IMB: Shipping Is ‘Next Playground for Hackers’

 

The International Maritime Bureau is warning that the global shipping and supply chain could become the ‘next playground for hackers’ and is calling on the maritime sector to remain vigilant amid an increased threat of cyber-attacks.

“Recent events have shown that systems managing the movement of goods need to be strengthened against the threat of cyber-attacks,” the IMB said in a statement this week. “It is vital that lessons learnt from other industrial sectors are applied quickly to close down cyber vulnerabilities in shipping and the supply chain.”

The IMB says the threat of cyber-attacks on the maritime sector has intensified in the past few months, with cyber security experts and the media warning of the dangers posed by criminals targeting carriers, ports, terminals and other transport operators. IMB argues that while IT systems have become more sophisticated in their ability to protect against fraud and theft, at the same time this has left systems more vulnerable to cyber criminals.

Speaking at the TOC Container Supply Chain Europe Conference in London recently, TT Club’s insurance claims expert Mike Yarwood said, “We see incidents which at first appear to be a petty break-in at office facilities. The damage appears minimal – nothing is physically removed.”

While on the surface these incident may appear minor, Yarwood warns that these petty break-in’s can actually be the beginnings of a major security breach. He adds: “More thorough post incident investigations however reveal that the ‘thieves’ were actually installing spyware within the operator’s IT network.”

Yarwood said that more commonly targets are individuals’ personal devices where cyber security is less adequate, highlighting hackers use of social networks to track truck drivers and operational personnel to ascertain routing and overnight parking patterns.

“In instances discovered to date, there has been an apparent focus on specific individual containers in attempts to track the units through the supply chain to the destination port. Such systematic tracking is coupled with compromising the terminal’s IT systems to gain access to, or generate release codes for specific containers. Criminals are known to have targeted containers with illegal drugs in this way; however such methods also have greater scope in facilitating high value cargo thefts and human trafficking,” Yarwood revealed.

The IMB says that while it is difficult to get hold of exact numbers and statistics, the risks should not be underestimated.

In June, the US Government Accountability Office released a stinging report warning of possible threats to U.S. ports. In the report, the GAO called out actions taken by the Department of Homeland Security and two component agencies, the US Coast Guard and Federal Emergency Management Agency, as well as other federal agencies, that their efforts to address cyber security in the maritime port environment have been limited.

KPMG warns that hackers are the new open sea pirates, according to IMB. Wil Rockall a director in the organisation’s cyber security team highlights that the cyber security of maritime control systems are controlled by engineers and not chief information security officers (CISOs) or chief information officers (CIOs). Lacking security controls, these systems are vulnerable to hackers.

“Most ports and terminals are managed by industrial control systems which have, until very recently, been left out of the CIO’s scope. Historically, this security has not been managed by company CISOs and maritime control systems are very similar.

“As a consequence, the improvements that many companies have made to their corporate cyber security to address the change in the threat landscape over the past three to five years have not been replicated in these environments. Instead engineers have often been left to implement and manage these systems – people who focus normally on optimising processes efficiency and safety, not cyber and security risks. It has meant that many companies and their clients are sailing into uncharted waters when they come to try and manage these risks,” he said.

Rockall added; “We have found that one of the main blockers in improving this is a real translation problem when corporate IT security teams attempt to impose their standards on industrial control systems or maritime control systems. KPMG’s work with the operator of one of the largest fleets of crude oil and oil products tankers and liquefied natural gas carriers in the world, found that bridging that gap and coming up with pragmatic solutions to improve industrial control systems security without compromising process efficiency or safety, are vital to the success of industrial control systems cyber risk management.”