Feature: Maritime cyber security – best practices and lessons learnt


In this feature we look at a seminar on the maritime cyber security domain, an overview of the International Maritime Organisation’s cyber security doctrine and probably the greatest story of a shipping company overcoming a major cyber attack.

At the core of global trade, maritime traffic plays a key role in economic, political, and cultural spheres. Maritime ports are the connectors and interface of this trade and, amid COVID-19, security and sustainability in the maritime sector are major factors for long-term growth and development. Given the enormous amounts of trade via Africa’s oceans (around 90% of Africa’s trade) and the negative impact COVID-19 has had on African economies, the security and efficiency of shipping and maritime trading are even more crucial.

How cyber aware or sea blind is Africa’s maritime domain? The Institute for Security Studies Africa (ISS Africa) held an online seminar, hosted by Timothy Walker, to discuss just that. The first speaker was Denys Reva, a research officer at the ISS, who discussed his key findings in a report on maritime cyber security with a focus on Africa.

“Africa needs to catch up”

Reva opened his presentation by saying, “From our research, we can see that at this point in time, maritime cyber security has not received enough attention from Africa.” In the age of digitalization, cyber security becomes increasingly important as the maritime sector looks to such technologies to raise efficiency and profits. Naturally, as operations become more digitized, so too does the opportunity for cyber threats, as Reva notes that cyber attacks are posing a greater threat to maritime security around the world. Maritime cyber defence company Naval Dome suggests that cyber-attacks in the maritime domain increased from 50 in 2017 to 310 in 2019, with 2020 seeing a 400% increase in the number of incidents.

An example of efforts to combat cyber threats came in 2018 when Singapore opened a 24/7 cyber security operations centre to respond to potential cyber-attacks on critical maritime infrastructure. In 2019, the Australian government proposed a law that would allow federal government agencies to take direct action against cyber attacks on critical infrastructure, including maritime ports. These trends show that the issue of maritime cyber security is being treated with increasing seriousness around the world.

Attacks on logistic hubs, such as sea ports, can quickly disrupt a supply chain network, with tremendous financial damages extending beyond the attack itself. In 2017, the ransomware cyber attack by Russia against Ukraine caused major damage to companies around the world, including Maersk, a Danish shipping company. Reva notes that although most maritime cyber attacks consist of phishing emails targeting companies’ personal data, the interconnected nature of cyber threats, as seen in 2017, cannot be ignored. For African states, cyber-attacks such as these have devastating effects on trade, easily affecting fragile democracies and worsening already struggling socio-economic climates.

The cyber space is increasingly being used by competing powerhouse states such as China, Russia, and the United States. African states need to be aware of the increasing use of the cyber space as well as the technologies that disrupt, attack, and defend it in a world that is heading further into online connectivity.

Cyber security cannot be achieved in isolation. Reva recommends a holistic and cooperative approach. For example, empirical evidence shows that cross-border cooperation and standardization of regulations across regions allow for increased efficiency and efficacy in managing immigration. Building on this, information sharing between government and the private sector is crucial to developing a complete cyber security environment.

The last point of Reva’s presentation is that African states are not yet dedicating enough resources to current and future cyber security threats. The risks in cyber space are recognized by the African Union (AU), which in 2014 adopted a convention on cyber security and personal data protection (the Malabo Convention). “However, six years since the Malabo Convention, only 16 countries have signed it and eight have ratified it, which is a good indicator of the current level of commitment,” said Reva. In 2018, the AU executive council made cyber security one of the flagship projects of Agenda 63. A recent progress report on Agenda 63 noted that most African states are still in the first stages of developing their cyber strategies and drafting and adopting cyber laws. This trend also extends to the protection of critical African maritime infrastructure.

Reva concluded in saying, “African countries need to catch up with global awareness and mitigation efforts and the AU has a central and significant role to play in that regard.”

The IMO is there to help

The second speaker, Mourad Ghorbel, a maritime and port security expert working for the International Maritime Organisation (IMO), gave an overview of the IMO framework for maritime cyber security awareness. Mourad opened by saying there is no perfect security. IMO’s goal for maritime security is risk management, not risk elimination. The aim is to make access to a cyber attack’s target extremely difficult, to put measures in place that fortify ships and ports, to ensure that attempts are isolated, and, if an attempt is made, to minimize the damage.

As ships become more digitized with information and operational technology playing important roles, the opportunity for cyber attacks increases. Since 1993, the IMO has had the International Safety Management code (ISM) (chapter nine) and more recently in 2002, the International Ship and Port Security (ISPS) code. Both address cyber security and additionally, the IMO adopted guidelines in 2017 which directly address maritime cyber risk management.

Effective cyber risk management, according to Mourad, and set out in the 2017 guidelines, involves the process of identifying, protecting, detecting, recovering, and responding to cyber threats.

Mourad’s presentation did not address cyber security as an isolated issue but integrated it into IMO’s safety procedure framework.

The Maersk attack

Glenn Rittereiser, Cyber Security Officer for Maersk in the Europe, Americas, and Africa region, spoke about how the 2017 cyber attack on Ukraine affected Maersk and the resilience that shipping companies are capable of.

Rittereiser gave an idea of just how massive the operations of shipping companies such as Maersk can be. Maersk is a global integrator of container logistics with a presence in over 130 countries. Their information technology (IT) sites are spread out over 600 locations globally as they move around one fifth of world trade and a quarter of the world’s fresh food. Maersk operates over 700 ships, 78 ports and terminals with inland, road, freight, and shipping services. At any one time, Maersk must track 4 million containers around the world and in June 2017, they lost all visibility.

Their corporate headquarters in Copenhagen, Denmark, was completely taken down. They lost all IT, telephones, and all contacts on mobile devices. Six of the nine businesses were on separate networks, allowing their operations to continue. All three of their shipping businesses had to shut down as a precautionary measure, because those businesses have a global interface with partners and other businesses. A corporate crisis team was convened to contain the cyber attack.

NotPetya is a combination of different elements of malware that came together as a zero-day exploit. A zero-day exploit targets a vulnerability that is not yet publicly known and for which no protection has been developed; such exploits are typically used by states to conduct cyber warfare. NotPetya was released to attack the Ukrainian government economically by affecting tax receipts. The attack was timed for the day before Ukrainian Constitution Day, 26 June 2017, to cause maximum political and economic damage. Banks, government ministries, newspapers, and energy firms were all impacted. At the time, 95% of companies operating in Ukraine used MeDocs as their financial software. The software would update every four to six weeks, and after a software developer at MeDocs was compromised, this left a back door through which the cyber attack spread via a June 2017 MeDocs software update. An independent analysis confirmed that at Maersk the virus overcame all Windows and antimalware defences, spreading vertically and horizontally across the company and activating its payload one hour later. The only devices that escaped the infection were those off the network. The infection rate of on-network devices was 100%, regardless of patching, operating system, or up-to-date antivirus software. Maersk lost 55 000 devices globally, including 6 000 servers, in 17 minutes.

“The damage was extensive; no data had been stolen, but the access to the data was destroyed, including any ability to reindex data from a backup. Because NotPetya was a zero-day exploit, the Maersk Chief Technology Information Officer (CTIO) knew that no help from any operating system would be available for nine to ten days.” The decision was then to reverse engineer the virus and securely rebuild the company’s digital services from the bare minimum. Together with IT partners and cyber security companies, Maersk was able to accept orders from customers the following day, and 95% of ships reached their respective destinations.

Between days one and three, forensics was conducted, a new operating system was built, and they recovered their network image. From days four to nine, 2 000 laptops were built, their network was rebuilt, and they re-enabled their top six apps. From day nine onwards, all apps were restored; within four weeks all laptops were restored. It took about 9 000 people working 20 hours a day to overcome the disruption.

Deloitte financial forensics were brought in to reverse engineer the virus and understand how it worked, and 200 consultants were flown in overnight from IBM, Microsoft, and McAfee to assist with the recovery. The incident led to a three-year investment of over $200 million in cyber security. A second quarter report for 2017 estimated that Maersk, in the third quarter of their fiscal year, lost between 200 and 300 million US dollars due to the temporary loss of revenue as well as the cost of investments and developing IT. Further estimates put the figure at 350 million dollars, but Rittereiser mentioned that it was hard to quantify.

Rittereiser added that Maersk’s openness helped tremendously, which extended to customers trusting them and lending cyber security experts to the shipping company at a time when cyber security experts were a rare commodity.

Rittereiser concluded by saying that there were four key elements to the company’s recovery. The first was the crisis management culture that comes from the shipping business in general, and the second was the ability to draw on expertise from vendors, suppliers, customers and national authorities, brought about by the trust generated from Maersk’s transparency. The third was human resilience, and the fourth was an element of good luck to balance the bad.

“In line with best practices at the time, we had 147 online backups of our network, distributed around the globe. 146 of them were destroyed; one survived. This is a hard drive that survived a power outage in Lagos, Nigeria. It was hand carried and flown to Copenhagen, and on it we rebuilt our entire global network.”
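The backup story above is the practical lesson of the whole account: every copy reachable from the production network was destroyed, and recovery depended on the single copy that happened to be isolated. The following Python is an added example, not Maersk's or the ISS's own tooling, that checks a backup inventory against an assumed policy (at least two copies that a network-wide wiper cannot reach, in two regions); the site names and the policy thresholds are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    site: str
    region: str
    network_reachable: bool  # mounted from / joined to the production network
    immutable: bool          # write-once storage an on-network wiper cannot overwrite


def survivors_after_wiper(copies):
    """Copies a wiper that spreads across the production network cannot destroy:
    anything it cannot reach, plus reachable copies held on immutable storage."""
    return [c for c in copies if not c.network_reachable or c.immutable]


def policy_findings(copies, min_isolated=2, min_regions=2):
    """Evaluate an inventory against an assumed isolation policy (constructed here,
    not an IMO or Maersk requirement): at least `min_isolated` copies must survive a
    network-wide wiper, spread over at least `min_regions` regions.
    Returns a list of findings; an empty list means the inventory passes."""
    findings = []
    survivors = survivors_after_wiper(copies)
    if len(survivors) < min_isolated:
        findings.append(
            f"only {len(survivors)} of {len(copies)} copies would survive a "
            f"network-wide wiper (policy requires {min_isolated})")
    regions = {c.region for c in survivors}
    if len(regions) < min_regions:
        findings.append(
            f"surviving copies cover {len(regions)} region(s) "
            f"(policy requires {min_regions})")
    return findings


# Constructed inventory loosely modelled on the account above: every copy is
# online except one site that happened to be powered down when the wiper ran.
INVENTORY = [
    BackupCopy("copenhagen-dc1", "EU", True, False),
    BackupCopy("rotterdam-dc2", "EU", True, False),
    BackupCopy("newark-dc1", "AMER", True, False),
    BackupCopy("singapore-dc1", "APAC", True, False),
    BackupCopy("lagos-dc1", "AFR", False, False),  # offline during the outbreak
]

if __name__ == "__main__":
    for c in survivors_after_wiper(INVENTORY):
        print("survives:", c.site)
    for finding in policy_findings(INVENTORY):
        print("FINDING:", finding)
```

Adding a single immutable copy to the constructed inventory is enough to clear both findings, which is the point: "146 of 147 online" is one surviving copy by luck, not by design.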