Taking a Bite Out of Cybercrime
For many, the words “cybersecurity” and “cybercrime” call to mind a shadowy world of high-profile criminals and “hacktivists” gaining wealth and fame while influencing world politics. Names like Guccifer and Anonymous sound like names from a comic book and indeed, members of the latter group wear masks from a popular series of graphic novels when they appear in public.
However, the daily reality is much less glamorous, and in many cases, even more costly and harmful than these infamous exceptions. A 2018 joint report between computer security company McAfee and the nonprofit Center for Strategic and International Studies (CSIS) determined that the cost of cybercrime worldwide is just over $600 billion USD per year, or 0.8% of world GDP. Less conservative estimates have placed this number much higher, with underreporting of cybercrime by victims as well as poor government data collection among the reasons.
MORE TECH NEWS: The Future of Exoskeleton Standards
One of the defining characteristics of cybercrime is that it is conducted at scale. One internet provider cited by McAfee/CSIS reported 80 billion malicious data scans per day, while the U.S. Federal Bureau of Investigation reported an average of 4,000 daily ransomware attacks perpetrated in 2016 alone, many of which inflicted severe damage to worldwide commerce.
At the forefront of the global effort to combat cybercrime and strengthen cybersecurity is ASTM International’s committee on ships and marine technology (F25) and its subcommittee on computer applications (F25.05). At first glance, this may seem like an unlikely home for such an effort. However, with 90% of the world’s goods transported by sea, according to the U.N.’s International Maritime Organization (IMO), this committee is in fact a logical fit. And with today’s oceangoing vessels becoming more technologically advanced and relying more heavily on computerized systems for navigation, propulsion, and communication, the threat to these vessels from cyberattacks has grown exponentially.
The subcommittee on computer applications has published one cyber-related standard: the guide for cybersecurity and cyberattack mitigation (F3286). Now the subcommittee has a second, more targeted standard on the way: the guide for inclusion of cyber risks into maritime safety management systems (WK67401).
“Nowadays, as ships become more complicated, systems become more automated, the possibility that a bad actor can get in there and start messing with things is more likely,” says Robert Sheen, vice president of operations with Ocean Shipholdings Inc. and a member of the computer applications subcommittee. “The reason is connectivity.”
There are numerous reasons cybercriminals hack the onboard systems of seagoing vessels. Commercial espionage or intelligence is one. A state military operation aimed at harming another state is another. And the threat of terrorism is ever-present in today’s world. But the targeting of commercial shipping vessels with piracy and ransom for monetary gain is the most common — and most profitable for the perpetrators. From cargo vessels to oil tankers, the stakes are high.
“There are a lot of dollars flowing on these vessels. And there are a lot of dollars tied up in these shipping companies,” says Todd Ripley, chair of the F25 committee and a general engineer with the U.S. Maritime Administration, part of the U.S. Department of Transportation. “So they’re ripe targets.”
Attacks on those targets are becoming more frequent and more sophisticated, prompting the U.S. Coast Guard to issue a grim warning in July following a cyberattack on a large freight vessel inbound to the Port of New York and New Jersey: “With engines that are controlled by mouse clicks, and growing reliance on electronic charting and navigation systems, protecting these systems with proper cybersecurity measures is as essential as controlling physical access to the ship or performing routine maintenance on traditional machinery.”
With 90% of the world's goods transported by sea, maritime cybersecurity has become a critical issue.
Many may wonder who the “bad actors” perpetrating such acts would be. These are sophisticated operations, requiring greater resources and manpower than a single individual would have. Organized criminal enterprise — the “pirates” and “warlords” depicted in pop culture — are most often the perpetrators.
“One Southeast Asian nation was really bad for this,” says Sheen. “We found out that some of the freight forwarders’ and cargo consolidators’ systems had been hacked. And people were getting in [to the computer systems] and finding out not only what types of cargo were on the ships but exactly where it was stowed.”
This made the mission of these pirates one of boarding, unloading, and escaping into the night. Their operations became surgical strikes rather than haphazard ambushes.
However, while intentional attacks from outside actors are dangerous and often costly, it turns out that one of the most common forms of cyberattack comes from an unusual source: the ship itself.
“We’ve had some examples of crew plugging flash drives into USB ports, and there’s a virus on there,” says Ripley. “So it disables all the bridge equipment, and that might not be an intentional attack, but it affects operations and safety.”
According to Ripley, similar examples of unintentional attacks have come from third parties such as technical staff doing repairs or maintenance. “They plug in a computer that hasn’t been properly maintained and introduce errors into the power equipment or engine room,” he says. “The [attacks] that are unintentional are more prevalent, and by doing some cyber-hygiene and cyber-maintenance, we can protect ourselves.”
Preventing an Attack
Protecting onboard computer systems from attack — both intentional and unintentional — is exactly what the computer applications subcommittee plans to do with its newest proposed standard, which follows on the heels of the F3286 guide for cybersecurity and cyberattack mitigation, published in 2017. Ripley calls the F3286 guide a good first step as it addresses the need for cybersecurity and provides general recommendations: “The first [standard] was more of a top-level thing, covering the overall topic; an umbrella piece for protecting yourself. Now, the follow-up standard will be more specific.”
Geared toward safety management systems (SMSs), the proposed guide is intended to be incorporated into the IMO’s International Safety Management (ISM) Code, an international standard for the safe management and operation of ships, Ripley says. In order for any vessel worldwide to comply with the ISM Code and receive a safety management certificate (SMC) and document of compliance (DOC) allowing it to operate on the high seas, it must have an approved SMS. Covering everything from the documentation of crew injuries to operating procedures in bad weather, a ship’s SMS helps ensure its safe and efficient operation. However, to this point, the ISM Code has not required an SMS to include cybersecurity.
Sheen says the original drafters of the ISM Code had no idea of the dangers that cyberattacks would someday pose. “It [the ISM Code] never addressed things like cybersecurity because in the early 1990s when it was first developed, nobody even thought about that.”
The IMO is thinking about it now, however, adopting a resolution in 2017 mandating that in order to receive a DOC, every organization operating ocean-going vessels must include a cybersecurity system in each SMS by Jan. 1, 2021.
And rather than providing a top-level overview, the guide proposed by the computer applications subcommittee provides many of the specific details mentioned by Ripley. “Do you have version control on your software? Do you know where all the access points are for your computer equipment? Where can people plug in thumb drives? Are your people being trained in cyber issues? Things like that.”
Taking the Lead
Two factors make ASTM International the ideal organization to lead the development of maritime cybersecurity standards, notes Sheen. One is ASTM’s general reputation as a respected developer of standards, but the other is ASTM’s unique position in the world of maritime regulations.
“In the first place, ASTM really is a recognized organization that is known for establishing standards across all industries,” says Sheen, before moving on to the second factor. “Even [U.S.] Coast Guard regulations refer to ASTM standards and guides. So ASTM’s expertise already exists in regulations. Leveraging that to get a guide that’s from an organization that’s known for the development of standards brings credibility to what we’re trying to do.”
Ripley agrees. “Within the ASTM environment, we can bring everyone in and all considerations are addressed from the government and commercial sides. And that brings a lot of power to it.”
With a recent report from U.S. software company SentinelOne indicating that 45% of U.S. companies that had undergone a cyberattack had paid a ransom to have files unlocked in 2017 — at an average cost of nearly $1M — the need to protect onboard computer systems and stop these attacks before they begin is an urgent one. And the standards being developed by the F25 committee on ships and marine technology will go a long way toward preventing the next cyberattack for ransom.
“What we have to look at is prevention,” says Sheen. “That’s what this whole cybersecurity issue is about.”