Verizon's managing principal for investigative response, Ashish Thapar, uses multiple attacks on one owner's vessels to illustrate the vulnerability that shipping can face when hackers gain access to its IT systems.
The case study, known as the “Roman Holiday”, involved an undisclosed global shipping conglomerate that contacted the Verizon RISK Team after becoming alarmed by a series of attacks in which the pirates were armed with very specific information about the cargo onboard the vessel.
The pirates would board the vessel forcing the crew into a single area, and then depart very quickly having located the cargoes that they planned to steal.
“The company kept on wondering how the pirates had such specific information as to know which container had the highest value cargo. They were very perplexed as to how this happened six or seven times,” Thapar explained to Seatrade Maritime News recently.
Suspicion fell on the company’s content management system (CMS) through which bills of lading were uploaded.
Studying the network traffic around the CMS, Verizon found that a malicious web shell had been uploaded onto the server. This allowed the pirates, or the hackers working with them, to interact with the webserver and perform actions such as uploading and downloading data, including bills of lading for future shipments.
“What we did was recovered all their commands, we found out which systems they compromised and then we stopped that entire access, and we completely foiled their plan,” Thapar said.
While CMSs and their vulnerabilities are by no means limited to shipping and are, according to Verizon, increasingly being targeted in attacks on e-commerce systems, the case illustrates the vulnerability of many of the systems used onboard vessels, such as the navigational systems.
Thapar highlights systems such as ECDIS, AIS and GPS tracking which, if hacked, could potentially allow the threat actor to take a ship off course. “These systems have not inherently had that security kept in mind when they were developed several years back,” he explained.
“The maritime industry has to put in a lot of effort to improve their security. There is a very deep risk assessment that needs to be undertaken by the industry to preserve their critical assets that could be approachable over internet.”
As well as undertaking a comprehensive risk assessment, he recommends implementing three areas of security control – preventative, detective and response controls.
Preventative controls stop attacks in the first place, detective controls find out if anything wrong is going on, and response systems prepare organisations to handle incidents when they do happen because, as Thapar notes, “you cannot build a Fort Knox”.
“Security needs to be kept as a part of design rather than an afterthought.”