Maritime Cyber Risks – What is real, what is fiction?

April 9th 2015

Lars JensenCEO

CyberKeel

CyberKeel

Current state of affairs

• The level of cyber security currently is at a very low level in the maritime industry

• State-of-the-art firewall and anti-virus software is ineffective in keeping out dedicated attacks

• Social engineering tactics work very well

• When we ask about cyber security protection, almost all answer in terms of their technology to keep intruders out. Very few can answer the questions: “How do you detect the ones who are already inside?” and “How do we operate given the knowledge that we may at any time be compromised?”

©2015 CyberKeel

But is there a problem – in reality?

©2015 CyberKeel

A carrier losing track of all containers

CyberKeel recently released a whitepaper as well a new monthly newsletter focused specifically on cyber threats. Key focus: what is real and what is fiction.

2011: Cyber attack on Iranian container carrier IRISL

Attacks damages all data related to:- Rates- Cargo number- Date- Place

Compounding the problem was a simultaneous elimination of the company’s internal communication network

©2015 CyberKeel

A brief look at actual maritime incidents

• Stealing money through man-in-the-middle attack

• Smuggling drugs and deleting containers from a port

• Zombie Zero: Using barcode scanners to gain entry to financial systems

• Icefog: backdoor access to Japanese and Korean companies (extract documents, gain email access, obtain passwords)

• Bypassing Australian customs

• Destabilization of drilling platform

• Shutting down a drilling platform by malware infection

• Complete compromise and spoofing of AIS

• GPS Jamming

• Manipulation of ECDIS data

• Remote navigation of an 80 million dollar yacht using 3000 USD worth of equipment

• Facebook as pirate intelligence source

©2015 CyberKeel

Helpful examples from other industries

• Shamoon attack on Saudi Aramco – wiping all computers

• Stuxnet virus targeting industrial control systems in Iran which were not online

• Successful hacking of cars

©2015 CyberKeel

Current security is low

CyberKeel evaluated the top-50 container carriers’ websites in Q4 2014

• 37 of 50 appear completely open to simple attacks towards back-end systems

• 6 allow harvesting of usernames• 8 carriers, controlling 38% of global trade, allow “password” as a

password to access sensitive eCommerce applications• 2 carriers allow “x” as password• Spoof domains are in place vis-à-vis 10 out of top-20 carriers

©2015 CyberKeel

Current security is low

CyberKeel evaluated a range of maritime companies for “misspelled” domain names in Q1 2015

• A large range of companies we seen to be potential targets• A few examples just for illustration:

• gearbulk.com -> gearrbulk.com• arkasbunker.com -> arkasbunkers.com• monjasa.com -> m0njasa.com

10 out of top-20 container carriers had such “misspelled” domains

Further testing shows that 18 out of the top-20 container carriers have nt prevented simple click-jacking via iFrame attacks – an attack particularly suitable for exploiting misspelled domain names

©2015 CyberKeel

Current security is low

Organizational issues, and understanding, is a major bottleneck

• Often IT departments are only in charge of land-based IT systems – a technical organization is in charge of vessel IT

• Awareness of the implications that a vessel – and its equipment ! – has to be considered as being just accessible as any landbased computer being online

• When chartering vessels, the operating company is often see not to have specific cyber security requirements

• The usage of agencies, many of which are 3rd party, leads to multiple entries into the company’s back-end systems with limited control over cyber security aspects

• Physical security officers are often unaware of the role they need to take in terms of cyber security

• Non-IT staff have a very low level of awareness in relation to cyber risk behavior

• Awareness that theft of information is a key element in fraud

©2015 CyberKeel

Who are the attackers?

3 main groupings:

• Criminals• Motive: make money• Current prime tools: steal money through fraud, facilitate smuggling, ransomware

• Hacktivists• Motive: make a political statement, create destruction• Current prime tools: destroy/impede infrastructure, publicize sensitive information, take over

communication channels

• Governments (or government affiliated entities)• Motive: Espionage, create the ability to influence critical infrastructure• Current prime tools: APT attacks aimed at remaining undetected

©2015 CyberKeel

What should be done?

• Increase awareness of the realistic threat picture

• Maritime companies need to develop contingency plans as well as counter-measure plans

• Improved training & awareness at all levels from board and C-Level to regular staff

• Development of industry-wise cyber security standards

• Establishment of a trusted environment in which maritime companies can share cyber attack information

If you cannot answer the question: “How do you detect the unauthorized people within your system” you have a problem !

©2015 CyberKeel