It sometimes seems news of cyber-attacks is an ordinary occurrence. For example, Sony’s PlayStation Network and Sony Entertainment Network were taken offline last Sunday due to a distributed denial of service attack, which was an attempt to overwhelm the network with artificially high traffic. The networks were back online Monday, and Sony announced it has seen no evidence of any intrusion to the network and no evidence of any unauthorized access to users’ personal information.
Also this week, it has been widely reported that Russian hackers attacked the U.S. financial system in mid-August, and infiltrated and stole data from JPMorgan Chase and as many as four other banks. The sophistication of the attack and technical indicators extracted from the banks’ computers provide some evidence of a Russian government link, reports a story on Bloomberg. Security experts and government officials have not yet reached that conclusion, however, and investigators are considering the possibility that the attacks are the work of cyber criminals from Russia or somewhere in Eastern Europe.
So if it seems cyber-attacks are commonplace, does that mean maritime shipping and supply chain systems may be the next targets? Leaders at the International Maritime Bureau (IMB) think so. In fact, IMB has released a statement calling for vigilance in the maritime sector because shipping and the supply chain is the “next playground for hackers.”
IMB leaders believe recent events show that systems managing the movement of goods need to be strengthened against the threat of cyber-attacks.
“It’s vital that lessons learnt from other industrial sectors are applied quickly to close down cyber vulnerabilities in shipping and the supply chain,” says IMB.
The problem is that while IT systems have become more sophisticated and enable companies to better protect themselves against fraud and theft, the systems also may leave companies more vulnerable to “cyber criminals,” explains IMB. At the same time, criminals increasingly target carriers, ports, terminals and other transport operators.
“We see incidents which at first appear to be a petty break-in at office facilities,” says TT Club’s insurance claims expert Mike Yarwood in the IMB statement. “The damage appears minimal and nothing is physically removed. More thorough post-incident investigations, however, reveal that the ‘thieves’ were actually installing spyware within the operator’s IT network.”
The larger industry challenge is that the cyber security of maritime control systems is controlled by engineers and not chief information security officers (CISOs) or chief information officers (CIOs), says Wil Rockall, a director in KPMG’s cyber security team, in the IMB release. Most ports and terminals are managed by industrial control systems which have, until very recently, been left out of the CIO’s scope. Historically, this security has not been managed by company CISOs and maritime control systems are very similar, Rockall says.
“As a consequence, the improvements that many companies have made to their corporate cyber security to address the change in the threat landscape over the past three to five years has not been replicated in these environments,” Rockall says. “Instead engineers—people who focus normally on optimizing processes efficiency and safety, not cyber and security risks—have often been left to implement and manage these systems. That means many companies and their clients are sailing into uncharted waters when they come to try and manage these risks.”
What are your thoughts on the security of maritime shipping and supply chain? Is their vulnerability a concern for your company or partners?