Shipping got off lightly in first cyber security attacks, say legal experts

Maritime law firm Ince & Co told Riviera Maritime Media that shipping has been slow to acknowledge the risks posed by cyber security threats – particularly from a business standpoint.

Cyber attacks against large organisations and businesses have made headlines in recent months after millions was lost in attacks from viruses such as WannaCry and NotPetya. Among its other victims, the NotPetya virus took down the operations of container shipping giant Maersk in late June, reportedly costing the company up to US$300M.

However, shipping has got off relatively lightly thus far according to Ince & Co’s Hong Kong partner and cyber security representative Rory Macfarlane.

“If you looked at the cyber attacks earlier in the year, the WannaCry and NotPetya attacks, luckily for shipping, they weren’t massively affected by those. [Attackers] tended to focus on other sectors and other areas. The fact that Maersk was caught in that attack is not great for Maersk, but it was useful for the greater shipping market,” Mr Macfarlane said.

He continued “If a blue-chip operator the size of Maersk, with principle resources and cyber security firmly in mind could be caught in an attack, then I think it brings home the message that anyone could be caught.”

Mr Macfarlane said that media focus on terrorist or pirate cyber attacks on a vessel – and the potential for disastrous consequences – had led shipowners to be slow in showing concern around the incessant, low-level attacks directed at business operations.

“One of the reasons that shipping has been slightly slower to acknowledge the risk that cyber presents to their everyday business is that focus on the ship,” Mr Macfarlane said. “But… the majority of cyber attacks are focused on the shore-based operations.”

“The endless, day-to-day attacks that are happening as we speak against the business because of digitalisation and connectivity are equally affecting [shipowners and operators], and they’re much more likely to suffer a breach there or suffer a loss there. And they may have overlooked that, I think.”

However, Ince & Co’s London-based partner and cyber security representative Simon Cooper said that – while the shipping industry perceived the cyber risk somewhat narrowly as being primarily concerned with data – there was a growing awareness stemming from development of cyber security regulations by industry bodies.

“In about 2016, we began to see global shipping organisations like IMO take an interest in cyber risk and begin to redraw their guidelines to require the shipowners and operators to take a broader interest in it as well.”

With the converging increase in risk and rising regulatory awareness of the impacts of cyber crime, Ince & Co said it is well positioned to assist shipping businesses with getting their cyber affairs in order.

The sooner the better, according to Mr Macfarlane, who cited an increase in liability along with business risk as a primary reason why businesses should move ahead of IMO cyber regulations set to come into force in January 2021.

The cyber health check product Ince & Co are offering was developed after it was approached by the cyber security division of the Navigant consultancy group.

According to Mr Macfarlane and Mr Cooper, the partnership resulted in a product that is essentially a review against good practice. Ince & Co look for holes in contracts to maximise protection from liability, check the proper insurance policies are in place and then report back its findings, while Navigant focus on improving cyber security infrastructure.

These infrastructure needs are overseen by former assistant director of the FBI John Boles, who currently works as cyber security director for Navigant. Mr Boles served in the FBI for over 20 years, where he managed the organisation’s cyber operations and investigations after an extended stint overseeing FBI programmes in Ukraine. At Riviera’s European Maritime Cyber Risk Management Summit in June, he told Marine Electronics and Communications that Maersk should have avoided the cyber attack it suffered from the NotPetya virus by updating its software with security fixes from manufacturer Microsoft.

“This infection could have been avoided by applying the Microsoft security update …. With WannaCry, the patch was issued before the outbreak began. Companies who patched and updated were protected.”

As to why Maersk didn’t have the protections in place, the group spoke of the vast and ever-changing landscape of cyber threats. It said that companies rarely have the budget or ability to hire the manpower and expertise required to create their own cyber security apparatus, and that it makes sense to contract that out to external experts – likening it to a check-up at the doctor’s office. However, Mr Macfarlane said there’s no such thing as a cure-all for cyber threats.

“You’re never going to be 100% secure. If you’re being attacked by a nation-state actor, who is focused on getting at you, there’s only so much you can do,” Mr Macfarlane said. “But if you’re – like most companies – trying to protect yourself from the common cyber criminal, then, like any criminal, they’re looking for the easy win. If your system’s relatively robust, then they’re just going to move on to the next guy.”

As to how the group see threats evolving, Mr Cooper said there is a growth in targeting company vulnerabilities using social engineering attack vectors that often involve tricking people into breaking security procedures and that maritime companies will need to work together to fight the threat.

“I think social engineering is going to be where a lot of these mistakes are made,” Mr Cooper said. “One of the issues is that often attacks are not reported. One of the reasons for that is attackers come in and ask for a relatively low level of ransom and it’s much easier for the victim to just pay that, get rid of it, get over it and move on. One of the things I think the maritime sector is keen to develop is a system where operators can talk to each other and share information about what’s happening to them.”

One potential method for bringing added transparency to cyber attacks would be through a register or database of cyber incidents. However, the database could itself be a threat, offering information to cyber criminals. And the shipping industry’s history of secretive practices pose another potential hurdle in getting groups to work collaboratively.

“Understandably, nobody wants to wash their dirty laundry in public and, indeed, shipowners have been a little reticent about sharing,” Mr Macfarlane said.

Mr Macfarlane and Mr Cooper agreed that the industry was still in the very early stages of determining and implementing a system-wide solution for fighting cyber threats. In short, they said, the systems to counter attacks would be forced to evolve to meet a constantly-shifting threat.

“[Attacks] are becoming more sophisticated. Now, they’re multi-vector and involve the IT approach with the social engineering approach. And that’s how they get in.”


Leave a Reply