Advancement in broadband technologies and the move towards ‘Big Data’ will leave the maritime industry vulnerable to cyber-crime unless it develops a better awareness of ICT security and adopts security best practice, warns ESC Global Security’s head of cyber security division, Joseph Carson.
“There is the potential for a major cyber-attack on the maritime industry to significantly disrupt food and energy supplies given that shipping transports 90% of the world’s global trade. Certainly there is the possibility for AIS, GNSS, ENC and ECDIS charts to disappear from bridge screens or be modified, but the issue today is that most adversaries want to obtain data for financial gain or criminal activities.”
He says that payment systems, for example, can be easily attacked using phishing scams to raise fake invoices or even to change shipping manifests in order to transport illicit goods, drugs and weapons.
Echoing comments made by World Economic Forum managing director Espen Barth Eide at Nor-Shipping last week, that “every conflict we see in the future will be a cyber-conflict,” Carson says that while the threat is indeed a real one, greater computer literacy and security awareness can reduce the risk of maritime cyber-crime by as much as 25%.
“The biggest risk is from human operators not understanding how to deal with or identify a possible security breach. Almost 70% of malware is manually shared through social media, so awareness and continuous training can have a tangible impact.”
Carson points out that the maritime industry is operating computer systems that “remain unpatched” for long periods, but continuous updating can prevent vulnerabilities in software from being exposed and used by adversaries.
“Approximately 99% of all cyber-security breaches are from known vulnerabilities with the common vulnerabilities and exposures (CVE) listed in the National Vulnerability Database. About 90% of these breaches, however, have patches [software updates] available containing the required security fixes,” he says.
Whilst security awareness and greater computer literacy can mitigate the risk, Carson says: “No one has really established best practice guidelines that specifically targets maritime industry cyber threats. We need to act in concert so that the International Maritime Organisation has the information required to implement measures that will ultimately safeguard the maritime industry from cyber-crime and protect very sensitive data.
“Cyberspace was once just a way to communicate but now pretty much everything depends on it; trillions of dollars pass through cyberspace each year. Our critical infrastructures for energy, healthcare, banking, transportation and water are dependent on how well we protect and secure the systems and the data that controls them.”