Lloyd's List is part of Maritime Intelligence

This site is operated by a business or businesses owned by Maritime Insights & Intelligence Limited, registered in England and Wales with company number 13831625 and address c/o Hackwood Secretaries Limited, One Silk Street, London EC2Y 8HQ, United Kingdom. Lloyd’s List Intelligence is a trading name of Maritime Insights & Intelligence Limited. Lloyd’s is the registered trademark of the Society Incorporated by the Lloyd’s Act 1871 by the name of Lloyd’s.


What can be done to repel cyber attacks on shipping?

Cyber attacks have been growing everywhere in 2020 and shipping is no exception. However, there are key areas that can be singled out to test for cyber vulnerability.

Given that shipping seems to be increasingly in the spotlight for cyber attacks such as the one experienced by CMA CGM, management teams will want to draw up checklists of what they should think about in order to repel them.

SHIPPING is learning that it is just as vulnerable to cyber attacks as other big industries. The four biggest container lines have all experienced such events, the most recent being CMA CGM, which came under cyber assault in the past month.

These are the areas that staff who cover this remit are most likely to be asked about, and how they can prepare their responses:

Broad vulnerability

Most companies could be subjected to a similar cyber assault. The likelihood, though, would of course hinge on what cyber security measures were in force. Gauging the probability entails learning a little background detail about the cyber assault on CMA CGM.

Publicly available information tells us that CMA CGM was hit with the RagnarLocker ransomware. If this is true, it was a targeted attack rather than an opportunistic one.

Criminals that use RagnarLocker tend to surveil the target before deploying the malware.

These types of criminal also tend to steal confidential data, which can then be used as extortion material. This gives the perpetrators two means of making a financial gain: a ransom demand in return for decrypting the files on infected systems, and extortion in return for not releasing the data they have stolen.

There are various means that can be used to deliver the RagnarLocker malware (including embedding it in files attached to a phishing email), but this malware has most commonly been delivered through remote management channels such as Windows’ Remote Desktop Protocol. RagnarLocker tends to be deployed inside a virtual machine and hidden in a relatively large installer file, which helps it evade detection by endpoint security tools that inspect the host rather than the guest.

So long as robust identity and access management controls are in place for remote access to computers (for instance, remote desktop access that is not exposed directly to the internet and that requires multi-factor authentication), it is very possible your company would have blocked delivery of the malware.

Detecting such an attack would also be assisted by reviewing your firewall logs, antivirus logs or rules-based intrusion detection systems for suspicious behaviour.

If your company is carrying out anomalous behaviour monitoring of networks and endpoints then this would also be likely to flag up the perpetrators’ reconnaissance, data theft and attempted virtual machine installation activity before the malware went into effect.
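To make the previous two paragraphs concrete, the following is an added example (not code from the article or from any named vendor) of the kind of rules-based detection logic a security team could run over its own telemetry. It looks for the stages described above: password guessing over RDP followed by a successful remote logon, a remote logon from outside the internal address ranges, a single large outbound transfer to an external address, and a hypervisor process being launched on an endpoint. The key=value log format, the thresholds, the internal address ranges and the VirtualBox process names used as indicators are all assumptions chosen for illustration, and the sample log lines are constructed, not real telemetry.

```python
"""
Added example (not from the article): a small detector for the RagnarLocker
style chain described above, run over constructed sample telemetry.

Stages it looks for:
  1. RDP password guessing followed by a successful remote logon
  2. a successful RDP logon from an address outside the internal ranges
  3. a single large outbound flow to an external address (bulk data theft)
  4. a hypervisor process being launched on an endpoint (VM-based payload)

Assumptions: the key=value log format, the thresholds, the internal ranges
and the VirtualBox process names used as indicators are chosen for
illustration only.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HYPERVISOR_IMAGES = {"vboxheadless.exe", "vboxmanage.exe", "vboxsvc.exe"}  # assumed indicator
FAILED_LOGON_THRESHOLD = 5                   # failures before a success is suspicious
BRUTE_FORCE_WINDOW = timedelta(minutes=15)   # failures must fall inside this window
EGRESS_BYTES_THRESHOLD = 500 * 1024 * 1024   # one outbound flow of 500 MB or more

# Constructed sample lines, not real telemetry. ISO timestamp, then key=value fields.
# Windows event 4625/4624 with logon_type=10 means a failed/successful RDP logon.
SAMPLE_LOG = """\
2020-09-27T02:14:03Z src=windows event=4625 logon_type=10 host=FILESRV01 ip=203.0.113.45 user=admin
2020-09-27T02:14:09Z src=windows event=4625 logon_type=10 host=FILESRV01 ip=203.0.113.45 user=admin
2020-09-27T02:14:15Z src=windows event=4625 logon_type=10 host=FILESRV01 ip=203.0.113.45 user=administrator
2020-09-27T02:14:21Z src=windows event=4625 logon_type=10 host=FILESRV01 ip=203.0.113.45 user=svc_backup
2020-09-27T02:14:27Z src=windows event=4625 logon_type=10 host=FILESRV01 ip=203.0.113.45 user=svc_backup
2020-09-27T02:21:10Z src=windows event=4624 logon_type=10 host=FILESRV01 ip=203.0.113.45 user=svc_backup
2020-09-27T02:40:00Z src=windows event=4624 logon_type=10 host=JUMP01 ip=10.20.30.40 user=itops
2020-09-28T01:02:11Z src=flow event=outbound host=FILESRV01 ip=198.51.100.9 dst_port=443 bytes=734003200
2020-09-28T01:30:00Z src=flow event=outbound host=FILESRV01 ip=10.0.0.5 dst_port=445 bytes=1048576
2020-09-29T23:58:41Z src=sysmon event=1 host=FILESRV01 image=C:\\ProgramData\\VirtualBox\\VBoxHeadless.exe parent=msiexec.exe
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse(text):
    """Turn the log text into a list of dicts, with the timestamp under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, _, rest = line.partition(" ")
        ev = dict(FIELD_RE.findall(rest))
        ev["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def is_external(ip):
    """True when the address is outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_RANGES)


def detect(events):
    """Return (rule, host, detail, extra) tuples in log order."""
    alerts = []
    failed_rdp = defaultdict(list)  # (host, ip) -> timestamps of failed RDP logons
    for ev in events:
        src, kind = ev.get("src"), ev.get("event")
        if src == "windows" and ev.get("logon_type") == "10":
            key = (ev["host"], ev["ip"])
            if kind == "4625":
                failed_rdp[key].append(ev["ts"])
            elif kind == "4624":
                if is_external(ev["ip"]):
                    alerts.append(("external_rdp_logon", ev["host"], ev["ip"], ev["user"]))
                recent = [t for t in failed_rdp[key] if ev["ts"] - t <= BRUTE_FORCE_WINDOW]
                if len(recent) >= FAILED_LOGON_THRESHOLD:
                    alerts.append(("rdp_bruteforce_success", ev["host"], ev["ip"], ev["user"]))
        elif src == "flow" and kind == "outbound":
            if is_external(ev["ip"]) and int(ev["bytes"]) >= EGRESS_BYTES_THRESHOLD:
                alerts.append(("large_egress", ev["host"], ev["ip"], int(ev["bytes"])))
        elif src == "sysmon" and kind == "1":
            # Compare only the executable name, case-insensitively, against the indicator set.
            image = ev["image"].rsplit("\\", 1)[-1].lower()
            if image in HYPERVISOR_IMAGES:
                alerts.append(("hypervisor_launch", ev["host"], ev["image"], ev.get("parent", "")))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(*alert)
```

Run against the constructed sample, the detector raises four alerts in order: the external RDP logon, the brute-force-then-success on the same host and source address, the 700 MB outbound flow, and the VirtualBox process launched by an installer. The internal jump-host logon and the small SMB transfer to an internal address produce nothing. In a real deployment the internal ranges, the allowed RDP sources and the hosts legitimately permitted to run a hypervisor would come from the company's own inventory rather than from constants.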

Measuring damage capability

The fastest way to work out whether your company is vulnerable is to do two things:

First, make a list of all the IT services that would critically impact the business if they went down for two weeks.

Two weeks is an important milestone because it would likely take that long to regain minimum service levels.

It would be a good idea to concentrate on the vital services. For example, it may be possible for manual work to replace some onboard or financial management software functions for a couple of weeks. However, customer service portals and core shipmanagement software may be key to generating revenue, delivering operations and preserving a company's reputation.

Second, jot down a list of all the key pieces of data that would be of detriment to your company if they were released to the public.

Onboard IT system vulnerability

The IT systems used on vessels could be vulnerable to RagnarLocker. Remote access to shipboard computers is very common, but robust identity and access controls are not. This would allow a RagnarLocker operator to use their preferred delivery method for the malware.

When considering the vulnerability of vessel operational technology systems, the type of system used will be key.

We know RagnarLocker targets Windows machines, and there are critical onboard operational technology systems that incorporate them. Bridge and cargo systems, for example, often use Windows machines.

Linux systems, though, predominate, and these will not be affected by RagnarLocker, which is Windows-specific.

However, this does not make such operational technology systems impenetrable. Take, for example, Lilocked or Tycoon ransomware, which can hit Linux machines. Consider also Ekans and Megacortex, which home in on industrial control systems.

Flag and port state directives

There have not been any specific comments related to the CMA CGM cyber attack from any of the various maritime agencies. However, developments in the US are worth noting:

The US Coast Guard has published several cybersecurity-specific Marine Safety Information Bulletins recently. These warn of malicious email spoofing incidents, including impersonation of US Coast Guard email addresses reported on September 30 of this year.

On October 1, 2020, the US Treasury Department issued an advisory saying that companies that pay ransomware extortionists, or facilitate such payments, could face significant civil penalties from the US federal government if the criminals are in jurisdictions subject to economic sanctions.

Suppliers’ systems

Not many people consider supply chain cyber risk, but it is essential that the management team probe this area.

The spotlight needs to be placed on supplier web-based systems that your company’s operations rely on for critical functions. These tend to be either cloud-delivered services or systems that depend critically on the availability of data integrations.

The IT team may be unaware of some of these “shadow IT” applications if it was not directly involved in buying them or in providing access to them.

Common supplier applications to consider include: e-commerce web portals, enterprise resource planning, cargo tracking portals, crew management software, shipmanagement software, procurement systems and vessel-reporting systems.

What is more, shipping operations make heavy use of email and Excel spreadsheets, making mail servers and document management systems critical to day-to-day work.

LL1135430