technologies to get it safely from point A to point B without damaging it, its cargo or risking life onboard. But what if malware could ever so slightly change measurements over time, à la Stuxnet? This would have little impact in the Pacific; but in the Panama Strait it would be catastrophic and the perfect attack for criminals to launch in order to then loot a ship.
- Cargo: A ship will be carrying multiple cargos of different market value during its route and over time. These cargos may also have different value to different territories and groups. Cargo systems can be compromised, providing intelligence to criminals who can subsequently target specific cargo ships and resell the cargo on the black market. For example, pharmaceuticals would be an attractive target due to their high value on the black market.
- Piracy: There are certain areas of the world which may be at higher risk of attack from piracy, such as the seas that border Eastern Africa. Not only could the cargo training systems be tracked to identify when ships are carrying precious cargo like gold; we understand that pirates could also manipulate systems and spoof the position of ships in distress. This would result in a longer period of time for them to carry out their physical attacks.
- Ports and business operations: Shipping staff may engage with multiple ports and succumb to various operational processes each time, notably payment and administration regarding docking. Threat groups have been known to track ships and spoof emails to shipping companies to request payment for their upcoming or previous docking. This has resulted in ships losing money as they have been unable to distinguish what is the legitimate process for these payments – made harder when a ship uses many ports over a short period of time.
Should one prepare for the worst-case scenario and build in military style security?
No, not necessarily as that would be expensive and inefficient.
Military vessels have a solution. They will assess each mission and prepare for the possibilities, both en route and in protecting what they have on board. The risks will depend on their location and the possible adversaries there, along with their capabilities. Only by understanding this can they provide a degree of security assurance for their mission.
However, standard cargo ships cannot justify military grade security measures. Using a ship that was built to withstand war to distribute bananas around the world is not economically efficient, even if that ship occasionally transports gold and pharmaceuticals that may justify cyber-attack from any adversaries.
How do we address the risks of movement?
There is no simple answer at this stage – it requires shipping stakeholders to appreciate that to achieve security there is a need for cultural change and new risk management processes. Embedding processes that ensure risks are identified regularly will help, as well as always being aware that the named risk factors will change with the ship’s journey.
In relation to our four main risk factors, we suggest the following as a start:
- Protecting the route: improve security training provided to captains and navigation staff so they can identify areas of over-reliance on navigation technology. They will then be able to help implement safeguards in the navigation processes. There may also be a requirement in future for technology teams to implement integrity checking data solutions for critical navigation systems.
- Protecting the cargo: improve prevention and detection controls. An example would be to implement security monitoring capabilities for cargo systems and suitable workflows to initiate when a security alert is triggered (such as external access to the systems).
- Protecting from piracy: operational staff will need to identify these geographical areas in advance and be at heightened awareness. Additional measures to assure security could be regular “location check-ins” over another medium to verify technical navigation data provided to control rooms. Further training could be provided to stakeholders in how to respond to piracy through simulations and coaching. Utilise threat intelligence to understand where and how attacks like this could happen by tracking groups, their motives and approaches.
- Protecting port and business operations: increase security awareness and improve maturity of security through maritime businesses. Remove the reliance on security being simply “technology solutions implemented out-of-the-box” or a dedicated person such as the Cyber Security Officer (CySO) on board ships. Instead, review both cyber security strategy and business processes to identify where improvements can be made to close security gaps.
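The “location check-ins” suggested above can be reconciled automatically against the position the navigation system reports. The following is an added example, not taken from the report: the record format, function names and thresholds are assumptions, and it goes slightly beyond the text by also flagging an offset that keeps growing while still small, which is the slow measurement drift described under the route risk.

```python
import math

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles

def haversine_nm(a, b):
    """Great-circle distance in nautical miles between (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(h))

def review_check_ins(records, alert_nm=2.0, drift_runs=3, drift_floor_nm=0.2):
    """Compare navigation-system positions with independent check-ins.

    records: (timestamp, nav_position, check_in_position) tuples in time order.
    Returns (timestamp, kind, offset_nm) findings. "MISMATCH" means the offset
    exceeds alert_nm. "DRIFT" means the offset has grown for drift_runs
    consecutive check-ins while still below alert_nm. The thresholds are
    assumed values and need tuning per vessel and per check-in method.
    """
    findings, growing, previous = [], 0, None
    for ts, nav, check_in in records:
        offset = haversine_nm(nav, check_in)
        # Count consecutive increases, ignoring noise below drift_floor_nm.
        if previous is not None and offset > previous and offset >= drift_floor_nm:
            growing += 1
        else:
            growing = 0
        if offset > alert_nm:
            findings.append((ts, "MISMATCH", round(offset, 2)))
        elif growing >= drift_runs:
            findings.append((ts, "DRIFT", round(offset, 2)))
        previous = offset
    return findings

# Constructed sample data: hourly positions from the navigation system and
# from a check-in sent over a separate channel (assumed to be trustworthy).
SAMPLE = [
    ("00:00", (10.0000, -30.0), (10.0000, -30.0)),
    ("01:00", (10.1000, -30.0), (10.1005, -30.0)),  # normal fix noise
    ("02:00", (10.2000, -30.0), (10.2050, -30.0)),
    ("03:00", (10.3000, -30.0), (10.3100, -30.0)),
    ("04:00", (10.4000, -30.0), (10.4150, -30.0)),  # third growing offset
    ("05:00", (10.5000, -30.0), (10.5500, -30.0)),  # about 3 nm apart
]

if __name__ == "__main__":
    for finding in review_check_ins(SAMPLE):
        print(finding)
```

A finding only says that the two sources disagree; deciding which one to trust remains an operational procedure for the bridge and the control room.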
For more information on the cyber security challenges the maritime industry is facing and our recommendations to address them, please read our report here.