Compulsory Cyber Security threatening shipping. More than hackers.

Shipping has to brace itself for a Cyber Security Threat, in the form of new conventions, regulations, checks and inevitable spending, as if there weren’t more than enough spending already. That is to say, I consider the threat of compulsory Cyber Security much more valid and substantial than the rather obscure threat of hacking.
There was recently a spree of news related to Cyber Security risks, and after that, a spree of news and analysis debunking those Cyber Threat fairy tales.
I counted five stories; maybe I missed some others. Among them, three are outstanding in their stunning stupidity and profound illiteracy:

News of a container ship taken under control by perpetrators, who hacked its navigational systems and tried to take the ship to a spot where, probably, pirates were waiting for it (!!!)
https://www.asket.co.uk/single-post/2017/11/26/Hackers-took-full-control-of-container-ships-navigation-systems-for-10-hours-AsketOperations-AsketBroker-ELouisv-IHS4SafetyAtSea-TanyaBlake-cybersecurity-piracy-shipping

News on the possibility of sinking container ships by hacking into loading systems
https://www.pentestpartners.com/security-blog/sinking-container-ships-by-hacking-load-plan-software/

News on the possibility of sinking bulk carriers by hacking into loading systems
https://www.pentestpartners.com/security-blog/sinking-bulk-carrier-ships-by-hacking-hsms/

All three stories were debunked by industry media, in detail and with a good touch of irritation and indignation, caused by the blatantly fear-mongering nature of those fantasies and the barely disguised newsjacking.
https://theloadstar.co.uk/blog-alert-ease-cyber-attacks-ships-pure-scaremongering/
http://www.seatrade-maritime.com/news/europe/warning-that-hackers-could-sink-a-bulk-carrier-but-why-would-they.html
http://splash247.com/fear-fake-news-cyber-hype/

The mechanism of those fantasies’ creation is as clear as a bar stool – it’s a pure Hollywood scenario, where a screenwriter is tasked with creating a techno-thriller story based on some basically real facts and the theoretical possibility of a disaster, if all the factors involved contribute to it in unison. Practically speaking, the chance of such an event is near zero, but let’s imagine it happened; that’s what a thriller is all about, right?

News on hacked loading risks was generated by something called Pen Test Partners, a company registered in the UK and doing – well, it’s not exactly clear what they’re doing; they’re “testing”. If they’re testing others’ problems with as much creativity as was applied to creating their news, one sure way to stay out of possible trouble is to stay away from their services.
That fantastic crap about hacking and hijacking a container ship originated from Fairplay; the article in full is for subscribers only, but it was obtained somehow and jubilantly reposted, with many fear-mongering comments, by many media, including industry media.
British company ASKET is the most enthusiastic disseminator of all fear-mongering cyber security related news, proclaiming itself, on each such occasion, as “Worlds leading independent security brokerage”. The message is clear – it’s very dangerous out there, guys, but it may be safer than a kindergarten if you contract the world’s leading security brokerage.

There were two other news stories concerning cyber security – both were widely spread and received a lot of major media coverage. I refer to the hacker (or so claimed) attacks which hit Maersk and Clarkson. Why do I express some kind of doubt?
I don’t have any doubt that something badly affected the businesses of both Maersk and Clarkson; I just have some doubts about the cause of it.
Clarkson itself mentioned that the unauthorized access was gained via a single and isolated user account which has now been disabled – so maybe, after all, there wasn’t any real hacker around, and the stolen data incident was caused by inside problems.

As for the Maersk story, I’m skeptical because Maersk, thanks to its enormous size, is, according to mathematics, in a constant state of barely controllable chaos. The bigger the company, or any other institution, the less controllable it is; it’s a physical law. It may be some inside computer glitch which led to a major intranet crash. Why not invent a face-saving story about a hacker attack? It’s better than admitting inside instability, or constant near-chaos status. After all the information I received from minor shippers while monitoring a major container ship fire several years back, plus information from stevedoring companies with regard to unreported fires in containers, I don’t believe anything those shipping majors say or do. I believe, though, that there’s nothing to stop them from hiding the truth or twisting it, or telling lies, if their reputation is at stake.
Nevertheless, those Maersk and Clarkson stories played right into the hands of cyber security “experts”.

Now to the most important thing, as I see it. Critics who debunk those fakes say, or hint, that fake news and fear-mongering are all about self-advertisement, or newsjacking. Yes, of course, there’s undisguised newsjacking, but is it the whole story, or part of it? I believe it’s only part of it. All that fake news and the numerous “analysis” materials, and their massive coverage by all media, including major media, resemble the bombardment of enemy lines before the call for a general advance. Industry media itself, in numerous cyber security articles, hints at what lies ahead. Go to any major industry outlet, search for “cyber security”, and you’ll be lost in an abundance of cyber security “analysis” materials. There’s no point in reading them in full, they’re useless for any practical or knowledgeable purpose, while just several extracts are enough to get the main idea:

There are numerous industry studies that point to an overall deficit of one to two million cyber security professionals across all industries. Many industry observers believe that the maritime industry is at least five to seven years behind the cyber security level of the financial services sector and up to a decade behind the energy sector.

There are increasing pressures to have a properly certified cyber security professional officer on highly automated ships. There are also calls to implement a “cyber hygiene” training program as part of the STCW certification process.

Emma Biggs, business director at security brokerage firm ASKET, warned of cyber companies targeting the maritime sector and offering protection that may not be best suited to a fleet. ASKET has begun offering a brokerage service to shipowners, based on its model for private maritime security companies.

Now it’s all clear. Cyber Security is to become compulsory, and new conventions, laws and regulations will see to it. All a shipowner has to do, to make himself safe from those malicious and omnipresent hackers, is to pay everywhere around, to comply with new rules.
Will shipping be safe from Cyber threats when security becomes compulsory? No way, and if anything, the risks will be bigger or, to be exact, they’ll arise out of nowhere; Cyber Security providers will see to it. Take, for example, navigational cyber-related risks. A shipowner can eliminate all those risks for his fleet, once and for all, simply by making the paper chart primary and ENS secondary, and obliging his officers on deck to obtain the ship’s position, at least twice during their watch, by means other than GPS and ENS. If it’s coastal waters, oblige them to obtain position by good old radar distances and bearings; if it’s on the high seas, let it be just dead reckoning, simply to make sure that the officer doesn’t lose contact with reality. That’s all one needs to make his ships safe from electronic glitches or perpetrators.

I have no doubt at all that the new regulations will soon be invented and put into force. Shipping will inevitably become more risky, much more technically complicated, and more costly, but that’s the point. Today’s trend is to look for, invent and enforce the most costly and, more often than not, absolutely unnecessary ways to fight problems. More often than not, the problems themselves are either fictitious or highly inflated. So what we witness now is the unfolding of a new fear-mongering campaign, as a prelude to oncoming regulations.

There are other risks inherent in the general idea of providing Cyber Security Safety in accordance with “experts” advice and guidelines. One will have to trust a Cyber Security provider (officer, specialist, team or third party – whatever) with his innermost secrets. How trustworthy will those guys be if, from the very beginning of all that Cyber Security fuss, their major practice is fear-mongering, in the form of fake news and very poor analysis?

Voytenko Mikhail
December 26, 2017

Author

My name is Mikhail Voytenko. I’m Russian, a professional merchant marine navigator by education and former experience. I have owned and run the Maritime Bulletin website for more than 10 years. I've been involved in solving a number of piracy hijack cases, including the hijack of ro-ro FAINA, loaded with tanks. It was me who made public, and unraveled, the freighter ARCTIC SEA mystery. I've also been closely involved in a number of maritime disasters, one of them being the MSC FLAMINIA major fire.