The cyberattack on Maersk, the container shipping industry’s largest company, is not an isolated case in the sector, according to Lars Jensen, Founder of maritime cyber security specialist CyberKeel. In this interview, Jensen tells Port Technology that there have been other instances where companies have fallen victim to similar malware and even paid ransoms. But this is not about to change, and may even get worse.
CyberKeel’s testing has revealed that 44% of carriers are showing low levels of cyber security.
It also found that an unnamed top-20 carrier allows shippers using their eCommerce platform to use “x” as their password, while a carrier in the top five claims that the password “12345” is of “medium” strength.
Perhaps more shockingly, a port terminal is guilty of having a server accessing eCommerce tools that can be taken over by downloading software from the internet.
Additionally, 10% of carriers and 20% of the sampled ports and terminals have still not patched the vulnerabilities related to the 'Poodle' and 'Heartbleed' cyber threats which emerged more than two-and-a-half years ago.
But Maersk's openness about what happened to its APMT Terminals has made Jensen see a silver lining in the cyber security cloud.
“This is what the industry needs,” says Jensen. “We need an injection of realism as to what the threat is out there. This is not the first time something like this has happened to a shipping company. They’re very good at keeping it in-house as no one seems to see any value in publicising that they have been breached.”
He believes that this kind of attitude means organisations underestimate the threat posed by malware, leaving a void of knowledge in the maritime industry of how best to recover.
“Maersk is probably collateral damage,” adds Jensen. “Overall, from how this has unfolded, it seems it was a deliberate attack on the infrastructure of the Ukraine. Then Maersk and a few other international companies caught it as well.
“Some of the hackers in my outfit are telling me that when they look at the code it’s very sophisticated and well written. This is not the kind of thing that has been done in a basement on the fly.
“It’s not ransomware. It disguises itself as such so that if you pay $300 you get your data back. If you look at how the code is written, there is absolutely no way in which you can get it back. This one has been designed specifically to destroy.”
The attack stands out because of the number of terminals affected, but Jensen views it as not being “out of the ordinary” because of the speed at which terminals came back online.
This also meant that the impact on the industry has not been as severe as many feared due to bookings being made a week or two ahead of time.
However, Jensen says that had this scenario gone on for longer, Maersk’s 16% share of the global fleet would have created a backlog of ocean cargo that other carriers would have found “impossible” to deal with.
After almost three years of warning against the dangerous lack of maritime cybersecurity, he believes that the latest attack should finally serve as a “major wake up call for the entire industry”.
“No matter how good your cyber defence is, you will never be 100% safe,” adds Jensen, who sees poor patching procedures as one of many weak points that hackers can take advantage of in a company-wide system.
This is what fuelled the WannaCry virus that infected more than 230,000 computers in over 150 countries in May this year (2017).
It's a shame that, only a month later, we're faced with another cyber disaster that shows it didn't serve as a lesson to some of the biggest organisations in the world.
Once the virus got into the Maersk system, it was able to spread both globally and across its business units.
Jensen says that Maersk's internal cyber defences cannot be categorised as “high” because more defensive network configuration and maintenance would have prevented such widespread disruption.
And while Maersk’s contingency plan secured rudimentary functions within 36 hours of the attack, it’s Jensen’s belief that the subsequent six-day recovery shows a clear lack of preparedness.
“If I have 50,000 computers, all it takes is one not to be patched. The virus can get on to that one. From there it can spread to computers that are patched. The attacker only needs to get it right once.
“This is a matter of having procedures where you quickly realise you’re under attack. The worst thing you can do is dawdle around at that point in time. The longer you wait, the more computers that become infected. What you need to do is shut everything down.”
Jensen even advises pulling plugs out of the wall in some cases, which he says is more or less what Maersk did “very quickly”.
Checking whether a system is infected or not should be last on the list of priorities. That can be carried out once a solution is found.
It's these measures that caused Maersk’s systems to all go down, not because they were all infected, but because it was “a proper defensive mechanism to deploy”, says Jensen.
“Maersk seem to have reacted in the right way and the particularly good thing to see is that they were very public about it being a cyberattack.”
Considering the state of the industry at large, it is crucial that maritime companies look at the Maersk case and learn from it by creating more robust and resilient systems.
Although it dealt with the problem in the right manner and recovered well, Maersk could have avoided the problem in the first place.
This should be a lesson for everyone in the industry to take on board. After all, it will not be the last time we will see such challenges arise.