Keeping data safe and systems protected is a key challenge for global companies. Yet, many companies are not prepared for an attack on their infrastructure. We have spoken to shipping and cyber security expert Lars Jensen of Improsec about the state of cyber security in global shipping and logistics. He explains why the next attack in the industry is not a question of ‘if’ but ‘when’.
Imagine hackers infiltrate a ship’s system, steer it at full steam into the port of Hamburg to create chaos and destruction. According to Lars Jensen, this scenario may be compelling for a Hollywood movie, but is highly unlikely to be taking place in the real world. A realistic attack on a shipping company does not have to look spectacular from the outside in order to bring about great damage and financial losses. A more likely scenario of an attack on a vessel is that the ship’s systems are shut down by a virus. “A capable crew will still be able to maneuver the ship and bring it to port safely”, explains Lars Jensen. “But the ship becomes commercially unavailable for several days or even weeks, leading to hundreds of thousands of dollars in lost revenue.”
The fact that the four largest carriers have all been attacked within the last three years highlights the vulnerability of the shipping industry. On shore, shipping companies are just as vulnerable as other multinational companies. “The decentralized setup of shipping and logistics companies with a network of subsidiaries and agents that all have access to a company’s servers offers a very broad attack surface”, says Lars Jensen. Therefore, the expert recommends that cyber security should be part of any company’s business contingency plan.
Why do shipping companies become targets?
There are generally two types of attackers. First, state sponsored actors who are using cyber attacks for political ends. Shipping companies may become collateral damage in a quarrel between two states. In 2017, a cyber attack forced Maersk to halt all operations for several days causing over USD300 million in financial losses for the shipping company. It was caused by the NotPetya Malware that mainly targeted the state of Ukraine. Many other global companies were affected by it as well.
For the second type of attackers, cyber attacks are a business model. Criminals use ransomware to coerce companies into paying large sums after their systems have been infiltrated. In these situations, the companies have to make a quick decision: Do they pay the criminals whatever they are asking in Bitcoins, or do they risk even greater financial damage by not complying? And there is bad news for shipping companies: “Anyone can become the target of cyber criminals”, explains Lars Jensen. “There is no way to make your system 100 percent safe. And when a company has been attacked, that does not necessarily mean that they did something wrong. The question is, how well prepared is the company to deal with the consequences?”
Jensen uses a simple example. You cannot build a functional house that is 100 percent fire-proof. But you can design your house in a way that once a fire breaks out, you prevent its spread by installing fire doors and fire-resistant materials. Any company’s IT system should be set up so that malware or viruses will not shut down the entire system. At the same time, companies should update their systems regularly and create backups.
What can companies do to protect their systems?
Cyber criminals are very resourceful, after all, extorting money from companies is their business. Yet, since most attacks are performed using known methods, there are simple steps companies can take to reduce the likelihood of being attacked. Jensen: “Protecting a system is not rocket science. With fairly simple changes and measures, you can eliminate 90 percent of a systems vulnerabilities.” Companies should also not underestimate the element of human error and behavior. Basic guidelines for employees can already decrease the chances of an attack:
Criminals have automated bots that search the internet for weaknesses. All it needs is a small hole in the system for it to be penetrated. Since an attack cannot be prevented completely, one goal of a security strategy must be to fix major vulnerabilities and make an attack as difficult as possible. A company should avoid being the weakest prey for cyber predators.
Where should companies start?
Looking at the level of preparedness in the shipping industry, Lars Jensen recommends companies get their systems ready for potential attacks. Most companies have capable IT administrators who are great at setting up a well-working IT system. But administrators are not necessarily security experts. “You don’t go out and buy an expensive alarm system for your house, only to find out that the front door is wide open”, explains Jensen. “Companies should hire a security consultant who will be able to find the main weaknesses in their systems and then start thinking about where to invest.”
Shipping and logistics companies must develop an awareness when it comes to the possibility of becoming a target. Jensen: “The general attitude of the industry is to deny that there is a viable threat. Once a company has been attacked, the knee-jerk reaction is to cover it up as much as possible.” The IMO 2021 guidelines for vessel safety management are creating more attention for the problem. Jensen recommends that companies use the guidelines as a starting point to improve their overall level of preparedness, instead of using it as a box they can ignore once it has been ticked.