Shipping’s cyber defences fail attack test
No evidence the cyber attacks on CMA CGM and the IMO were linked, but the incidents come just months ahead of a new requirement for owners to address cyber risk through safety management systems
As the IMO and CMA CGM conduct investigations into cyber attacks on their systems, the focus is on the cost — financial and reputational — of failing to adequately prepare to repel tech-savvy criminals
THERE is no evidence that the cyber attacks on CMA CGM and the International Maritime Organization are linked, although the possibility is being considered, according to a source at the London-based United Nations agency.
Investigations by both organisations into the cause and the extent of the attacks are ongoing.
But severe disruption appears to be extensive in both instances, with access to all of the French carrier’s ecommerce websites still suspended after at least four days.
The IMO’s main website is also still down, and it is believed that the agency is still without web-based services.
Ironically, the incidents come just months ahead of a new IMO resolution, which enters into force next January, requiring shipping companies to address cyber risks in safety management systems.
“Given the news from CMA CGM in the same week, whether that is merely a coincidence will certainly be open to speculation,” said one senior IMO official. “We do not have any evidence of linkage at this point though,” he said.
This is not the first time the UN agency has been attacked, but this is the most serious.
“Our cyber security systems have thwarted or limited a number of previous attacks on our systems,” the official said. “But this appears to have been the most serious attack we have encountered, although we are still in the assessment phase with respect to its impacts.”
The UN has been trying to tighten up its cyber security across its agencies since 2012, when an internal audit first revealed an “unacceptable level of risk” in its IT systems. While multiple programmes and upgrades have been deployed in the years since, the majority of UN websites and applications failed to pass the required standard as recently as 2018.
Meanwhile, insurers and lawyers have warned that owners need to be aware that they will not usually be covered by hull and machinery policies, most of which include an explicit exclusion clause, with insurers simply needing to show that system vulnerability was exploited with malicious intent.
Typical wording is on the lines of: “In no case shall this insurance cover loss, damage, liability or expense directly or indirectly caused by or contributed to by or arising from the use or operation, as a means for inflicting harm of any computer, computer system, computer software program, malicious code, computer virus or process or any other electronic system.”
But there is an expansion in specialist cyber insurance wordings, and this will probably become an increasing focus of the industry, according to Paul Dean, global head of shipping at law firm HFW.
There are also legal requirements for shipowners to exercise due diligence before and at the beginning of the voyage to ensure that vessels are seaworthy and cargo worthy.
The trouble is that on the question of cyber risk, there is no universally accepted level of required due diligence, Mr Dean added.
“In the event of a breach, it will ultimately be up to the courts to decide whether an owner has complied with their obligations.”
P&I club West of England said the nature of cyber attacks is rapidly evolving, and it is imperative for shipping companies to follow best practice guidance to minimise their risks.
West provided seed capital for marine cyber consultancy Astaara, which offers what it claims to be the only specialist marine cyber cover product in the market.
Astaara chief executive Rob Dorey said that the cyber threat to shipping had undergone a revolution in recent months. Increased connectivity and complexity are now enabling sophisticated criminals to exploit this marine IT infrastructure to an extent that is putting lives in danger.
While bridge systems, as well as cargo handling and power control systems, are particularly at risk, attacks on poorly protected land-based offices can also have a huge impact, he said.
“A hit on the head office can affect ships, and vice versa. Unless you’ve got the right policies, procedures and technologies in place, and your people are trained properly, these incidents will leave you heavily out of pocket.”
Control Risks intelligence analyst Felix Manig said the IMO, like CMA CGM, was likely targeted by cyber criminals rather than “state-linked espionage units” because of the attack’s high visibility.
Mr Manig said the week’s incidents were not surprising given the rise in attacks since 2017 as cyber criminals exploited shipping’s sensitivity to downtime and disruption for financial gain.
He added that the costliest cyber attacks had so far targeted onshore IT systems, which stood the best chance of “rattling supply chains globally”, and companies should pay equal attention to security on and offshore.
He said use of “proactive measures” like decoy data sets, assets and systems, active monitoring for misuse of web and email domains, and sharing of incident information would make attacks more difficult.
Dryad Global chief executive Phil Diacon said shipping was still slow to adopt technologies and relied heavily on emails to distribute documents such as bills of lading.
“The habitual use of emails with frankly enormous ‘CC’ lists is systemically prone to errors and omissions that mean information and personal data can easily end up in the wrong hands,” he said.
Once leaked, such information could be used to target malware on an industrial scale. Electronic barriers were effective, but humans remained the weak spot.
Mr Diacon advocated “upstream monitoring” of the dark web and wider email traffic analysis so companies could see what information was being traded and respond appropriately.
“The financial and reputational consequence can be enormous and chief financial officers are starting to realise that this threat does not lie just with chief technology officers,” he said.
Svante Einarsson, team leader for DNV GL’s maritime cyber security advisory services, said that the industry’s awareness of the potential impact of cyber threats, and its willingness to invest in protection against it, have grown significantly from five years ago, when they were very limited.
“I never really have to persuade anyone anymore,” he said.
But the perception of the risk is still not uniform across the industry. Mr Einarsson explained that while around half of the business is convinced cyber security is mainly an IT problem, the remainder realises that it also has potential implications for operations or control systems.
In any case, though protective actions and policies are increasing, incidents like these will continue to happen, due to the ever-expanding use of digital systems and interconnectedness on board ships and on shore.