Cyber security – looking to windward
So far, 2018 has not been a good year for cyber security. Recent months have seen reports of numerous instances where critical IT systems have been breached or vulnerabilities exposed. And it’s not just viruses and malware gaining access to personal devices and IT networks via dodgy emails. Fundamental issues with key hardware components has been coming to light.
In October 2017, concerns surfaced about WPA2, the security protocol that underpins Wi-Fi, and the potential of KRACK malware to hack into Wi-Fi networks and eavesdrop on conversations. Meanwhile, vulnerabilities in the chips that underpin all IT systems hit the headlines earlier this year with two bugs known as Meltdown and Spectre being used to access confidential data via microprocessors manufactured by market-leader Intel plus others. Even Intel’s Active Management Technology was demonstrated to be open to attackers by-passing the login process and taking complete control of users’ devices in less than 30 seconds.
This is no blip on a chart. It’s just the tip of an endless battle going on of businesses and consumers against an array of adversaries. Some of these are small scale, looking to make money through scams and ransomware, but others are well-resourced and even state-sponsored, looking to spread confusion, steal data and disrupt vital services. New threats appear every day and its not going to stop. In fact, it’s only going to get worse.
It sounds bad, and it is, but so far the maritime sector does not seem to have been targeted in any specific way. Maersk was notably hit by a Petya ransomware attack last summer that cost it up to $300m in lost revenues, but along with many other companies in Europe and the USA it was collateral damage in an attack that appeared to be aimed at Ukraine. Elsewhere, there have been reports of the manifests for cargo vessels being digitally altered so as to hide the smuggling drugs on board, but these problems have been shore-based and not related to ships’ systems. Stories of vessels being effected have to date been rare, but this may change.
Previously, the big issue in maritime networks IT networks was management of the limited bandwidth available, but with increasing bandwidth capacity, particularly in harbour and close to shore were 4G and data aggregation systems can deliver very high data speeds, the concern now is what is coming onboard rather than how much. This caution extends across all aspects of ships’ IT networks. Personal data and communications are one element, particularly for luxury superyachts and their VIP owners and guests, but command, control and navigation systems add a whole new level of vulnerability with major implications for the safety of all those on board. The weaknesses of the global AIS system have been well-known for some years, but there are fears that hackers’ attentions could spread elsewhere, with the implications for integrated bridge systems and onboard automation being a particular concern.
It’s not all bad news in the cyber wars, however. The fear and disruption caused by ‘black hats’ and other malicious players in this murky world is often aided and abetted by us, their victims. Hackers rely on outdated systems and poor procedures to create vulnerabilities that they then exploit. The IT industry is, by and large, alert and responsive to these threats, often releasing updates and patches within hours to combat the latest threats. However, getting people to download and install them is another matter entirely. The overall level of awareness of the threats is even today very low. Many companies, organisations and individuals run outdated software and hardware with long-recognised flaws that simply cannot be updated. Often the more complex the network, the greater the resistance to change given the cost and complexity. Apparently even the Department of Defence in the USA is still using Windows 95 and 98 in some offices.
The maritime sector is no different. Older vessels and installations are at greatest risk, not least because many crew are still not aware of the issues, in particular the risks posed by their own mobile devices.
Regulation is starting to have an impact across all sectors, with the EU’s GDPR regulations expected to have a positive effect worldwide with their requirements regarding responsibility, training and enhanced security, backed up by the threat of fines. In the maritime world, increasing levels of automation and the integration that comes with it is also concentrating minds on the potentially disastrous consequences of security breaches afloat.
The inescapable fact is that in every area of commerce there will always be vulnerabilities in new software and hardware as they continually evolve, and these will always be found by hackers that are well resourced and persistent. The maritime sector is no exception. Technology can help us, but only if everyone involved is educated in the dangers posed by careless behaviour on both ships’ systems and their own devices, and the simple procedures and protocols that they should apply to prevent unwanted incursions.
It’s not rocket science, and sadly it will probably take some disaster to shock people into action. That’s human nature. In the meantime there is much that can be done. Blaming the technology is not good enough, we must all take responsibility.