Lessons aren’t being learned

CMA CGM and the IMO become the shipping industry’s latest ransomware victims. Why does it keep happening? And more importantly, what can you do about it?

If the aftermath of CMA CGM’s ransomware attack showed the shipping industry anything, it is that lessons clearly aren’t being learned. The French giant was the latest shipping company to be attacked, joining the likes of Maersk, MSC and COSCO in a club that nobody wants to be a member of. 

Three years on from the NotPetya attack on Maersk that cost the company $300m, CMA CGM fell victim to an attack that shut down its ecommerce systems and took more than 10 days to fix. During that time it faced criticism about the quality of its backup system and had to resort to Twitter to update its clients.

And while CMA is expected to make a full financial recovery, the loss of face and reputation will have caused damage that extends far beyond the balance sheet – especially when the industry has had several warning shots.

Days later – and perhaps coincidentally – the IMO website was held hostage by ransomware. Like CMA CGM, the loss of reputation for the IMO is more embarrassing in the short term than it is damaging in the long term – especially given that it has been pressuring the industry to take cyber security more seriously.

But that campaign wasn’t without merit. Cyber-attacks on the maritime industry’s operational technology (OT) systems have increased by 900% over the last three years, with the number of reported incidents set to reach record volumes by the end of 2020.

And somewhat worryingly, the attack on CMA CGM means that all four major players in an industry have been successfully targeted for the first time – which raises a number of questions.

Why is it happening?

One could be forgiven for thinking that shipping is now fair game for cyber criminals. The increase in attacks and the targeting of the industry’s major players and governing body suggest that it’s particularly vulnerable to cyber-attacks. But is that down to negligence or is the industry uniquely exposed?

Experts have said that shipping is ‘brutally exposed’ to the impact of ransomware, while the successful attacks on its major players show that the industry is both soft and there for the taking. That it is so integral to the global economy also means that its organisations are far more likely to pay a ransom just to keep business moving. That fact isn’t lost on cyber criminals.

A spokesperson for one ship owner, who wished to remain anonymous, said that it was becoming increasingly likely that the industry would see more attacks if it didn’t start to take action.

“Maersk was a watershed moment for the industry,” they said. “Once they’d been taken out it opened the floodgates as far as hackers were concerned. The industry was fair game, partly because of how easy it is to breach the networks and partly because a lot of companies are willing to pay to get their IT back online.”

Should shipping companies be especially worried?

Figures reported in July this year tell a damning story. In 2017 there were 50 significant OT hacks reported, increasing to 120 in 2018 and more than 310 last year. This year is looking like it will end with more than 500 major cyber security breaches, with substantially more going unreported. In short, attacks are increasing at an alarming rate. So should shipping companies be especially worried?

“I think shipping companies need to be more aware of the threat they face,” says IT specialist Patrick Burgess. “Like any organisation operating in a complex industry, they’ll be using multiple systems. A lot of those systems will be old or in need of updating. That creates areas of weakness and vulnerability.

“What we often see is that companies in any industry spend a lot of money in the wrong areas, such as on firewalls for example. What they fail to do is update the entire internal system, to make sure that if a virus or malware gets onto the network it can’t spread laterally. It’s the equivalent of locking your front door but leaving your back door open.”

The proverbial backdoor in shipping’s case appears to be the shore-based networks and systems. A lot of money is spent each year on securing vessels, leaving little or no budget for shore-based upgrades. While this approach isn’t necessarily wrong, it isn’t completely efficient either.

“The biggest weakness in any organisation from a cybersecurity perspective is its people,” Burgess adds. “All it takes is for one individual to click on a link that contains malware or ransomware and it can spread across an entire network. For large and complex organisations that operate across multiple sites and multiple continents, that can be very damaging, very quickly.”

In that respect, the attacks on the shipping industry are a perfect storm. It’s an industry with a high profile, a huge footprint and rich players. It’s vulnerable partly because of its success and partly through a failure to adapt. So can the spate of attacks be stopped? Are they preventable? Burgess thinks so.

“It comes down to attitude, and we advise this across every industry and to companies of all sizes. You have to assume that you will be attacked at some point. It’s not a case of if you’re going to be attacked; it’s a case of when. If you prepare for an attack then you not only mitigate the risks, you go a long way to preventing them.”

The bottom line is that lessons have to be learnt. The warnings need to be heeded. Everyone thought Maersk was too big to be attacked, but they weren’t. They were lucky to the extent they could absorb the losses and repair the damage. Not every organisation can afford that kind of financial loss or that dent to their reputation. Cyber threats need to be taken seriously because they’re not going away, and no company, regardless of size, is immune to the threat.