11 Feb 2022

Western ports cyber-attack another warning to upgrade resilience

Maritime cyber security specialists urge members to opt for targeted training as attacks are more likely to happen and more sophisticated than expected

The first days of February brought yet another reminder of the growing risk of cyber-attack in the maritime sector. Major oil terminals in some of Western Europe’s biggest ports, including the strategic Amsterdam-Rotterdam-Antwerp oil hub, were hit by what experts said looked like a possible ransomware strike against fuel supply companies Oiltanking and Mabanaft, both of which declared force majeure. The attack reportedly paralysed loading and unloading operations at a number of key terminals in the Netherlands, Belgium and Germany, with oil giant Shell among those forced to re-route supplies.

The last 12 months have seen a number of high-profile attacks on key maritime and oil supply infrastructure – and it’s a given that more will have taken place but have been kept off the radar. In May 2021, for example, the cybercriminal gang DarkSide reportedly extorted nearly US$5 million from a pipeline operator after a cyber-attack on the 2.5 million barrel per day US East Coast Colonial Pipeline, forcing some states to declare an emergency as supplies of diesel, petrol and jet fuel ran short. Months later, South African port operator Transnet declared force majeure after a ransomware attack crippled its IT systems and disrupted container operations at a number of its ports, including Durban, Cape Town, and Port Elizabeth. 

OT wide open

February’s attack in Europe was another clear warning of how vulnerable strategic maritime infrastructure and shipping are to the activities of criminals and state sponsored actors with malicious intent. As well as “standard” cyber threats targeting IT systems, such as ransomware and data exfiltration, the maritime industries also have Operational Technology (OT) systems that leave them open to attack with serious real-world consequences, including loss of human life, damage to the marine environment and mass disruption to international trade.

Indeed, a 2019 report from the Cyber Risk Management (CyRiM) project, the Singapore-based public-private initiative that assesses cyber risks, which includes Lloyd’s and major insurers as founding members, warned that a cyberattack on 15 ports in Asia could run up losses of US$110 billion. The report’s imagined “Shen attack” depicts a plausible scenario in which a computer virus is carried by ships and scrambles the cargo database records at major ports, leading to severe disruption. The now infamous Ever Given incident in 2021, while not the result of a cyber-attack, highlighted just how much disruption can be caused when global maritime trade can’t function as normal. Ever Given’s misadventure in the Suez Canal was a headline-making incident that underscored the dark mutterings of cyber experts who have long been warning about the risks of malware control of navigation systems or how GNSS jamming and GNSS and AIS spoofing could see vessels unintentionally stray into disputed waters with the potential to trigger international incidents

Training and awareness

According to maritime cyber specialist Professor Kevin Jones, Executive Dean at the University of Plymouth and a member of the IMarEST’s Maritime Cyber Risk Management Special Interest Group, the industry is “more vulnerable than most” to cyber-attack, with ransomware, malware control of systems and data exfiltration among the biggest risks.

When it comes to mitigating those risks, the training and awareness of staff and crew is seen as critical yet too often the training delivered is off-the-shelf and ill-equipped to address the unique risks and challenges of the marine environment. It doesn’t help that the industry has been late to recognise the threat and new IMO regulations are largely seen as an awareness-raising exercise rather than rules with real bite.

“Organisations always underestimate the likelihood of being targeted and the sophistication of the attackers,” says Professor Jones. “I don’t think there are any existing standards that are suitable for the sector, so each member should be developing a plan to ensure sufficient cyber-awareness and working with industry bodies to develop meaningful training and standards for the sector.”

Aybars Oruc, a PhD candidate at the Norwegian University of Science and Technology specialising in maritime cyber security and a fellow member of the Maritime Cyber Risk Management Special Interest Group, agrees that current training is not up to the job. “I attend a lot of trainings,” says Oruc, “and many of them are standard cyber security training, focusing on phishing, malware etc. Ship-specific attacks with scenarios should be explained.”

Both members urge all IMarEST members to go above and beyond the baseline requirements of the IMO and to invest in thorough ship-specific training and scenarios so that should hostile actors breach cyber defences, the response is both swift and effective.

Catch up on webinars such as Aybars Oruc’s State Sponsored Cyber Attack Claims in the Maritime Industry presented at the INEC 2020 on IMarEST TV.

To become a member of the IMarEST’s Maritime Cyber Risk Management Special Interest Group, log into your My IMarEST account, click on My Special Interest Groups and then tick the boxes of the SIGs you’d like to join. You can also join the group on Nexus, our networking platform.

AMY