Project Cargo Defenses Against Cyberthreats
By Thomas Timlen
Threats posed by cyberattacks have received a lot of attention of late. The recent breaches of systems owned by high-profile transport companies such as COSCO and Maersk bring the issue close to home for all practitioners in the cargo transport sector. Those hacks not only resulted in significant financial losses, but also caused damage to corporate reputations.
Like the majority of cyberattacks involving freight transport, the COSCO and Maersk hacks targeted land-based servers, internal networks and commercial databases. As far as the public knows, systems linked to the operation of the companies’ assets were not affected.
Indeed, the vulnerability of land-based servers has been seen as the primary risk for some time. While there are countless examples of hackers penetrating commercial servers and networks, the few cases of systems associated with equipment operations being compromised have most often involved controlled tests rather than actual malicious attacks.
For example, vessels at sea have had their GPS systems “spoofed,” a manipulation causing the GPS to indicate the wrong position. This GPS spoofing has been done in controlled-test scenarios as well as by unknown actors. Meanwhile, automobiles have similarly been hacked in controlled tests, but so far, not in real attacks. The potential consequences of the navigational and other onboard systems of aircraft and locomotives being hacked require no explanation.
In response to concerns regarding cyberattacks, most, but not all, transport sectors have developed sector-specific generic guidelines aimed at protecting their respective assets from cyberattack vulnerabilities. But can transporters of heavy-lift and project cargo rely solely on such generic guidelines to prevent cyberattacks?
Beyond Generic Guidelines
Regarding the available generic industry guidance, Luzius Haffter, executive director of GPLN, explained that in practice, there are pressures from clients and contractual partners that go beyond the scope of currently available guidelines.
“Any specific guidance aimed at the heavy-lift/project transport sector is usually provided or requested by some bigger companies who are offering a tender to our members for some projects, but this is different case-by-case and is also dependent on their customers.” As a result, Haffter said that some GPLN members resort to developing their own procedures to meet clients’ demands.
The information provided by GPLN’s members points to more concern regarding systems and networks as compared with transport operations. Haffter noted that guidelines alone do not provide adequate protection from these specific cyberthreats.
“We don’t think that existing cybersecurity guidelines are adequate, especially when it comes to payment issues,” he said. “During the past year we have received information from several GPLN members about ongoing scams where people hijack email accounts of our members. They then send emails under the official email account to our members and tell them that their company has opened a new bank account and to transfer the amount due to this new bank account. This fraudulence has already cost some of our members a lot of money and created distrust between them.” Haffter warns that these cases continue despite GPLN’s ongoing efforts to alert its members.
The focus of GPLN’s members on cybercrimes targeting servers and networks is not surprising. This is where the majority of activity is taking place, while it is a challenge to identify more than a handful of cyberattacks aimed at assets moving cargo by air, sea, rail or road. With that in mind, system integrity receives the most attention when setting up defenses, as this is where serious financial losses have already arisen, as COSCO and Maersk can attest.Going After the Money
“Today, the most dangerous cyberthreats are driven by financial gain, with the groups involved far more organized, well-funded and resourced,” Jenny Gao, AAL’s senior IT manager, noted. “To put things into some perspective, in 2016, the U.S. government spent US$28 billion on cybersecurity and this increased in 2018 – more than the entire budget of many countries. The speed with which online communication technology is developing and new media is available for such is incredible, and it sometimes comes at the cost of proper cyberprotection, which seems to be playing catch-up.”
Gao noted that the risks stemming from virus, ransomware and fraud emails make cybersecurity the No. 1 threat to organizational processes and integrity, and the No. 1 headache for IT teams like AAL’s.
“According to Microsoft, the potential cost of cybercrime to the global community is a mind-boggling US$500 billion, and data breaches will cost the average company about US$3.8 million. It is so important to be in-the-know about the potential threat cybercrime poses, the impact it is having, and what can be done about it,” she said.
Bringing this home for the project and heavy-lift sector, Gao pointed out: “We should not imagine that as a niche shipping segment, the multipurpose vessel sector is any less prone to attack. Cybersecurity is a growing threat to the maritime shipping community, as we demand greater 24/7 connectivity, speed, transparency and networking capability in our global operations and communications, especially with our customers, partners and colleagues. Cyberattacks are growing in prominence every day, from influencing major elections to crippling businesses overnight; the role cyberwarfare plays in our daily lives should not be underestimated.”
The concerns of GPLN’s members make perfect sense to Gao. “Worrying statistics for businesses like ours is that 5 percent of all emails contain malware, 63 percent of all network intrusions and data breaches are due to compromised user credentials and an estimated 4,000 ransomware attacks occur daily, and growing.”
For a global organization such as AAL, not only is the nature of these breaches constantly evolving, but the responses to them differ across the globe. Making sure that everyone is up to date and taking precautions within their related work functions is today one of the most crucial roles its IT helpdesk plays. “At AAL, we have a mandate from the management to invest the time and money needed to ensure our systems are professionally monitored and secured around the clock, at every point in the network operation and to the highest standards,” Gao said.
This is no small task. AAL runs a global network with multiple online platforms, each one facilitating a critical stage in the daily shipping operations. Although these highly sophisticated platforms provide cross-platform networking, they are developed and managed by different vendors and harness different technologies and architecture. Each requires its own set of security and protection protocols and standards. As such, Gao said this means that one size does not fit all, and AAL constantly needs to be engaging with multiple sources of protection software and spam filters to ensure its end-to-end system is monitored and updated with the latest software.
Tackling In-transit Threats
While industry scrambles to protect systems and networks, efforts have also been underway to protect the conveyance of project cargo.
In 2014 the International Air Transport Association, or IATA, issued its Aviation Cyber Security Toolkit. Subsequently IATA partnered with the International Civil Aviation Organization, Airports Council International, the Civil Air Navigation Services Organization, and the International Coordinating Council of Aerospace Industry Associations to develop a roadmap to unify cybersecurity preventative measures for aviation.
Addressing ocean transport, in 2017 the International Maritime Organization, or IMO, issued its Guidelines On Maritime Cyber Risk Management. Like IATA, the IMO has also welcomed the complementary efforts of related stakeholders such as the International Organization for Standardization, the International Electrotechnical Commission, the U.S. National Institute of Standards and Technology, as well as industry groups such as BIMCO, CLIA, ICS, INTERCARGO, INTERTANKO, OCIMF and IUMI, to produce guidance aimed at protecting vessels and maritime cargo movements from cybercriminals. But are such guidelines adequate on their own, or does more need to be done?
For one cargo sector, the absence of such guidelines does not mean an absence of related initiatives or measures. “There are no guidelines addressing the cybersecurity in the rail sector for the time being,” according to Libor Lochman, executive director of the Community of European Railway and Infrastructure Companies, or CER. “However, the European Union Agency for Railways intends to foster close cooperation with the European Union Agency for Network and Information Security and the European Commission in order to support railway stakeholders on cybersecurity strategy development. In this respect a cooperation with other EU agencies in the transport sector such as the European Aviation Safety Agency and European Maritime Safety Agency is envisaged.” The establishment of an Information Sharing and Analysis Center, or ISAC, is being considered.Not Specific Enough
But questions remain on whether such initiatives are sufficient enough to address the unique needs of project and heavy-lift transport. Existing requirements do, in principle, touch on cyberthreats. “Each railway undertaking has to possess a safety certificate authorizing its safety management system, or SMS,” Lochman said. “The SMS should also cover all activities related to cybersecurity in the railway context, especially with regards to the assessment of safety consequences originated by security threats.” In the absence of specific preventive guidance, the cyberthreat is addressed by virtue of the SMS requirements, taking into account the specific nature of the consignment.
The situation is similar for road haulage. “The industry needs to prepare for the transition to a digital future, which includes digital transport documents such as e-CMR and digital customs documents such as digital TIR,” said Jens Hugel, a senior advisor at the International Road Transport Union, or IRU. “Protecting assets proactively is good. However, understanding the issues properly by asking politicians and legislators the right questions – such as who owns the data of the future; who defines and ultimately controls the operating procedures; who is liable in cases of cyberattacks – and then jointly addressing the issue, for example by implementing tried and tested UN Conventions in coordinated ways, is even better.”
Road freight transport security has long been a major concern for transport operators and drivers, according to Hugel. “Since the attacks of 9/11, the road transport industry has put an even greater focus on this subject. Today major security concerns in Europe are related to cargo crime, irregular migration and border controls, and secure parking.”
Transport operators turn to IRU for answers, and it duly provides practical tools such as the IRU Road Transport Security Guidelines, which is a set of detailed recommendations for managers of road transport companies, drivers, shippers/consignors and companies on improving security in day-to-day operations. “They contain a wealth of practical tips to strengthen security against terrorism and other criminal threats,” Hugel said.
While the present risks are unquestionably the vulnerability of servers and networks, followed closely by ransomware attacks that could compromise asset operations, among future risks is the vulnerability of autonomous conveyance assets to cyberthreats. Until there is significant confidence in the resilience of protective measures to protect autonomous modes of cargo transport from cyberthreats, the likelihood of pursuing autonomy for the movements of often high-value and high-spec project and heavy-lift cargoes borders on the improbable.
Meanwhile, charterers do not see a high risk of cyber vulnerability with respect to project and heavy-lift cargo operations. An industry source said that presently there is a very limited degree of digitization onboard heavy-lift vessels, in contrast with the large container or bulk carrier segment. The source also felt that demand-wise, the project business is characterized by high cargo versatility and routing flexibility, and supply-wise by a very heterogeneous ownership structure. In other words, vessel-wise there is a lot more uncertainty for multipurpose and heavy-lift ships on their use, ownership and trading/chartering employment. As such, through the nature of the business, its flexibility and short-term orientation, cyber risks to cargo operations are not yet seen as a real threat for the sector.
Thomas Timlen is a Singapore-based freelance researcher, writer and spokesperson with 28 years of experience addressing regulatory and operational issues impacting all sectors of the maritime industry.
Photo credit: Shutterstock
WANT MORE LIKE THIS?
Subscribe to Breakbulk Magazine. Published six times a year, the magazine includes insight and analysis on the biggest issues facing the project cargo and breakbulk industry, profiles and commentary from leading shippers, event previews and lots more. Digital is free - just sign up! The print subscription is $48 a year, which includes shipping worldwide. You might also like our weekly Newswire - try it out, it's always free.