Advances in broadband and the move towards ‘Big Data’ will leave the maritime industry vulnerable to cyber-crime unless it develops better awareness and adopts security best practice, warns ESC Global Security’s head of cyber security division, Joseph Carson.
He says: “There is the potential for a major cyber-attack on the maritime industry to significantly disrupt food and energy supplies given that shipping transports 90 per cent of the world’s global trade. Certainly there is the possibility for AIS, GNSS, ENC and ECDIS charts to disappear from bridge screens or be modified, but the issue today is that most adversaries want to obtain data for financial gain or criminal activities.”
He says that payment systems, for example, can be easily attacked using phishing scams to raise fake invoices or even to change shipping manifests to transport illicit goods, drugs and weapons.
Professional Security’s September 2014 print issue reported a seminar by the Security Association for the Maritime Industry (SAMI) in London seminar on maritime cyber-security, that heard how ports and shipping are at risk from a ‘cyber-storm’; even cyber-hijack.
Echoing comments made by World Economic Forum managing director Espen Barth Eide at Nor-Shipping last week, that “every conflict we see in the future will be a cyber-conflict,” Carson says that while the threat is indeed a real one, greater computer literacy and security awareness can reduce the risk of maritime cyber-crime by as much as 25pc.
“The biggest risk is from human operators not understanding how to deal with or identify a possible security breach. Almost 70pc of malware is manually shared through social media, so awareness and continuous training can have a tangible impact.”
Carson points out that the maritime industry is operating computer systems that “remain unpatched” for long periods, but continuous updating can prevent vulnerabilities in software from being exposed and used by adversaries. He says that about 99pc of all cyber-security breaches are from known vulnerabilities with the common vulnerabilities and exposures (CVE) listed in the National Vulnerability Database. “About 90pc of these breaches, however, have patches [software updates] available containing the required security fixes,” he says.
While security awareness and greater computer literacy can mitigate the risk, Carson says: “No one has really established best practice guidelines that specifically targets maritime industry cyber threats. We need to act in concert so that the International Maritime Organisation (IMO) has the information required to implement measures that will ultimately safeguard the maritime industry from cyber-crime and protect very sensitive data.
“Cyberspace was once just a way to communicate but now pretty much everything depends on it; trillions of dollars pass through cyberspace each year. Our critical infrastructures for energy, healthcare, banking, transportation and water are dependent on how well we protect and secure the systems and the data that controls them.”
About the firm
Estonia-based ESCGS has security personnel serving on the vessels of over 26 flag states and has successfully protected over 1000 vessel transits in high risk areas. Meeting all the requirements laid down by the International Maritime Organisation in Resolution MSC.349 (92), which entered into force in January 2015, ESCGS is an ISO 28000/28007 certified security company with a focus on armed protection of vessels, including tankers (LNG, crude oil, jet fuel), super yachts, dredgers, submersibles, drill ships, general cargo vessels, bulk carriers, container ships, heavy lifts, FPSOs and tugboats.
