In a statement on its website IMB says that “Recent events have shown that systems managing the movement of goods need to be strengthened against the threat of cyber-attacks.”
“It is vital that lessons learnt from other industrial sectors are applied quickly to close down cyber vulnerabilities in shipping and the supply chain.”
The Bureau notes that the threat of cyber-attacks in maritime has grown, with cyber security experts highlighting the dangers posed by criminals targeting carriers, ports, terminals and other transport operators, while the growing sophistication of the IT systems used in shipping has introduced new vulnerabilities.
The statement also references a speech recently given at the TOC Container Supply Chain Europe conference in London by the TT Club’s insurance claims expert Mike Yarwood, who said, “We see incidents which at first appear to be a petty break-in at office facilities. The damage appears minimal – nothing is physically removed.”
“More thorough post incident investigations however reveal that the ‘thieves’ were actually installing spyware within the operator’s IT network.”
IMB says that Mr Yarwood also spoke about a new trend whereby individual workers' personal devices were being targeted, to gather data on routing patterns and to extract information such as release codes for containers from terminal facilities or passwords to discover delivery instructions.
“In instances discovered to date, there has been an apparent focus on specific individual containers in attempts to track the units through the supply chain to the destination port,” said Mr Yarwood.
“Such systematic tracking is coupled with compromising the terminal’s IT systems to gain access to, or generate release codes for specific containers. Criminals are known to have targeted containers with illegal drugs in this way; however such methods also have greater scope in facilitating high value cargo thefts and human trafficking.”
IMB also notes that accounting firm KPMG has added its voice to the debate, warning that hackers are the new open sea pirates, and cites Wil Rockall, a director in the organisation’s cyber security team.
Mr Rockall says that the cyber security of maritime control systems is controlled by engineers and not chief information security officers (CISOs) or chief information officers (CIOs), and that as a result these systems are lacking security controls and are vulnerable to hackers.
“Most ports and terminals are managed by industrial control systems which have, until very recently, been left out of the CIO’s scope. Historically, this security has not been managed by company CISOs and maritime control systems are very similar,” he said.
“As a consequence, the improvements that many companies have made to their corporate cyber security to address the change in the threat landscape over the past three to five years have not been replicated in these environments. Instead engineers have often been left to implement and manage these systems – people who focus normally on optimising process efficiency and safety, not cyber and security risks. It has meant that many companies and their clients are sailing into uncharted waters when they come to try and manage these risks.”
“We have found that one of the main blockers in improving this is a real translation problem when corporate IT security teams attempt to impose their standards on industrial control systems or maritime control systems. KPMG’s work with the operator of one of the largest fleets of crude oil and oil products tankers and liquefied natural gas carriers in the world found that bridging that gap and coming up with pragmatic solutions to improve industrial control systems security without compromising process efficiency or safety are vital to the success of industrial control systems cyber risk management.”