What next after the WannaCry and NotPetya cyber-attacks?

Sorry but I don’t have a crystal ball, although I know I will be pretty safe in predicting that we will see more major cyber security attacks announced across the globe before too long. Pretty much all of the cybersecurity professionals attending this year’s Blackhat conference also agree, with most expecting a cybersecurity breach of their own company in the next 12 months. Review the survey results here.

The Maritime industry has had a significant reaction to Maersk APM Terminals suffering a major ransomware code-based attack. Many companies are no doubt saying that if this could happen to Maersk, a company with experienced cyber security managers at their disposal, then what could happen to their own systems?

Several journalists have described the world-wide attacks in some detail, but it is worth revisiting this in the context of our industry. Malicious software often spreads by email but it is the exploit of software weaknesses in PC network connections that is making these attacks particularly dramatic.  The emerging story of NotPetya shows even more engineering – suggesting that the initial infection came through a false tax software update introduced via the Ukrainian software company M.E. Doc. This not only explains the pattern of infection and why particular companies were impacted, but also suggests some targeting, at least before a wider infection.

The company challenge

Although they had differences in how they worked, both of the recent high profile spreading attacks have been exercising and improving cyber security response. The lessons many have learnt are:

1. Have a good inventory of systems – or the ability to discover all relevant systems quickly. Many companies struggle with keeping an up to date inventory, so we saw a lot of rushing around. Hopefully the business case for keeping up to date system status information can now be made. The next widespread attack will have exploited different weaknesses.
2. Have good cybersecurity intelligence – each of the attacks followed the usual pattern of confused stories about how they operated and spread. The most successful responders were connected into well informed alert communities.
3. Have mature vulnerability management – requiring software to be updated with security patches and/or service and communications to be blocked. To resist the WannaCry attack launched in May, systems would have needed to have been maintained with a Microsoft update released two months before.

OT and the supply chain challenge

The steps outlined above should be very much a case of ‘doing the basics’ for office IT systems but is far less straightforward for embedded operational technologies (OT) as found in industrial systems and also ships. Opportunities to patch systems safely are less frequent, and patches usually require certification by control system manufacturers. Reliance on older technologies is also a common characteristic of OT systems, for example, Windows XP did not even have a patch available until after WannaCry had struck.

The lesson learnt here is the key role played by systems manufacturers. Like the energy companies before them, several shipping operators will have been asking questions to find that not all systems manufacturers are as responsive to cybersecurity concerns as others. And if you haven’t yet established those supply chain cybersecurity relationships then now is the time to do so.

The opportunity to be proactive

The weaknesses in question were publicised in April and May of this year by the hacker group ‘Shadow Brokers’, allegedly leaked from a list held by the US National Security Agency. The two weaknesses we have heard about were not the only ones on that list, and there are a good number that accompany them.

Some companies, such as banks, are carrying out line by line review of the leaks to try and anticipate what other attacks may surface. This is something we should take an interest in and could be a very useful proactive activity for ship systems manufacturers. There is no guarantee that the next attacks will use the tools on the list, but pre-warned is pre-armed and so the more we understand about the potential vulnerabilities to our systems the better prepared we can be to deal with them.

I can see that the cybersecurity experiences from other industries can provide insights for the maritime industry. I am starting to collect these together so that I can share them after the summer.

Professor Paul Dorey will be presenting at the ‘Dispelling the myth – the reality of cyber security in the shipping industry’ Inmarsat event as part of London International Shipping Week 2017 on Wednesday 13 September 2017.