In this day and age where automation, digitization and integration are vital driving factors in the shipping and maritime industry, the sector has become more susceptible to cyberthreats and cyberattacks. Experts have called cyberattacks against ships, including tankers, “a very modern form of piracy”.
Cyberattacks have not abated since four years ago when a single code crippled Danish shipping giant Maersk. Its operations in four different countries were halted, causing worldwide disruption and delays which lasted weeks.
Maersk was badly hit as a part of a global cyberattack named NotPetya on June 27, 2017, affecting all of its business units, including container shipping, oil tankers, port and tugboat operations, drilling services, and oil and gas production.
NotPetya had infected Maersk’s computer systems, destroying all end-user devices, including thousands of laptops, print capabilities and servers. The malware caused the company to suffer financial losses of up to US$300 million, despite its rapid response and recovery.
Another such threat is phishing, described by Interpol as “the most prevalent” cyber threat for stealing credentials. Over the years, phishing has pivoted towards other forms of cybercrime, such as data breach.
While such a threat is not new, cases of phishing have not seen a downward trend. According to data from the international consortium Anti-Phishing Working Group (APWG), 146,994 cases of phishing sites were detected in the second quarter of 2020. In its data, the logistics or shipping sector accounted for three per cent of the total number of cases.
A threat hiding in plain sight
International Association of Independent Tanker Owners (INTERTANKO) marine director Phillip Belcher said many in the industry have been “slow to recognize” the risks and dangers of cyberattacks.
“We think that we’re too small (of a company), or that there’s nothing to steal. Many of these such attacks happen time and again, involving malware, and money being syphoned off.”
Belcher was a panelist at the ‘Webinar on Economic Security, Cyber Domain, and Technology: Vulnerabilities and Prospects for Cooperation in the Indo-Pacific’, organized by the Maritime Institute of Malaysia (MIMA) on June 17, which was attended by Maritime Fairtrade.
The shipping and tanker industry, he said, should all be working under the assumption that they will be susceptible to a successful and penetrating cyberattack. He added that companies are not able to detect an attack until something has gravely failed.
If companies can remotely control their ships and tankers, said Belcher, then cyber criminals can also hack the systems and deny control, giving an example from the 1997 action thriller movie, “Speed 2: Cruise Control”.
“A company can control pumps and valves from London, control main engines and fuel supply from Hamburg, while the ship is in the high seas.
“This is particularly relevant when you think of places like the Melaka Straits and Singapore, where even a temporary loss of control could result in significant strategic and environmental damage,” he added.
Plan, prepare, practice
Belcher suggested that the main approach to gain better control over such cyberattacks is to thoroughly assess risks, develop protection measures and contingency plans, while continuously monitoring all equipment, including vetting through authority and access into it.
“We’re good at recognizing catastrophic failure, but terrible at recognizing slow changes and deviations,” Belcher said, pointing out that systems such as GPS and GNSS themselves were susceptible to slow failure.
But while cyberattacks paralyze a ship’s operations, taking back control is still a possibility. Belcher added that seafarers can take manual control, pulling plugs and relying on backup systems, including basic engine mapping controls which some engine systems still have.
This, however, is laborious, and requires patience and preparational planning, he said. However, the training is essential for companies and seafarers alike to identify errors and problems, and quickly figure out how to spring back from an attack.
“It may take a while, but it can be done. A loss of control of a ship, for somewhere like the Great Barrier Reef or even the Melaka Straits, can escalate to real-world damage, not just monetary loss.
“And we would probably not be able to detect the attack until something has failed. So, we have to plan, prepare, and practice. We should not be working in a vacuum. Work together and utilize traditional methods of checking,” Belcher said.
Ensuring a coordinated information flow
Meanwhile, INTERTANKO country manager for Southeast Asia Elfian Harun highlighted that more needed to be done to secure cybersecurity infrastructure and digital operation security at sea, including a streamlined and transparent reporting system and information flow.
He said while the International Maritime Organization (IMO) can issue rules and guidelines, each country is independent with its own set of laws and thus cannot be compelled to follow any regulations.
Elfian said that in many cases, the master on a ship may not even be familiar with who to report to if they have issues. A standard international reporting protocol and coordination is therefore crucial, he said, to ensure a fast and smooth information flow process.
“What we can do is to ensure that these rules or guidance are applied across all member states, making it easier for ships in the private sector to then navigate.
“There should also be one single point of contact, enabling single information flow which will go right through the industry and to the governments.”