Managing the Cyber risk to the global shipping industry Part I
Threats to cargo handling systems and terminal operation systems (TOS)
On October 16, 2013, Europol announced it had exposed a network of drug traffickers who recruited hackers to breach IT systems in the port of Antwerp, Belgium. The purpose of the breach was to allow hackers to access secure data giving them the location and security details of containers (that contained smuggled drugs worth billions of dollars), allowing the traffickers to send in truck drivers to steal the cargo before the legitimate owner arrived. The operation (which took place over a two-year period) went undetected by the port authorities and shipping companies involved. It was apparently uncovered with the recent arrests of members of the “Silk Road” website who sold drugs on the DarkNet in the U.S. The investigation was carried out by a team from Europol that in a related series of raids managed to confiscate containers holding cocaine and heroin worth hundreds of millions of dollars. The breach of the port and shipping companies’ computer systems began with a spear-phishing attack, i.e. sending innocent-looking emails with malicious contents to employees of transportation companies working in the port of Antwerp. When the ring members saw that this channel had become blocked by enhanced IT security, they physically broke into the companies’ offices and installed KVM (keyboard, video and mouse) switches to enable remote access to the computer systems. The KVM switches were assembled and prepared in a professional manner and included miniature PCs concealed inside electrical power strips, external hard drives, as well as keyloggers disguised as USB keyboard port converters. Although some of this equipment was designed simply to steal login credentials, the hackers appear to have used wireless cards to study and possibly control the logistics systems in real time. The group then sent its drivers to the port and provided them with all the necessary certificates and release codes to retrieve the containers. In July 2014 the security company TrapX exposed The Zombie Zero campaign: a supply-chain attack targeted at robotics manufacturers as well as shipping and logistics firms, compromising systems for more than a year. Weaponised malware was pre-installed on handheld scanners and software at a Chinese supplier’s factory, then sent to seven shipping and logistics firms and one manufacturing company, in order to infiltrate their corporate ERP servers and steal financial data. The “highly sophisticated” malware was embedded in the Windows XP operating system installed on the scanner and also on the Chinese manufacturer’s support website. TrapX said the handheld scanner in question is used by “many shipping and logistic companies around the world” to check items being loaded on and off vehicles such as ships, trucks or planes.
Conclusion
It is not difficult to understand that the global shipping industry faces an extremely complex cybersecurity challenges. So how can we go about managing this risk? Here are some pointers: Relaying on Regulation? Not a sound policy: The IMO’s Maritime Safety Committee (MSC) 94th session, held on November 2014, discussed the adoption of a proposal to develop voluntary guidelines on cyber security practices to protect and enhance the resiliency of cyber systems supporting the operations of ports, vessels, marine facilities and other elements of the maritime transportation system
(see )
In addition, The U.S. Coast Guard held a meeting in Washington, DC in January 2015 to receive comments on the development of cybersecurity assessment methods for vessels and facilities regulated by the Coast Guard. This meeting provided an opportunity for the public to comment on development of security assessment methods that assist vessel and facility owners and operators identify and address cybersecurity vulnerabilities that could cause or contribute to a Transportation Security Incident. The Coast Guard will consider these (public and all other public comments, made until April 2015) in developing relevant guidance, which may include standards, guidelines, and best practices to protect maritime critical infrastructure. ()
However, as we’ve witnessed with other industries with regards to Cybersecurity, waiting for the regulator to release standards, or indeed- adhering to these standards provides very like assurance against cyber threats. For instance, the huge retailer “Target” was PCI DDS (credit card information security standard) compliant when hit by POS malware which managed to steal millions of credit card details). Self-reliance by adopting a holistic approach So what can a shipping company do to protect itself and manage this immense risk to business operations? First, it needs to adopt a holistic approach. It needs to ensure it define its assets, identify relevant threats, conduct proper risk assessment and build its security program accordingly. It then needs to constantly monitor its security controls (not an easy task, given that the “assets” are mobile and deployed around the globe and have a centralized risk management and operations center.
Only by doing so one can provide the slightest chance of mitigating (or at least) managing this threat.
Summary and a word of criticism
The shipping industry has always known how to factor risks into the daily business operation. In fact, it is this very industry that initiated the birth of the modern insurance corporates (born to offset some of the inherent risks of shipping). The industry has proven resilient to natural disasters, regulatory changes, piracy and technology changes. It is odd that this industry seems to look the other way when faced with this new type of risk. Sure, cybersecurity may not be the first item on the agenda of ship owners and shipping companies, but as the risks mount this industry needs to take a brave approach and tackle this threat head on, and prevail, like it always had.
Our modern way of living pretty much depends on it…
To read about this, please view the original article on Cytegic’s blog here.
About Cytegic
Cy-te-gic /pronounced: sʌɪ-ˈtē-jik/ adjective: A plan of action or strategy designed to achieve a long-term and overall successful Cyber Security Posture Optimization – “That firm made a wise Cytegic decision”.
Cytegic develops a full suite of cyber management and decision-support products that enable to monitor, measure and manage organizational cyber-security resources.
Cytegic helps organization to identify threat trends, assess organizational readiness, and optimize resource allocation to mitigate risk for business assets.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.