Cyber attacks are the new reality; the only question is ‘when.’ The key challenge for Indian firms is that most view cyber security as an “IT issue”. India ranks third globally as a source of malicious activities and its enterprises are the sixth most targeted by cyber criminals. It is high time the shipping industry woke up to this reality.
On June 27th, Ukraine came under the biggest cyber attack in its history, which spread to Europe, then to the coasts of North and South America and beyond. In the process it affected many industries, from banking to power to the port sector. Meanwhile, EXIM trade at Nhava Sheva woke up on June 28th to a nasty surprise, and this time it had nothing to do with long queues or operational issues there: APM Terminals Mumbai was forced to interrupt services as it dealt with a worldwide cyber attack on Maersk and its group companies, including APM Terminals.
This is not the first time the port and shipping sector has come under cyber attack. Lars Jensen, CEO, CyberKeel, reminded, “The threat is significant, and has been severe for several years. At CyberKeel we have warned about such attacks, but the general state of affairs with the maritime sector is a low level of cyber security.” In fact the Maritime Safety Committee (MSC) of the International Maritime Organization (IMO) was well aware of the vulnerability of the maritime sector. IMO said, “The 98th session of MSC adopted a resolution on maritime cyber risk management. In essence the resolution adopted at the MSC said that cyber risk should be included in International Safety Management (ISM) documentation by the year 2021…. The main point of the resolution is to clarify the situation and provide a deadline so that for port state control purposes, the cyber threat should be included by a certain date.”
What went wrong!
The Petya cyber attack on APM Terminals drew much more attention, and a quicker response from the government, thanks to the widespread coverage its predecessor, the WannaCry ransomware, had attained. Industry experts have been critical of the situation and stressed that the port and shipping sector has been a late entrant to IT platforms. Dr. Sandeep K. Shukla, Head, Department of Computer Science and Engineering, Poonam and Prabhu Goel Chair Professor, IIT Kanpur, giving his perspective, said, “The attack was on the European system but then due to connectivity it crawled through the system. We need to stop being dependent on the FDI and foreign technology especially in the critical infrastructure. If we did our entire port IT system ourselves, we could still be vulnerable to such attacks, but the dependence has made it much easier to be affected big time when something happens abroad. I think the government needs to invest in cyber security research, education, training, and develop capabilities and manpower.”
It is challenging to assess the actual loss to trade from the cyber attack that paralyzed terminal operations, and the damage that a theft of critical data would cause is harder still to gauge, since the shipping industry as a whole holds millions of shipper and other records. On this, Captain Vivek Anand, President, Mumbai and Nhava Sheva Ship Agents Association, said, “The unfortunate attack on Maersk Group global system and its cascading impact on Indian operations have led to an unprecedented accumulation of import laden containers. Such incidents are industry agnostic and impact all spectrums of the economy and not restricted to the maritime industry in particular. In all such cases, there are back-up support of all data, which is a universal practice and hence we believe that all relevant data can be restored once issue is resolved and overcome. Coming to the June cyber ransomware attack on Maersk, the systems by now should have limped back to normal by the time this is published.”
But the fact remains that the port and shipping industry is exposed to cyber threats, as data from hundreds of shippers is constantly uploaded to its systems, and any weak link can compromise the others as well. Rainer Horn, Press Spokesman, Hapag-Lloyd AG, clarified, “In general cyber attacks are a permanent challenge in our industry. We have sophisticated and progressive systems in place and believe that our set up is pretty good. Furthermore, we have action plans in place including a Business Continuity Management. We have already had cyber-attacks against our systems, but of course our IT security experts do everything to keep malicious software out of our systems.”
Contingency, Risk Assessment & Damage Control
The attack on APM Terminals Mumbai should be treated as a wake-up call by the industry and the government to build robust systems that stay immune in future, or at least minimize loss. Dr. Sandeep K. Shukla of IIT Kanpur emphasized regular data backups, standby servers and software that can reinstate the system from backup within minutes when such attacks happen; in short, a proper recovery plan and the technology behind it must be developed. Ukraine's power grid recovered within an hour in the latest attack on it, whereas a year earlier recovery took many hours. They learnt from their mistakes and worked thoroughly on resilience and a recovery plan.
With mounting data, companies are gradually moving towards cloud-based platforms. Moreover, many shipping lines, given the global nature of their business, have offshore data and support centers. They also have data centers on Indian shores to leverage low labor cost and IT capability. But now it is time for a thorough evaluation of these service centers in India and elsewhere. For example, Hapag-Lloyd AG has service centers in India, and when asked about the risk factor of offshore servers, Rainer Horn, Press Spokesman, Hapag-Lloyd AG, assured, “We have service centers in India as well, and the same security levels apply as anywhere else in our organization since they are an integral part of it. In fact, we had an outage at one of our centers some years ago due to a fire in the building. The water by the fire fighters destroyed the electric system of the whole building. Our contingency plan worked very well and no container had to be left on a terminal worldwide and all ships sailed as scheduled. After two days all affected colleagues of the center started working again with new hardware in an alternative office space close-by.”
Speaking on risk assessment and preventive measures, Kate B. Belmont, Associate (Maritime), Blank Rome LLP, and President, WISTA, New York/New Jersey chapter, said, “One of the most fundamental things that a port, or any company, should do to prevent cyber attacks is conduct a cyber security vulnerability assessment. In addition, port operators, shipping companies and all businesses reliant on information and communication technology (“ICT”) must continue to implement security controls such as protective technology, as well as develop operational procedures that include risk assessments and asset management, awareness and training, information security procedures, detection processes and response and recovery plans. Human error continues to be a significant factor in breaches, hacks and ransomware attacks and while technical upgrades are necessary, developing an effective cyber security culture is critical to managing cyber risk.”
The most vulnerable port systems include cargo management systems, automated cargo handling systems, autonomous gantry cranes, automatic identification systems (“AIS”) and global positioning systems (“GPS”), Belmont emphasized.
Meanwhile, taking cognizance of the severity, the second edition of The Guidelines on Cyber Security Onboard Ships was released in early July by a joint industry working group whose members are BIMCO, Cruise Lines International Association (CLIA), International Chamber of Shipping (ICS), International Association of Dry Cargo Shipowners (INTERCARGO), International Association of Independent Tanker Owners (INTERTANKO), International Union of Maritime Insurance (IUMI) and Oil Companies International Marine Forum (OCIMF). The second edition includes, among other things, new practical advice on managing the ship-to-shore interface and how to handle cyber security during port calls and when communicating with the shore side. Similarly, the International Association of Ports & Harbors (IAPH) at its Annual General Meeting in May at Bali adopted a resolution on “Planning cyber security program to reduce cyber risks”, said Hiro Nagai, Under Secretary, IAPH.
A common perception among small businesses is that anti-virus software has enough firepower to protect them. One needs to understand that standard tools such as firewalls and anti-virus are quite ineffective on their own. A very good anti-virus program will only catch something like 50 per cent of the computer viruses out there. But, according to a technical update from Microsoft, a significant part of the spread of the newest virus could have been prevented if the systems had been running the newest updated version and had been properly configured for defense-in-depth. Note that both of these conditions have to be met: it is not enough to have the latest updates, the network must also be configured to prevent internal lateral spread of an intrusion.
Bringing business back to normal
Cyber experts strongly recommend effective segregation of the networks and servers where critical information is stored. Then, if one network or server comes under attack, it can be unplugged without affecting the rest. Moreover, procedural controls, network security, data classification and, most importantly, data backup remain key to bringing business back to normal at the earliest. Maersk is in the small group of companies that had at least devoted some time and resources in the last few years to improving cyber security, and the fact that it could be so comprehensively shut down further demonstrates the risk to the entire maritime sector. On a much smaller scale, there have in the past been cases of stolen data, usually used to smuggle or steal cargo.
Matthew Williams, Senior Marine Adviser, International Chamber of Shipping, had words of caution for the trade. He said, “New which increases connectivity will provide new opportunities and new risks in many industries, including international shipping. Petya should be a catalyst for shipping companies and ports worldwide to critically review the resilience of their operations to ransomware and other similar attacks. Petya is not a unique event.”
It is a time of transition for the Indian port and maritime sector as the country slowly moves towards a digital economy. Hence, several layers of protection, together known as defense-in-depth, need to be in place to secure the business. All systems must constantly be updated with the latest upgrades and patches, and this should be a standard routine performed very quickly after each release of patches. Elaborating on the need to give importance to IT infrastructure, Lars Jensen, CEO, CyberKeel, explained, “We made a study a week ago on a sample of ports showing that 20 per cent had not applied a patch which is 2½ years old and protects against significant threats identified 2½ years ago. The system needs to have a high level of external cyber security, making it as difficult as possible to gain entry into the system. But it must also be realized that the external defenses will sometimes be penetrated. Therefore the internal network must be configured in such a way that even if I penetrate a computer in the company, then I cannot easily move further into the network. The third step is monitoring the network activity and being able to realize a cyber attack takes place, and if it becomes clear that both the external and the internal defenses have failed, then quickly be able to shut down everything. The final important layer is to have a very solid back-up plan. We have for several years advised our clients to have a contingency plan based on the assumption that everything is gone.”
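The point made above about segregation (an intruder on one computer should not be able to move further into the network) and about isolating the backup plan can be checked on paper before it is enforced on real equipment. The following is an added example written for this article, not code from CyberKeel, Maersk or any of the organisations quoted: it models a small port IT estate as hosts assigned to network segments with an explicit allow-list of flows between segments, and computes how far a worm spreading over a single port (445, the Windows file-sharing port, as a stand-in for whatever the malware uses) could travel from one compromised workstation. All host names, segment names and allowed flows are constructed for the illustration.

```python
"""Lateral-spread model: flat network versus segmented network (constructed example)."""
from collections import deque

# Constructed inventory for a flat network: every host sits in one segment, so there is
# no enforcement point between any two of them.
FLAT = {
    "hosts": {h: "flat" for h in ["ws-finance-01", "ws-finance-02", "ws-ops-01",
                                  "tos-app-01", "tos-db-01", "backup-01"]},
    "allowed": set(),
}

# The same hosts after segmentation. "allowed" is the firewall policy between segments
# as (source segment, destination segment, tcp port); anything not listed is dropped.
SEGMENTED = {
    "hosts": {
        "ws-finance-01": "finance", "ws-finance-02": "finance",
        "ws-ops-01": "ops",
        "tos-app-01": "app", "tos-db-01": "db", "backup-01": "backup",
    },
    "allowed": {
        ("finance", "app", 8443),   # users reach the terminal application only
        ("ops", "app", 8443),
        ("app", "db", 5432),        # only the application tier talks to the database
        # Nothing may initiate a connection into "backup": the backup host pulls data itself,
        # so a compromised server cannot reach in and destroy the copies.
    },
}


def can_reach(net, src, dst, port):
    """True if a connection from src to dst on `port` is possible under the policy."""
    s, d = net["hosts"][src], net["hosts"][dst]
    if s == d:
        return True                      # same segment: no firewall in between
    return (s, d, port) in net["allowed"]


def exposed_hosts(net, compromised, port=445):
    """Hosts a worm could reach, treating every newly reached host as a fresh pivot (BFS)."""
    seen = {compromised}
    queue = deque([compromised])
    while queue:
        cur = queue.popleft()
        for host in net["hosts"]:
            if host not in seen and can_reach(net, cur, host, port):
                seen.add(host)
                queue.append(host)
    seen.discard(compromised)
    return sorted(seen)


def inbound_flows(net, segment):
    """Policy entries that allow something to connect into `segment`."""
    return sorted(f for f in net["allowed"] if f[1] == segment)


if __name__ == "__main__":
    for name, net in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(f"{name:<9} ws-finance-01 compromised, reachable over 445: "
              f"{exposed_hosts(net, 'ws-finance-01')}")
    print("flows allowed into the backup segment:", inbound_flows(SEGMENTED, "backup"))
```

On the flat network every other host, the backup server included, is reachable from the first infected workstation; on the segmented one the worm is confined to the finance workstations, and the backup segment accepts no inbound connection at all, which is the property a "everything is gone" contingency plan depends on. The same functions can be pointed at an export of a real firewall policy to test a proposed segmentation before it is rolled out.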
Imagine a situation where data files, computers, communication systems, everything, is gone, and the business has to restart quickly from that point. The situation could be scary for any business. Such an event is a realistic scenario, and has been seen not only in other industries before but also, on a smaller scale, in the shipping industry. In order to test whether the defense systems are set up correctly, penetration tests of both the external and the internal defenses need to be performed by highly skilled testers, and the results used to quickly and efficiently improve cyber defenses. The Indian port and shipping industry is slowly but surely moving towards a paperless environment, but against the backdrop of the cyber attack on India’s busiest container terminal, and on some other facilities in India and other parts of the world, the threat from cyber attacks grows bigger by the day. It is time to consider investment in IT a core business strategy.
“PETYA IS A WIPER, NOT A RANSOMWARE”
The worm originated in Ukraine, spread to various countries and reached India, which may mean that Maersk does not have a robust network protection mechanism.
Q Governments and organizations don’t take cyber threats seriously. How do you look at it?
The Indian government some time back initiated a national cyber security strategy under the aegis of Dr. Gulshan Rai. But it requires a lot more in terms of a strong outline, standards, and procedures to deal with adversaries. Transportation is a critical sector, especially the maritime industry, where more than 90 per cent of world trade is moved. If it is not considered critical infrastructure, then the focus is missing in building a robust national cyber security strategy. This industry is not like the banking sector, where one has regulators like RBI who make it mandatory to have certain policies to keep a check on ill practices. A few days ago the Singapore government came up with its new Cyber Security Law, which has a lot of focus on critical infrastructure, and the logistics industry was one of them. It is time the Indian government came up with clear guidelines and policy for some baseline control of critical infrastructure such as the logistics and maritime sector.
Verizon’s Data Breach Digest Report 2016 highlights a case in the maritime industry involving CMS vulnerabilities, where a Content Management Server that held a shipping company’s bills of lading (B/L) was compromised. There were unauthorized downloads to identify containers carrying high-value items.
Q How do you look at preparedness towards cyber security threats?
The current state of cyber security is very dynamic and complex. On the one hand there are IT and cyber security related threats and on the other hand there are issues related to operational technologies such as industrial control systems, radar, supervisory control systems, etc., apart from the many IoT solutions that have been implemented to optimize operations and business. From a regulatory standpoint the industry was completely unregulated and, except for the laws of the land, there is no protection or mandatory compliance requirement for this industry.
Q The Maersk attack emanated from Ukraine and through the company’s global network it reached India.
In the case of Maersk, it is claimed that the origin of the worm was a patch of an accounting software, MeDoc, which was used by one of the subsidiary companies of Maersk in Ukraine, and through the network it affected the parent company. Being prepared with a disaster recovery plan, robust back-up, preventive and detective controls, and a detailed incident response manual can help companies bring operations back to normal quickly. Tight network policies on the firewall, and segregation of networks to contain the spread of a virus to other parts of the network, are needed. Since the infection spread to various countries and reached India, it may be that Maersk does not have a robust network protection mechanism.
It was not a targeted attack on the Indian shipping industry. In fact if we go into the details, it is not a ransomware but was meant to be a wiper, so that the data is never recoverable. It is now being called more of a nation-state cyber attack with an intention to badly impact Ukraine. If a cyber attack of this scale is unleashed against India, the maritime and shipping industry will be severely affected. The Indian shipping and port industry needs to do a lot to sharpen itself to counter such cyber warfare. In case of a cyber attack one should not pay any ransom, as the word spreads very fast among the hacking community, and in the end one is inviting more attacks. Still, in some cases companies end up paying ransom, but Bitcoin is expensive and, due to such incidents, currently trades at US$2,600 per Bitcoin as compared to a few hundred dollars some months ago.
“With cargo operations relying more on automation, cyber threat always looms large. Certain procedural practices always need to be followed to secure business and minimise loss. In a connected world, it is inevitable that there will be security breaches”
Q How serious are future threats from ransomware and other similar cyber attacks? How can organizations be better prepared?
Victims often try to keep successful hacks a secret. The reason for this is that maritime companies value their reputation more than the money they actually lose. In many cases companies are unaware they have been hacked. Another problem is that in cases of an onboard device hack, many sailors are not ready to manage it. For instance, a GPS break can send a ship off-course while making her appear to be on-course. This can lead to collisions and delays in freight delivery.
One should back up important files regularly and check that the backup copy is in good condition. Cybercriminals often distribute fake email messages mimicking email notifications from an online store or a bank, luring a user to click on a malicious link and distribute malware. This method is called phishing. Fine-tune your anti-spam settings and never open attachments sent by an unknown sender.
Enable the ‘Show file extensions’ option in the Windows settings. This will make it much easier to distinguish potentially malicious files. As Trojans are programs, you should be warned to stay away from file extensions like “exe”, “vbs” and “scr”. You need to keep a vigilant eye on this, as many familiar file types can also be dangerous. Scammers could use several extensions to masquerade a malicious file as a video, photo, or a document (like hot-chics.avi.exe or doc.scr).
Regularly update your operating system, browser, antivirus, and other programs. Use a robust antivirus program to protect your system from ransomware. If one discovers a rogue or unknown process on your machine, cut off the Internet connection immediately. If the ransomware did not manage to erase the encryption key from your computer, there’s still a chance you can restore the files. However, the new strains of this type of malware use a predefined key, so this tip, unfortunately, would not work in that case.
If you are unlucky enough to have your files encrypted, don’t pay the ransom, unless instant access to some of your files is critical. In fact, each payment fuels this unlawful business. If you have been infected, you should try to find out the name of the malware: maybe it’s an older version and it is relatively simple to restore the files. Moreover, the police and cyber security experts collaborate to detain the adversaries and provide file restoration tools online: https://www.nomoreransom.org/
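The advice above about file extensions (executable types such as exe, vbs and scr, a harmless-looking extension placed in front of the real one as in hot-chics.avi.exe, and Windows hiding the final extension unless ‘Show file extensions’ is on) can be turned into a mail-gateway or helpdesk check. The following is an added example written for this article, not code from the interviewee or from any product; it classifies attachment names by the tricks just described and also shows what name a user would see with extensions hidden. The extension lists are constructed starting points, not a complete policy, and `displayed_name` is a simplified model of the Windows setting.

```python
"""Attachment-name triage for masquerading extensions (constructed example)."""
import re

# Types Windows runs when double-clicked: the three named above plus common script
# formats. Constructed list; extend it to match local policy.
EXECUTABLE_EXTS = {"exe", "vbs", "scr", "bat", "cmd", "com", "pif",
                   "js", "jse", "wsf", "hta", "ps1"}
# Types a recipient would expect to be harmless media or documents.
DECOY_EXTS = {"avi", "mp4", "jpg", "jpeg", "png", "gif", "pdf",
              "doc", "docx", "xls", "xlsx", "txt"}


def extension_chain(filename):
    """Lower-cased extensions after the base name: 'hot-chics.avi. exe' -> ['avi', 'exe']."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return [p.strip().lower() for p in base.split(".")[1:]]


def displayed_name(filename):
    """What a user sees with 'Hide extensions for known file types' enabled:
    the final extension disappears, so 'hot-chics.avi.exe' shows as 'hot-chics.avi'
    (simplified model of the Windows setting)."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[0] if "." in base else base


def triage_attachment(filename):
    """Return a verdict ('allow', 'review' or 'block') with the reasons behind it."""
    exts = extension_chain(filename)
    if not exts:
        return {"file": filename, "verdict": "review", "reasons": ["no extension"]}
    reasons = []
    final = exts[-1]
    if final in EXECUTABLE_EXTS:
        reasons.append(f"executable type .{final}")
        # A decoy extension right before the real one is the masquerade described above.
        if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
            reasons.append(f"disguised as .{exts[-2]}")
    # Whitespace around the last dot pushes the real extension out of a narrow column.
    if re.search(r"(\s+\.\w+|\.\s+\w+)$", filename):
        reasons.append("whitespace around final extension")
    if any(r.startswith("executable") for r in reasons):
        verdict = "block"
    elif reasons:
        verdict = "review"
    else:
        verdict = "allow"
    return {"file": filename, "verdict": verdict, "reasons": reasons}


def triage_batch(filenames):
    """Verdict per attachment name, e.g. for a whole mailbox export."""
    return {name: triage_attachment(name)["verdict"] for name in filenames}


if __name__ == "__main__":
    # Constructed sample attachment names, including the two from the answer above.
    for name in ["hot-chics.avi.exe", "doc.scr", "invoice.pdf", "Q3 report.doc .exe", "README"]:
        result = triage_attachment(name)
        print(f"{result['verdict']:<6} {name!r:<22} seen by user as {displayed_name(name)!r}  "
              f"{'; '.join(result['reasons'])}")
```

The `displayed_name` column is the practical argument for the ‘Show file extensions’ setting: with it off, hot-chics.avi.exe and a genuine hot-chics.avi look identical in Explorer, while the triage function, which sees the full name, still blocks the former.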
Q Why have enterprise cyber security solution providers not been able to deal effectively with the latest cyber threats?
There are cyber attacks that occur on the same day a weakness is discovered in software, also known as a zero-day vulnerability. It is known as “zero-day” because zero time has passed since the bug’s existence was disclosed. The fewer the days the bug has been known about, the higher the chances that it has no mitigation. Organizations at risk from such exploits can employ several means of protection, including using virtual local area networks (VLANs) to protect transmitted data, making use of a firewall, and using a secure Wi-Fi system to protect against wireless malware attacks.
“RECENT ATTACKS BY WANNACRY AND PETYA USED A 2 MONTH OLD EXPLOIT”
Q What precautions does the industry need to take while shifting to a Web or cloud-based platform?
Businesses that are moving towards Web and cloud-based platforms should prioritize security. It’s not just about going live on the Web; one needs to ensure that all best security practices are being followed. It is difficult to estimate the loss caused by these attacks, as it could be direct, such as live systems being taken down by the attacks, and indirect, such as businesses that would want to go live on the Web and scale but are deterred by such attacks.
Q Since cyber threats are here to stay, how can one minimize risk?
A business should always keep its software updated, mainly the Operating System. The Operating System should not be outdated; most of the machines that got infected with the WannaCry malware were older Windows Operating Systems. Have strong user rights policies on machines, so that even if users do encounter a malware, the malware won’t be able to infect the machine. There should be a firewall which is updated to protect the entire network. Regularly change passwords and secret keys. Keep strong password policies. Keep regular backups of the business data. For websites, have backup servers to which visitors can be redirected in case the primary server fails. Always encrypt sensitive data in the databases, so that it can’t be misused even if stolen.
Disconnecting the suspicious machines from the internet and local network should stop the malware from spreading. Inform all stakeholders about the attack and to be careful of opening any attachments that could’ve been auto-sent. Get an IT security expert to check the infected machines and identify the malware and use an antivirus/antimalware to try and remove it, failing which one would take a backup and reinstall all software.
Q How have hackers been able to dodge the cyber safety net?
The recent attacks WannaCry and Petya used a 2-month-old exploit. Microsoft had released the security updates for those 2 months earlier. Computers that did not update were open to the exploit. So this is more of an execution problem at the enterprise cyber security solution providers’ end.
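The two figures quoted in this article, a two-month-old exploit that still worked in the answer above and Lars Jensen's sample of ports in which 20 per cent had not applied a patch that was 2½ years old, are both measures of patch lag, and a fleet can measure its own. The following is an added example written for this article, not code from the interviewee, Microsoft or CyberKeel: it takes a constructed inventory of which patches each host has installed and a constructed catalogue of patch release dates, reports the oldest missing patch per host against a patching window, and computes the share of hosts missing a patch older than a given age. Host names and patch identifiers are placeholders, not real KB numbers; the reference date is the day of the Ukraine attack mentioned earlier in the article.

```python
"""Patch-lag check over a constructed host inventory (added example, not from the article)."""
from datetime import date

# Constructed patch catalogue: placeholder patch id -> release date.
CATALOGUE = {
    "PATCH-A": date(2017, 4, 25),   # about two months before the reference date
    "PATCH-B": date(2014, 12, 9),   # about two and a half years before it
    "PATCH-C": date(2017, 6, 13),   # two weeks before it
    "PATCH-D": date(2017, 7, 11),   # not yet released on the reference date
}

# Constructed fleet: placeholder hostname -> set of patch ids actually installed.
FLEET = {
    "tos-app-01":    {"PATCH-A", "PATCH-B", "PATCH-C"},
    "gate-kiosk-02": {"PATCH-B"},
    "crane-hmi-01":  set(),
    "ws-finance-01": {"PATCH-A", "PATCH-B"},
    "ws-ops-03":     {"PATCH-A", "PATCH-C"},
}

AS_OF = date(2017, 6, 27)   # reference day: the date of the attack described in the article


def missing_patches(installed, catalogue=CATALOGUE, as_of=AS_OF):
    """Patches released on or before as_of that the host lacks, with their age in days."""
    return sorted(
        (pid, (as_of - released).days)
        for pid, released in catalogue.items()
        if released <= as_of and pid not in installed
    )


def compliance_report(fleet=FLEET, catalogue=CATALOGUE, as_of=AS_OF, max_age_days=30):
    """Per host: missing patches, the oldest gap, and whether it is inside the patch window."""
    report = {}
    for host, installed in fleet.items():
        gaps = missing_patches(installed, catalogue, as_of)
        oldest = max((age for _, age in gaps), default=0)
        report[host] = {
            "missing": gaps,
            "oldest_gap_days": oldest,
            "compliant": oldest <= max_age_days,
        }
    return report


def share_with_gap_older_than(days, report):
    """Fraction of hosts missing at least one patch older than `days` days."""
    if not report:
        return 0.0
    hits = sum(1 for r in report.values() if r["oldest_gap_days"] > days)
    return hits / len(report)


if __name__ == "__main__":
    rep = compliance_report()
    for host, r in rep.items():
        status = "OK  " if r["compliant"] else "LATE"
        print(f"{status} {host:<14} oldest gap {r['oldest_gap_days']:>4}d  "
              f"missing {[p for p, _ in r['missing']]}")
    print(f"share missing a patch older than two years: "
          f"{share_with_gap_older_than(730, rep):.0%}")
```

A host that is merely two weeks behind on the newest patch is reported compliant under a 30-day window, while the ones that never took a patch from 2014 are exactly the population Jensen's 20 per cent figure describes; the same report run from a real patch-management export turns that survey statistic into a number for one's own estate.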
Q Maersk Line and Hewlett-Packard Denmark had signed a $150 million 5-year infrastructure services agreement in 2011 to use HP’s cloud-enabled data centers. Is this a question mark on the robustness of cloud computing solutions?
The 5-year infrastructure services agreement would have ended in 2016. The cloud computing solution at Maersk was not affected; it was the Service Desk function, which HP had taken over in addition, that got affected, which, as in the previous question, is an execution problem.
Q What is your assessment of the situation about data theft?
Cyber criminals and cyber security experts are always trying to be one up on each other: cyber security experts will create secure systems, cyber criminals will eventually crack them, then security updates will be released, and this will go on forever. Many big firms like Facebook and Google invite hackers to try and infiltrate their systems, so that they can plug the holes before someone with malicious intent figures them out. There are ways to secure the data in databases so that even if it is stolen it is of no use to the thieves, and these should be followed.