Written by Walter Hannemann | 06 April 2018
By Walter Hannemann, Product Manager, Dualog
Cybercrime represents a serious threat to the global maritime industry. The few cases that made the headlines recently - and there are potentially many other cases that we have not heard about - made it clear that it is a real problem to be immediately and seriously addressed and not just hype from vendors trying to sell cyber security products. It is also clear that the impact of a cyber incident is no longer limited to malfunctioning computers or employees not being able to use e.g. email. There is a direct, negative impact on the business and the bottom line.
It is also known that the vast majority of cyber incidents, not only in maritime, have two main characteristics: 1) they are randomly distributed – or spread automatically after the first infection – using exploits and 2) they find their way into computers via known vulnerabilities in IT systems. Because of that, companies must ensure they have solid infrastructure and update/upgrade policies in place to protect their systems and consequently their businesses.
That is not to say that there are not targeted attacks, where an actual hacker or hacker organisation goes after a specific company, taking the time to device and deploy social engineering schemes that will bypass not only security controls but also users common sense – we are, after all, essentially trusting beings. But even in those cases it is common to have the actual malware exploiting a vulnerability to enter and/or spread itself in the target organisation.
A software vulnerability is a security flaw, glitch, or weakness found in software or in an operating system (OS) that can lead to security problems. An example of a software flaw is a buffer overflow. This is when software becomes unresponsive or crashes when users open a file that may be "too heavy" for the program to handle.
However, this commonly encountered error becomes a security concern when attackers uncover the vulnerability, conduct research about it, and create a malicious code (exploit) that targets this glitch to launch their malicious software, which may include gaining administrator privileges which gives attackers control over the vulnerable system or infecting it with malware.
Software bugs that lead to vulnerabilities exist in all software and all digital platforms, from operational systems like Windows, MacOS and Android (yes, mobile devices are also under attack) to software packages like your planned maintenance system. Vendors and the software community are constantly working on fixing (patching) their systems to continuously improve the security.
A large number of IT security professionals are exclusively dedicated to finding those vulnerabilities and helping software vendors with fixing it. The result is that most computers users see update offerings from different software being pushed to their systems sometimes several times per week. They are known as security patches. And those security patches are usually made available at zero cost from the vendors – users just have to download and install it.
An exploit is a code purposely created by attackers to abuse or target a software vulnerability. This code is typically incorporated into malware. Once the exploit code is successfully executed, the malware drops a copy of itself into the vulnerable system.
In some cases, an exploit can be used as part of a multi-component attack. Instead using a malicious file, the exploit may instead drop another malware, which can include backdoor Trojans, spyware that can steal user information from the infected systems and now more commonly ransomware, that by encrypting files or the whole system, makes the data unavailable unless the user (or company) pays ransom to the attacker.
Vulnerabilities can be roughly classified as the following matrix:
Because hackers (generically speaking) work primarily by finding and exploiting vulnerabilities, the likelihood of falling prey to a cyber-“attack” in a system that is not fully updated is much higher, even higher if the computer is not running the most current versions of operational systems.
To make things worse, users tend to not notice software vulnerabilities. That leads to two potential problems: 1) users are less keen to update their systems that are otherwise “working fine” (“don’t fix something that is not broken” attitude) and 2) a cyber-“attack” might be going on without the user being aware, because there is no evident sign of anything wrong.
For professionally managed systems and infrastructure, this makes the life of IT administrators even more complex, because they need to both ensure that operational systems and applications are well-functioning and updated, which in some cases is mutually exclusive. And because of the interdependency of many components, like an application dependency on a specific version of the operational systems or Java.
A Maritime Cyber Security white paper published in 2015, cited that 99% of cyber-“attacks” are known to come from vulnerabilities and 90% of these vulnerabilities have security patches available, which just shows how important it is to ensure your systems are fully updated. Cyber attackers are, in the main, opportunistic thieves. They will go around looking for unlocked doors, rather than carry out highly-thought out, complex, targeted attacks on individual businesses.
Our own research has shown that many companies in the maritime shipping industry are reluctant to patch their systems, including the Windows operating system. Usually, reasons range from “it’s too expensive to download all that data” to “I have a business application that was developed in 1999 and if I patch my Windows then that application is going to stop working because of the functionality it uses is the cause of such and such vulnerability”. But we also find excuses like “that cargo management computer belongs to the vessel equipment and we are not responsible for it” and “this computer is not connected to the Internet, so there is no need to update or patch”.
Companies have lost millions of dollars by falling victim to cyber incidents or attacks, but how much does it cost to patch a computer? In comparison, very little – the patch itself is usually free. It really starts in good hygiene in your IT systems. Because if you don’t, you are tacitly accepting an underlying risk. It’s not about companies failing to invest in security controls, policies, or even personnel, but more often about weaknesses –in altogether robustly secured systems being exploited by the cyber attackers.
We can probably agree that patching and upgrading applications and computers is one of the key factors in cyber securing your company. Why is it then that many companies fail to do so in a timely manner?
First of all, there must be a shift in people’s attitude and mind-set towards IT security – and IT in general. Part of the problem is that people just don’t realise how critical IT is. When a computer system is hit by e.g. ransomware, it is no longer an IT problem but a company problem, because it is the company that loses money, not the IT department. IT is not something that is on the side; it is as important as the main office or the ship itself, if not more, because if IT collapses many parts of the business collapses. We have recent evidence showing that this is becoming more and more relevant.
However, having a fully updated infrastructure isn’t something that will happen overnight. If the industry is going to be successful in clamping down on cybercrime, companies must count IT departments as one of the vital aspects of their business and plan ahead to ensure their IT systems are updated and secured. That in turn means that IT departments should become more engaged with the business and received proper attention, both in their budgets and their qualification to deal with the increasing responsibility.
One argument we have heard is that there is no budget for updating or upgrading applications, and therefore operational systems cannot be patched. But the costs of a disruptive cyber incident are potentially and likely much higher. You have the direct investigation and recovery costs, but add to that the operation disruption, the reputation damage, the market value impact and all of a sudden, upgrading a legacy application seems simple and a very good idea. Even better if you consider that a system replacement can be planned and budgeted in the most convenient time, as opposed to a cyber incident, that you just have to deal with.
Because upgrading computer systems on ships is not a quick fix, it needs a detailed and planned approach. It’s more imperative than ever that the business gets involved and defines its own strategy and goals. Companies are often reluctant to engage in such long-term projects because of the high costs involved, so they simply wait until their current system gets attacked and nothing works - by which time the damage has already been done. And the money is not spent wisely, as it’s then all about making the company operational again.
Top management should be aware of the needed attention and budget to IT systems before a cyber-“attack” (targeted or not) makes their systems unavailable. They should bring their IT departments closer to the business and ensure they all understand how critical it is to have well-functioning systems and what is the impact to the business if they don’t.
As we can see from the recent cases, the argument for patching is compelling because, without it, you might have firewalls and intrusion detection systems, for example, leading to a “lock on a cardboard door scenario”. Fear of breaking legacy applications or the predictable patching costs (download and deployment) leads to more serious risks and problems further down the line, including a potential ransomware attack that breaks everything.
As a digital platform provider that brings together internet, cloud and email services under one space, we have placed cyber security as a key component in all services we provide and we believe that by enabling our customers to deploy properly managed infrastructure, they are inherently much more secure and can properly manage their systems. We not only encourage our clients to keep their computers and systems up-to-date in our continuous collaboration with their IT departments and vessel management, but also enable better management of their IT assets by data traffic optimisation and visibility of their overall vessel infrastructure.
Finally, Dualog has been offering “Security and Control Services” long before cyber security made the headlines in our industry. This continued commitment is even more valid today and we keep enabling our customers to not only put a lock on their doors but also to ensure that their infrastructure is rock-solid.
This story was originally published in The Maritime Risk International magazine.