“Only when the tide goes out do you discover who has been swimming naked.” While Warren Buffett was famously referring to business fundamentals in the face of a tricky economic climate, there are important lessons for cyber risk management.
In February earlier this year, as Russia was launching its campaign against Ukraine, the security analyst team at CyberOwl were on heightened alert for nation state cyber activity across the fleets of vessels we monitored. On eight vessels that had our newly deployed technology, we immediately detected malware that was closely associated with political espionage.
The malware was designed to provide the attacker remote access to the affected system, followed by full admin control of the machine without permission or authorisation. This includes the ability to manipulate files, execute or change processes, and spread locally – pretty much full command and control of the affected machines.
The shoreside team, crew and ship owners were completely oblivious. The malware had evaded advanced antivirus software in place on some of the affected machines. The stealthy nature meant that there were no anomalies that crew nor visitors had spotted with the naked eye.
To make matters worse, the malware had found its way onto both vessel information technology (IT) and operational technology (OT), which controls critical vessel systems. Vessel OT systems are often wrongly assumed to be ‘air-gapped’ from the internet and therefore impervious to spreading malware. Clearly in this case, that wasn’t true.
It is unclear how long the malware had been sitting on the affected machines, awaiting an internet connection, so the attacker could assert control. Control of the OT systems at the wrong place, at the wrong time, could have led to a serious safety incident.
In the case of all these eight vessels, the serious safety incident never happened. Fortunately, the relevant shipowners had put in place the people, processes and technologies to capture early signs of cyber risks, prioritise them for urgency and address them systematically. These resources and processes were drilled repeatedly to ensure there was the minimum required muscle memory for dealing with such incidents.
So, when CyberOwl uncovered the malware on each of the eight vessels, there was a seamless process in place at each shipowner to work with their crew to remove the malware, work with their vendors to restore systems and carry on with minimal disruption to operations.
This is what best practice cyber readiness looks like.
Unfortunately, this isn’t common across the majority of the shipping sector. The vast majority of owners / operators are more reactive rather than prepared to handle cyber risk incidents of any severity.
The fact is discovering malware or cyber-attacks on shipping systems is not exactly a rarity. In a recent report that CyberOwl commissioned, involving a survey of around 200 shipping professionals, 36 per cent believe their organisation had been a victim of a cyber-attack in the last three years. 3 per cent of those affected resulted in ransom payments with an average of US$3.1 million. By contrast, the average ship operator spent less than US$100,000 per annum on cybersecurity in the last 12 months.
Put another way, for every $1 the cyber criminals gained in ransom, the affected ship operator spent an average of only three cents on cyber risk management.
This paints a very different picture to the investments the maritime sector is willing to make to mitigate piracy risk. For every US$1 pirates steal or extort in Africa, for example, US$524 is spent on counter-piracy measures[1].
Given the maritime trends of increasing connectivity, digitisation, the increasing threat landscape – as well as the potential for loss of life, cargo and operational disruption – this doesn’t add up. It points to a great disconnect between the risks that shipping operators are exposed to and the protections they currently have in place.
For further details on the incident above, the great disconnects in cyber risk management in shipping and key recommendations for the sector, CyberOwl commissioned an independent report in collaboration with Thetius and HFW. You can find a copy here.
[1] See the report of a study by Stable Seas, a transnational maritime security research organisation.
