More than half of all publicly reported cyber incidents in the marine industries sector have been due to war-like or terror events – where nation-states or their proxies (i.e. hacking groups with known links to nation states) are the authors of the attack.
Using publicly available information, and by applying detailed analysis and insight, Astaara’s chief cyber officer Bill Egerton found that while terror made up a third of all claims in 2016, this rose to more than half (53%) in 2021.
‘We know through direct experience following conversations with prospective clients and Insureds that nearly every maritime company has had some experience of a cyber incident – most commonly e-crime and the spoofing of invoices,’ said Mr Egerton, who added that it is an Astaara Underwriting judgement that a ship is most vulnerable to a cyber incident arising in the HQ.
‘While the increased level of criminal attacks is to be expected, there has also been a sharp rise in the frequency of attacks or incidents where pecuniary crime does not appear to be the prime motive. Systems are being damaged; sensitive data is being exfiltrated – and while responsibility is not being admitted, there is clear evidence that tools and techniques are being deployed that are known to be used by groups with known links to nation states.
‘We remain alert to the increased risk: the steady growth in both frequency and sophistication of cyber-attacks on head offices ups the likelihood that this will cascade from shore to ship, seeking to exploit vulnerabilities on a ship even if IT and OT networks are ostensibly segregated from each other. Vectors of attack include compromised emails, exploitation of satellite communications, the increased use of remote access for the updating or patching of 3rd party systems on board, the use of unsupported software and imprudent use of USB‐sticks. Continued phishing exposures on board also remain a high risk.’
The sample of reported incidents is small compared to the number of other known but not publicly acknowledged incidents. Of the claims sample analysed, the incident losses were typically over $5m. Many of the losses were not the subject of insurance claims.
The low volume of publicly acknowledged cyber incidents is itself a cause for concern as it suggests that many enterprises may not be aware they have been the subject of such an event, or have not reported it for fear of embarrassment, all of which, in Mr Egerton’s view, makes it easier for online crime to propagate.
The number and frequency of war-like or terror attacks are important to track and comprehend, as the implications are far reaching both for the Insured, and the Insurers. It is common in the insurance market to exclude war, war-like or terror events – which means many insureds do not enjoy the cover they think they have bought or have not bought the cover they need.
Attribution, the art of determining the cause and motivation of an event – and therefore determining whether a claim is non-malicious, malicious, terror or an act of war – is a complex and nuanced activity.
State security services may often know to a high degree of certainty from where a cyber-attack originated and the State agency or actors behind it. However, state security organs rarely make public their views on attribution, whether to protect their sources and methods or because it is not in the public interest to reveal such information at the time. Attribution in any case is hard to prove and is rarely accepted by the accused.
‘Many within the maritime community are led to believe that the main cyber threat to their enterprise, by a state actor, is an attempt to take over direct control of a ship or otherwise so-called deception attacks – where GPS or other navigational systems are compromised leading to compromised ship operations,’ added Mr Egerton.
Astaara’s Chief Cyber Officer observed that the reality of state sponsored cyber is in fact outlined in three main types of attack:
‘We have not yet seen any attacks which have the goal of either directly attacking a critical OT system in order to disrupt a vessel’s operations or ‘take control’ of a vessel for its own purposes. We have seen GPS jamming, forcing fishing vessels to return to port,’ he said.
The majority of war‐like events appeared to have the objective of destroying or severely degrading the ability of the organisations affected to operate (for example the NotPetya destruction‐ware attack) or to steal confidential government information or intellectual property.
‘Although there are demonstrations of the theoretical possibility of attacking a vessel through VSAT links into ECDIS systems, it has often proved easier to disrupt a business by using head office as a vector. Most nation state attacks are targeted and follow specific pre‐cursor surveillance activity to identify key vulnerabilities.’
Mr Egerton also commented: ‘The marine community is advancing – the threats and losses of 2017 are unlikely to be repeated in the same way today as companies have learnt hard lessons in respect of user training; improved network defence; more robust segregation of systems; improved incident response; more rigorous testing of systems recovery from offsite encrypted backups; and more widespread mandatory multi-factor authentication on a minimum of critical systems ship and shore.’
Is it reasonable for marine enterprises to be able to defeat or fight their way through a state sponsored attack? Mr Egerton is clear.
‘Yes. In most cases, successful attacks have depended on user error or security failures to get into target systems. While there is little defence against a zero-day attack, it is reasonable to expect that an organisation that does the basics well over a sustained period and demonstrates corporate leadership and commitment to cyber security can mitigate much of the impact of such risks and reduce downstream harm. But this mandate and commitment has to be driven from the top of the organisation.’
Legislative initiatives are now biting – including the IMO 2021 which now requires Safety Management Systems to include cyber risk management. This is not only a ship obligation: the Designated Person Ashore (“DPA”) is an integral element of SMS and therefore head office and shore-side leadership are key to maintaining cyber safe ship operations. Most importantly a trained, aware and well-prepared crew are still the best defence.
In Europe, many in the marine transportation sector are deemed to be Operators of Essential Services, under the Network Information Systems Directive 2016 (EU) (the Network Information Systems Regulations 2018 in the UK). This requires operators of Critical National Infrastructure to adopt better defences to maintain their resilience or face significant fines for system outages; in the US, similar requirements are placed on critical infrastructure operators under the Maritime Transport Security Act 2002.
Although each nation state has a differing approach to security the intent is clear – the maritime sector must not be compromised by a cyber-attack that leads to a breakdown in the international supply chain – whoever is behind it, and no matter the frequency of the attacks.
Cyber security is not just about technology: it includes the standards, procedures, people, culture, and leadership required to make IT and operational technology systems secure, compliant with applicable regulatory standards and corporately defined risk appetites.