State-backed cyber warfare concerns grow
The threat of rogue states — or criminals acting for them — cannot be ignored; but since states and criminals use mostly the same cyber tools, the damage they can do can be limited
The Russian invasion of Ukraine has led to warnings of more spoofing, jamming and other state-backed cyber perils, though criminal ransomware is still the biggest source of attacks. To protect itself from both threats, shipping must cover the basics.
The threat of state-backed cyber attacks has returned with Russia’s invasion of Ukraine — but how bad is it?
The conflict has already led to spoofing and satellite jamming in the Black Sea region, and more attacks are expected, with the Nato Shipping Centre and US Maritime Administration issuing warnings to the shipping industry as the prevalence of things such as distributed denial of service attacks, known as DDoS attacks, and ransomware is expected to grow.
The infamous NotPetya ransomware incident, known to shipping as the Maersk cyber attack, began as a Russian assault on Ukraine that spiralled out of control. The escalating tensions carry a risk of more cyber warfare, as well as the conventional sort.
Risk Intelligence analyst Kristian Bischoff said Russia would use cyber tools to secure manoeuvring space — to know where its ships were, while keeping that knowledge from its foes.
Cyber insurer Astaara chief cyber officer Bill Egerton said while there is little good data on incidents, he has seen a sharp rise in cyber attacks with a war-like or terror character, and with a motive other than financial gain.
“Systems are being damaged, sensitive data is being exfiltrated and, while responsibility is not being admitted, there is clear evidence that tools and techniques are being deployed that are known to be used by groups with known links to nation states,” he wrote in February.
Attack vectors included compromised emails, exploitation of satellite communications, the use of remote access for updating third-party IT systems on board, using unsupported software, and improper use of USB sticks.
Mr Egerton told Lloyd’s List that shipping companies are a target both for the value of their ships and cargo for ransoms, but also for their crucial role in supply chains.
“You can affect economies significantly by undermining confidence in their marine infrastructure, whether it’s the ports, the terminals, the ships, the logistics train,” he said.
He pointed to attacks on Daewoo Shipbuilding & Marine Engineering last year, and on Iran’s Shahid Rajaee port terminal in 2020, as having “a fingerprint which is more than just your average drive-by shooting”.
CyberOwl chief executive Daniel Ng said while his customers are increasingly concerned about the possibility of war, he estimated 95% of attacks were still “opportunistic criminal activity, rather than nation state”.
However, he said the massing of ships could hurt navigation in the Black Sea, since a GPS signal weakens if it is spread between many ships in the same area, and priority is given to warships.
“As we start getting more of a build-up… there’s always the risk of a spoofing or jamming capability, but also a bit more basically, there is just an increased risk of disconnection,” Mr Ng said.
Allianz global cyber experts leader Rishi Baviskar said targeted attacks were harder to detect. Attackers could wait for years before striking and did not advertise their presence by demanding money.
Mr Egerton said while attacks on operational technology are reported to have increased in recent years, a company’s head office can often be more vulnerable than its ships.
“If you want to attack an engine management system, you’ve got to know your onions,” he said. “But if you want to attack an IT system, you can buy a kit off the dark web and have a go and see where you get.”
Yet while state-backed attacks can cost companies millions, their powers to harm ships should not be mythologised. A ship with a jammed or spoofed satnav can still navigate the old-fashioned way if needed.
Not all attacks cripple their targets either; some seek only to steal processing power to mine Bitcoin without the target’s knowledge.
Mr Bischoff said there were limits to what cyber can do in war and its threat was often overhyped.
Last year, reports said Iran had worked out how to hack ballast tanks to let in so much water as to tip over the vessel. Yet Mr Bischoff said driving it full steam ahead then pulling a sharp U-turn would do the same trick — and, at any rate, Iran was “capable of punching holes in ships whenever they want” with missiles.
States could cause more harm by disrupting port operations than interfering with ship movements, he added.
While the other weapons available to nation states far outclass those available to criminals, cyber attackers use mostly the same tools. Mr Bischoff noted that a criminal cyber attack shut down South Africa’s port of Durban in July 2021.
“The interesting thing is that whether or not it’s a criminal or a state, the outcome will be the same,” he said.
This means the threat is wide-ranging, but also limited. Even NotPetya exploited known vulnerabilities and was delivered through an update from an otherwise trustworthy supplier.
And, while a company may not be able to do much about a targeted attack by a foreign spy service, such services are less likely than criminals to target shipping companies unconnected to national conflicts.
As with the pandemic, there is a risk of new cyber variants emerging, against which the community has no protection. Yet like the coronavirus, the same protective measures work for most of the viruses circulating in that community.
“By doing the basics properly, you get a lot of protection,” Mr Egerton said.
Shipping wakes up
Shipping’s cyber awareness is improving slowly, helped by the IMO2021 call for ships to plan for it in their safety management systems and by the steady increase in incidents as companies learn vigilance the hard way.
Flag state authorities like the US Coast Guard have actively enforced the new IMO requirement. The International Association of Classification Societies is looking at how to harmonise different responses to it.
Governments are becoming less tolerant of breaches, especially of personal data. However, they need to be better at advising on best practice, to stop companies that skimp on security from distorting the market with artificially low prices.
Owners are also looking at how much to insure against cyber risks. And they are increasingly mulling whether to separate their cyber-security operations from the rest of their IT departments, so the former can better police the latter.
Mr Ng said the industry is talking about the topic differently than even a year ago: “People are just waking up to the idea that they’ve got to do something about it.”
However, there is a gap between those on shore and at sea: 83% of shore-side employees feel close to ready for an incident, but just 37% of seafarers feel the same, a survey of 200 companies found.
It found the average cost of cyber attacks to operators was about $1.8m a year — including costs of paying ransoms, mediation, and bringing hacked systems back online — while companies spent just $100,000 a year on cyber security.
Mr Egerton said companies find it hard to calibrate how much to pay because of the perceived disparity between the risk and return of cyber security.
Cyber risk remained an alien concept to most people. Human factors like improper use of personal devices could run a coach and horses through security policies, he added.
The only safe option was for companies to assume they would be hit, work out how much they could lose, and how much they were willing to invest to reduce that amount. Good cyber defence is not a one-off purchase, but a change in how companies do business.
Mr Baviskar said crew training, including scenario testing, was important — as was segmenting a company’s IT operations to diffuse the risk.
And better “cyber hygiene” did not mean upgrading everything at once. Companies should protect their crown jewels first and review their cyber security regularly, he said.
“We’ve seen companies moving towards that. But again, if you want to save some losses, you have to invest money and time.”