In its monthly official newsletter ‘Phish & Ships’, sponsored by CSO Alliance Maritime, Be Cyber Aware at Sea campaign focuses on “Petya” cyber attack that recently affected the shipping sector. The incident made clear that finally shipping will be forced to face the fact that attacks are not only probable, but that they are real, and the industry is vulnerable to them.
As explained, the virus is believed to be ransomware – a piece of malicious software that shuts down a computer system and then demands an often extortionate sum of money to “fix the problem”.
How companies reduce risk
According to Sharif Gardner, Cyber Unit Training Manager at Novae Group, each company is different. There are technical and procedural responses for reducing risk. Technical controls in today’s environment will require getting the basics right where possible, such as software and system updates, reducing privileged access and where possible, technically restricting automatic downloads of unauthorised software. Procedural controls will take longer because it is a behavioural challenge and one that enforced policies alone will not fix – training is the key to improving procedural security.
How are passwords discovered
According to UK National Cyber Security Centre (NCSC), attackers use a variety of techniques to discover passwords. Many of these techniques are freely available and documented on the Internet, and use powerful, automated tools. Approaches to discovering passwords include:
- Social engineering eg phishing; coercion
- Manual password guessing, perhaps using personal information ‘cribs’ such as name, date of birth, or pet names
- Intercepting a password as it is transmitted over a network
- ‘Shoulder surfing’, observing someone typing in their password at their desk
- Installing a keylogger to intercept passwords when they are entered into a device
- Searching an enterprise’s IT infrastructure for electronically stored password information
- Brute-force attacks; the automated guessing of large numbers of passwords until the correct one is found
The International Maritime Organization (IMO) has given shipowners and managers until 2021 to incorporate cyber risk management and security into their safety management systems. The implementation, and indeed the new focus on cyber risks and responses, will not be an easy or comfortable task for shipping. However, there should be some comfort in the fact that both owners and officers understand the processes of managing safety through the existing ISM Code structure.
Overall, considering the interconnectedness of the issues, interweaving cyber safety into regular safety management systems is the most sensible route, not least by making compliance an important business decision too.
Not conforming to the new rules means shipowners run the risk of their vessels being detained. Detained vessels, or those found to be unseaworthy in commercial disputes are a major threat to any business so there is a financial pressure for shipping companies to react promptly.
Shipowners and managers need to get onboard with the new risks and work to address the cyber needs of their people, clients, vessels and shore management effectively.
Beware the Whaling
This is where criminals take it up a level and send out a highly targeted phishing attack: one usually aimed at senior executives, and which masquerades as a legitimate email. Victims are encouraged to perform secondary actions, such as initiating a wire transfer of funds.
Whaling does not require extensive technical knowledge yet can deliver huge returns. As such, it is one of the biggest risks facing businesses. In their choice of target, senior management and chief executives, whaling emails tend to look more sophisticated than generic phishing emails. They usually
- Personalised information
- Convey a sense of urgency
- Have a solid understanding of business language and tone
Explore more by reading the full newsletter: