The shipping industry received a wake up call last year in the form of high profile cyber attacks that were as spectacular in scope as they were costly. Last June, the Danish shipping giant Maersk - responsible for 20% of global shipping - was hit as part of the NotPetya outbreak. At this year’s World Economic Forum, it was revealed that this compromise of the Maersk systems required the reload of software on nearly 50,000 computers and cost the company between $250-$300 million. Meanwhile during the same attack, which used a stolen NSA cyber weapon, the costs to FedEx profits were estimated to be $300 million.
Later in the year, London-based Clarkson reported that it had suffered a significant cyber security breach and that sensitive data was being held ransom and the release of it’s information was being threatened. Though Clarkson, Maersk and other companies reportedly refused to pay cyber ransom, many companies (up to 70% by one estimate) feel they have no choice. There are many reasons for this fact but certainly as long as the business of cyber-ransom is profitable, everyone should expect a continuation of even more advanced threats to business operations.
More recently, last month researchers identified a group cyber-criminals most likely based in Africa that are running a fairly persistent business email compromise (BEC) program specifically targeting the global shipping industry. Though the methods employed are not particularly sophisticated in execution, this fact highlights that a dedicated attacker with a moderate amount of ingenuity can be successful against organizations who have not taken proper precautions. Since the attackers in this case have apparently only been successful with attempting to steal up to $4 million, this is one group and the overall picture of BEC losses runs into the billions of dollars annually.
More Challenges Ahead
The worldwide shipping industry is worth over $200 billion per year and the threat of compromise within back office and logistics systems is only the beginning. It is expected that before the decade is over, the first fully automated container ship will be sailing the world’s oceans. While securing systems in offices and at ports present their own challenges, the expanded use of Operational Technology (OT) to automate industrial systems such as those aboard a large automated container ship presents an even more daunting problem. Without proper controls in place one could imagine a new age of piracy where ships have the potential of being hijacked by parties anywhere in the world. A threat actor at the intersection of the proper skills and opportunity could make what seems a far-fetched scenario, a scary and expensive reality in the not too distant future.
Even before the first fully automated ship sets sail, already there have been proven compromises of maritime operational technology. OT such as navigation and communication systems aboard ships has been proven to have been compromised, both in labs as well as “in the wild”. Without a higher focus on securing these vital systems, the future of more automation in the shipping industry carries significant risks.
The high-profile (and expensive) compromises in the shipping industry have gotten the attention of global leaders in the business such as Maersk. While the shipping industry has increased its security focus, it recognizes that even the largest players must bring in outside expertise. Shipping as a business segment is not immune to the fact that internal security strategy and operations can become myopic. Though a strong internal security team is a must, design consulting and monitoring services from companies such as Optium can provide an extra layer of assurance that will save money in the longer term.
Additionally, it is becoming increasingly clear that creating a secure company culture is an imperative for businesses in all industries. The most costly attacks in the shipping industry and elsewhere often begin with malware delivered in an e-mail. However, someone typically has to open an attachment or click a link. Companies should consider employing a service that utilizes a comprehensive security awareness platform to ensure their employees know what is safe and when to start asking questions.