Container ship operators can learn lessons from Maersk’s 2017 cyber attack and exceed upcoming IMO mandatory requirements
The 2017 NotPetya malware attack AP Møller-Maersk faced in June 2017 took out most of the group’s IT capabilities, caused an estimated US$250M of revenue damage and exposed Maersk’s vulnerabilities and liabilities.
Chief information security officer Andy Powell explained how Maersk implemented the lessons it learned as a result of this attack at Riviera Maritime Media’s Maritime Cyber Risk Management Forum in London on 25 June.
He said the group took nine days to recover activity levels after suffering collateral damage from the state-backed cyber warfare. And this was only because Maersk had an offline backup in Lagos due to Nigeria suffering power outages.
Mr Powell warned other shipping companies about relying on online-based backup as these can also be targeted in attacks. “There is no such thing as online backup anymore; offline backup and a regime to ensure offline backups work is absolutely critical,” he said.
Maersk’s financial impact from NotPetya was from lost revenue as container ships remained idle and terminals were closed, and the extraordinary operational costs and expenditure on additional IT capabilities to rebuild endpoints from scratch.
“At one point during those nine days, it was an extinction-level event,” exclaimed Mr Powell.
More than 40,000 endpoints were taken out, along with 3,000 servers and more than 1,000 applications rendered totally unrecoverable, he said.
Following this attack, Maersk learned how “to recover our systems rapidly and effectively and build up our defences to prevent these attacks,” Mr Powell said in a video interview at the forum. Maersk has invested time and money to prevent most cyber attacks, although companies are unlikely to prevent a state-sponsored attack getting through defences.
Therefore, shipping lines need to plan how to contain and recover from attacks.
“We took a critical top-down analysis of our key applications,” said Mr Powell. “We looked at the risk and worked backwards – looking at what could take out the whole company and developing ways to mitigate these attacks first.”
Maersk then reviewed and upgraded old and vulnerable applications. Following that, Maersk focused on privileged access accounts, which cyber attackers will try to take over. “We mended privileged access to ensure that cannot happen again,” said Mr Powell.
Maersk also compartmentalised its networks “to ensure an attack is contained wherever it occurs” and prevent it spreading within the company. “We invested a significant amount of effort to bring up our defences,” said Mr Powell.
“What I would like to see in maritime is what we have learned being applied across the sector,” he added.
Mr Powell emphasised five key operating principles Maersk implemented in the wake of the attack:
IMO regulation requirements
Regulatory compliance is on the minds of container ship operators as they have until 2021 to prepare for IMO’s mandatory requirements for cyber risk management to be included in safety management systems (SMS).
In June, IMO’s Maritime Safety Committee (MSC) confirmed guidelines on how ship operators and owners should comply with the MSC.428(98) resolution on maritime cyber risk management in an SMS.
The committee endorsed the third version of the Industry Guidelines on Cyber Security on Board Ships that raise the understanding and awareness of cyber risk management. This includes guidance on how to comply with the MSC resolution. However, during the MSC 101 sessions inconsistencies in implementing MSC.428(98) were discussed. In response, MSC 101 encouraged maritime administrations to include cyber risks in safety management systems.
MSC 101 confirmed there was no need for shipowners to prepare a separate cyber security management system from that of the safety management system. But ship operators should comply with cyber risk management elements already in SOLAS chapter XI-2 and part A of the ISPS Code.
Container ship operators should go beyond compliance and understand the consequences of a cyber attack from a business perspective, said Lloyd’s Register’s cyber security product manager Elisa Cassi. An incident recovery strategy must be deployed alongside technology to protect critical assets, she said at the Maritime Cyber Risk Forum. The business consequences of a breach need to be considered along with the technical ramifications.
“Of course there is risk, but as long as you are prepared to face it by deploying good protection capabilities and having an incident response plan in place, then you are in a good place,” Ms Cassi said.
Vulnerable business-critical applications need to be identified. “It is not just about technology, but understanding strategically where the data is and how that can be protected,” she said.
“Ultimately, a truly cyber resilient shipping organisation is one that gains intelligence on evolving cyber threats to inform decisions and plans, going beyond the minimum needed to achieve compliance,” said Ms Cassi.
LR has granted its first Digital AL3 Safe Security descriptive note to a shipbuilder constructing ultra-large container ships. This confirms the remote monitoring and smart ship solution is securely protected from cyber threats.
The Digital Safe descriptive note confirms essential systems for ship operations have been assessed in accordance with LR’s Digital Ships ShipRight procedure. This notation is required when systems have remote access to onboard operational data for analysis, decision-making and control.
LR’s Security descriptive note means systems with digitally enabled functions have suitable resilience measures to protect against cyber attacks. AL3 means the systems have digital access for autonomous or remote monitoring and control, but onboard decision making is required and onboard override is possible.
Daewoo Shipbuilding & Marine Engineering (DSME) received approval in principle from LR for its smart ship solution (DS4) for new container ships.
DS4 is a fleet monitoring smart ECDIS and surveillance system to mitigate the risk of collisions and cyber intrusions. LR granted the descriptive note confirming DS4’s compliance with its digital ships requirements.
“We look forward to installing DS4 on board several ultra-large container ships currently under construction,” says DSME senior executive vice president Odin Kwon. DSME worked with bridge systems supplier Marineworks on DS4.
Cyber Owl chief executive Daniel Ng says container terminal operators should merge physical and cyber security to tackle elements that fall between the two. These include personnel behaviour, cyber attacks on connected physical systems or connected port facilities and cargo systems.
He says converging security operations ensure cyber-physical risks are appropriately managed, and gave an example of an intruder in the terminal accessing a terminal to extract key information.
If physical and cyber security were combined, the unsecure USB connection on the terminal would be detected along with the physical intrusion. A combined response would be terminal access denial and a security team swiftly sent to the infected terminal to apprehend the intruder.
Cornerstones of cyber security
Safeguarding critical business assets against cyber risks depends, according to Lloyd’s Register’s cyber security product manager Elisa Cassi, on three cornerstones:
Cornerstone 1: Threat-intelligence assessment
The cyber security landscape is rapidly changing and the insights gained as little as five years’ ago are of less value as threat actors adjust their approaches in response to advances made by security professionals and technical defenders. Regular threat intelligence and assessment activities allow a shipowner to view their organisation through the eyes of a potential attacker, to perceive their attack surface in detail, and to assess the real-world threats to their business.
Cornerstone 2: Crisis-management cyber attack simulation
With knowledge of the attack surface and adversaries already in hand, owners can take steps to safely, effectively and efficiently ensure they are prepared to respond by using a simulated cyber attack known as a ‘red team’ exercise. Such exercises allow a company to define and simulate real-world attack scenarios using the same tactics, techniques, and procedures as a genuine threat actor. They also help determine the level of assurance and ability needed to effectively detect and respond to a genuine cyber attack and educate defence teams about effective responses within a controlled and forgiving environment.
Cornerstone 3: Define a cyber security strategy
An effective cyber security strategy completes the foundation of a secure technological and organisational infrastructure. Designing a cyber security strategy is a complex task for most firms as the strategy must be robust and responsive enough to address a dynamic operational environment. Security professionals can work to create a cyber security strategy to create operational efficiencies, maximum return on technology investments, and assured data and asset protection into the future.
How you can keep cyber awareness tangible and evolving
Vulnerabilities to cyber threats on vessels and companies need to be constantly monitored by shipowners, enabling them to deploy appropriate protection and establish a response to threats most likely to be encountered.
Norwegian Hull Club head of loss prevention and emergency response Morten Aalen said risk awareness and analysis should focus on tangible threats.
An exercise was conducted by his organisation and NYA International on board 2014-built, Norway-flagged vehicle carrier Höegh Jacksonville in July 2018.
“The aim was to better understand the specific nature and impact of a potential cyber attack against a vessel at sea,” says Mr Aalen. “And to look into the method in which a shipping company could conduct a self-assessment.”
He concluded a hacker is unlikely to attempt to remotely command the ship because of the complexity of this operation. However, vessels such as Höegh Jacksonville could “be targeted by sophisticated criminal groups intercepting discharge manifests” which is increasingly common on shore, says Mr Aalen.
He also thinks shipowners should consider their office cyber security as “the threat against corporate offices is increasing particularly as cyber defences are reported as being insufficient.”
Mr Aalen says cyber security awareness should evolve with the response to current threats helping to identity future threats and vulnerabilities. Cyber security awareness should include: