Cyber piracy threat analysis

Published on November 9, 2018

Author: yonghyunjo7



Cyber Piracy Threat Analysis

Yong-Hyun Jo*, Jun-Mo Kang**, Young-Kyun Cha***
*Graduate School of Information Security, Korea University

Summary

The marine industry comprises the shipbuilding, shipping and port industries. It is a significant area that plays a large part in national competitiveness. In 2017, the Maritime Safety Committee (MSC) of the International Maritime Organization (IMO) began to discuss maritime cyber security because of the increased threat from cyberspace targeting the marine industry. This article examines maritime cyber security cases and the trends in the cyber security guidelines of global maritime organizations, and considers what they mean.

I. Introduction

The oceans cover 70% of the earth, and the maritime industry carries more than 90% of international trade; the shipping market is estimated to grow from $720 billion in 2010 to $1.2 trillion in 2030. Korea's maritime industry was worth 217 trillion won as of 2016, and the total revenue of the shipping industry was 26 trillion won as of 2016, the seventh largest of the domestic industries. Since 2018 the government has announced plans for the development of the shipbuilding and shipping industries and is pushing ahead with strategies to build new ships and develop the shipping industry. Information and communication technologies are also being applied to the marine industry, so that the various navigation systems on ships are digitalized, and communication networks connect the devices on a ship to each other, ship to ship, and ship to port.

This change to a smart-ship environment based on ICT is driven by the implementation of laws and regulations; shippers' growing requirements for ship position, sailing information and analysis of fuel-use performance; the application of IT for the implementation of environmental regulations; the application of satellite communications to ships; personal e-mail for crew welfare and the popularization of shipboard networks for internet access; the networking of ships' engines and route-control devices; and IT-based ship management systems shared between ship owners, ships and operators.

Conventional pirates were armed groups that hijacked or seized vessels and cargo and kidnapped crews as hostages, then negotiated with shipping companies and governments over the cost of their release. More recently, the term "cyber pirate" has been used for people who illegally copy and distribute software in large quantities. However, as maritime industries such as shipping, shipbuilding and ports become IT-based, there have been cases of hacking, information leakage and cyber crime in which hackers and criminal organizations work together. In this article, such cyber attackers targeting the maritime industry are defined as cyber pirates.

In the maritime industry, the smuggling or concealment of explosives or weapons on ships or in ports was defined as the major threat under the law on the security of international sailing ships and port facilities, but with digitalization, cyber security issues such as hacking of ships and ports, malware infection and system disruption have come to the fore. According to 2016 survey data from the Baltic and International Maritime Council (BIMCO), one in five respondents said they had been victims of a cyber attack, and only 40 percent of respondents said they had taken preventive measures. To respond to maritime cyber security threats, ENISA classified the maritime sector as critical infrastructure along with ICS/SCADA, smart grid, finance and health. The IMO Maritime Safety Committee (MSC) proposed a plan for managing maritime cyber risks in response to the increased cyber security risk and decided to enforce it from January 1, 2021. This article analyzes the cyber security cases and the global security standards and guides for the maritime industry.

II. Maritime cyber security trends

2.1 Security issue cases

The maritime cyber security issues in [Table 1] are as follows.

Case No. 1: A Nigerian criminal organization that previously operated as an armed group in the waters of West Africa, hijacking vessels and kidnapping crews, worked with a hacking group, took over the personal information (user IDs and passwords) of officers and staff of maritime companies in Korea, Japan, Norway and elsewhere, and attempted business e-mail scams. This is a typical example of a traditional pirate becoming a cyber pirate by using cyber attack techniques.

Case No. 2: A Dutch shipping company's e-mail was found to have been forwarded to an external attacker for at least 11 months, leaking the sensitive personal information of about 500 Australian employees.

Cases No. 3 and 4: Data leaks or system outages at global shipping companies in the UK and Singapore caused by hacking.

Case No. 5: A serious vulnerability was found in a satellite communication system used on ships. It can be exploited to allow attackers to penetrate the vessel's satellite communication system and, from there, internal engine and operating equipment. The system has been in end-of-service (EoS) status since June 2017, so vessels equipped with it remain exposed until a patch is applied, and because a vessel's systems have a service life of 20 to 30 years, patching is difficult.

Case No. 6: In August 2017, a US Navy ship collided with an oil tanker in the Singapore Strait, killing 10 crew members. The media then raised the possibility of a cyber attack. Two months earlier, in June, an Aegis-equipped destroyer of the same US Seventh Fleet had collided with a Philippine container ship; accidents involving military vessels were happening one after another.

Case No. 7: According to the 2017 Safety and Shipping Review by Allianz, a global insurer, the impact of cyber security on vessel safety is expected to increase, citing North Korea's attack on the GPS systems of South Korean vessels in March 2016. [1]

Case No. 8: Through a vulnerability in accounting software used at the Ukrainian branch of Maersk Line, the world's largest shipping company, the NotPetya ransomware spread to branches and ports around the world. To prevent further damage, the entire IT system was forcibly shut down; restoring it took 3 months and covered 45,000 PCs and 2,500 applications. Maersk Line's estimated total damage was about 300 billion won. Having detected the infection and its spread at the very beginning, the company kept its customers from leaving by publishing the damage and restoration measures through Twitter and by its quick decision to force down the IT system.

Case No. 9: A German container vessel (8,250 TEU) was hacked and lost control for 10 hours. To restore the vessel to its original condition, it stopped sailing while the IT system was restored. Container vessels carry large quantities of cargo, so delays in cargo transportation and increased fuel costs cause economic losses.

Case No. 10: Personal information of US Navy personnel leaked through the laptop of an IT maintenance contractor, which led to a leak of navy information.

Case No. 11: In August 2016, a zero-day SQL injection vulnerability (CVE-2016-5817) was disclosed in the web-based Navis system of Cargotec (USA), which is used by the USA and 13 ports worldwide. This raised the issue of patch management in ship and port systems. [2]

Case No. 12: In 2016, 22,400 pages of submarine data, including stealth technology, leaked from a French defense company through a former navy officer.

Case No. 13: Pirates hijacked a global shipping company's vessel, took away only the containers loaded with a specific cargo, and escaped. An investigation of the shipping company's cargo management and bill of lading management systems found malicious code in the company's systems. The case is notable in that the pirates hired hackers to commit their crime through the shipping company's computer systems. It shows that the scope of a shipping company's security management system must be widely expanded to include cargo, vessels and the company's computer systems.

Case No. 14: A vulnerability was found in 2015 in the voyage data recorder (VDR), which serves the same function as an aircraft's black box. It was announced that VDR data could be remotely deleted and modified. Therefore, when investigating a vessel accident, the integrity of the digital evidence should be verified by checking whether the vulnerability has been patched and whether the VDR data has been remotely tampered with.

Case No. 15: World Fuel Services (WFS), a major marine refueling company that supplies fuel to vessels, suffered fraud losses of $18 million through an e-mail scam in October 2014. Business e-mail scams have continued steadily since then, and in April 2018 a concentrated attack targeting shipping companies was found. [3]

Case No. 16: Drug traffickers hired hackers to break into the control system of the Belgian port of Antwerp, identified the containers carrying cocaine and heroin, and took them out before the legitimate cargo owners arrived. The hackers infected the relevant PCs with a Trojan sent as an e-mail attachment and, after breaking into the office, plugged USB keyloggers into the PCs to capture passwords; that is, they combined an e-mail attack with physical entry into the office. [4]

Case No. 17: In 2012, a hacker hired by a criminal organization broke into the Australian customs and cargo system and identified which shipping containers (shipments) the customs authority suspected.

Case No. 18: In August 2011, a hacker broke into the servers of the Iranian shipping line and corrupted data on charges, cargo numbers, shipping dates and locations. [6]

[Table 1] Maritime cyber security cases

No. | Date    | Content
1   | 2018.04 | A Nigerian hacking group attacked shipping companies in Korea, Japan and Norway. Among these, the personal information of officers and staff of 3 Korean shipping companies was taken and used for BEC (business e-mail compromise)
2   | 2018.03 | A Dutch shipping company's e-mail was forwarded to an external attacker for at least 11 months through the automatic forwarding function; the sensitive personal information of about 500 Australian officers and staff was confirmed leaked
3   | 2017.12 | The computer systems of Singapore shipping company BW Group went offline due to hacking
4   | 2017.12 | Clarksons (UK) was threatened with data leakage after refusing to pay the amount demanded by hackers
5   | 2017.10 | A serious vulnerability was found in a satellite service company's related system
6   | 2017.08 | About 10 crew members were missing or killed in the collision of the US Navy ship John S. McCain. Some have since raised the possibility of a cyber attack or cyber interference
7   | 2017.08 | According to an insurance company's safety and shipping review, the impact of cyber security on ship safety is expected to increase
8   | 2017.06 | Maersk Line, the world's largest shipping company, reinstalled about 4,000 servers, 45,000 PCs and 2,500 applications after the NotPetya ransomware attack. The estimated total damage is approximately 300 billion won
9   | 2017.02 | The navigation system of a German-owned 8,250 TEU ship sailing from Cyprus to Djibouti was taken over by a hacker for 10 hours
10  | 2016.11 | Sensitive information, including the social security numbers of 134,386 Navy personnel, leaked through the hacking of an IT outsourcing contractor's laptop
11  | 2016.08 | A zero-day SQL injection vulnerability (CVE-2016-5817) was disclosed in the web-based Navis system of Cargotec (USA), which is used by the USA and 13 ports worldwide
12  | 2016    | 22,400 pages of submarine data, including stealth technology, leaked from a French defense company
13  | 2016.03 | Pirates hijacked a global shipping company's vessel, took away only the containers loaded with a specific cargo, and escaped. An investigation of the company's cargo management and bill of lading management systems found malicious code in its systems
14  | 2015    | A vulnerability was found in the VDR, the ship's black box; it allows data recorded in the VDR to be deleted or modified remotely
15  | 2014    | World Fuel Services (WFS), a major marine refueling company that supplies fuel to vessels, suffered fraud losses of $18 million through an e-mail scam
16  | 2013.10 | Drug traffickers hired hackers to break into the Belgian port control system, identified the containers carrying cocaine and heroin, and took them out before the legitimate cargo owners arrived. The hackers infected the relevant PCs with a Trojan e-mail attachment and, after breaking into the office, installed USB keyloggers to capture passwords
17  | 2012    | A hacker hired by a criminal organization broke into the Australian customs and cargo system and identified the shipping containers (shipments) the customs authority suspected
18  | 2011.08 | A hacker broke into the Iranian shipping line's servers and corrupted data on charges, cargo, cargo numbers, shipping dates and locations

This concept is similar to the internal management plan for personal information under Korea's Personal Information Protection Act: vessels must establish their own security plan and obtain government approval. After passing the government's security evaluation, the vessel must carry an International Ship Security Certificate (ISSC, valid for 5 years) while operating. Each vessel must permanently mark its unique identification number (IMO number) on its hull, but some nations and criminal groups delete or falsify this IMO number when transporting illegal weapons. A vessel without a security certificate faces problems such as refusal of docking and port embargo, and it is not allowed to sail internationally. Ports must appoint their own port security officers, establish security plans after conducting a port security evaluation, and obtain government approval.

2.3 Trends of the International Maritime Organization

IMO, an international organization established to deal with international issues related to shipping and shipbuilding, has warned that the spread of electronic and communication equipment in ship operation would lead to serious maritime safety problems such as hacking, information leakage and cyber terrorism. At MSC 94, the USA and Canada proposed enhancing cyber security across maritime areas including shipping logistics systems and maritime facilities on vessels and in ports. At MSC 95, the USA, Canada and others argued that it was urgent to develop integrated cyber security guidelines for ports, maritime facilities and equipment beyond ships, but the proposal submitted to MSC 96 covered only the ship cyber security guideline, reflecting the opinions of other countries at MSC 95. This guideline covers understanding cyber risk, the need for and purpose of cyber risk management, identification of risk management procedures, and a proposed list of activities that owners and operators should add to their risk and security management systems. MSC 98 adopted the guidelines on cyber security and made it mandatory for safety management systems to include maritime cyber risk management as of January 1, 2021; this applies to all organizations in the industry.

III. Maritime cyber security guidelines and guides

3.1 IMO

The IMO guidelines on maritime cyber risk management identify shipping and cargo management, passenger management, and engine and communication systems as the vulnerable systems of a ship. They present an efficient risk management framework with five functions: identify, protect, detect, respond and recover. This framework is NIST's Cybersecurity Framework. [7] For effective risk management, it is recommended to refer to the latest versions of all relevant guidelines and standards, such as BIMCO's guideline, ISO/IEC 27001 and the NIST Cybersecurity Framework.

3.2 BIMCO

Version 2.0 of the Guidelines on Cyber Security Onboard Ships was released in July 2017, following version 1.1. [8] In this version the guidance was made more specific, adding continuity planning after a cyber intrusion and consideration of the vessel's remote environment to the response and recovery planning chapter. The guide aims to provide essential guidance for cyber security management.

Chapter 1 covers cyber security and safety management. It defines maritime cyber security as protecting the people on board (passengers and crew), the cargo and the ship from unauthorized access, manipulation or disruption of operation, and loss of data. The major concerns are loss of integrity of the vessel's electronic chart display and information system (ECDIS), obstacles arising from the maintenance and patching of shipboard software, and corruption of the satellite navigation system through the loss or manipulation of critical sensors on the vessel.

Chapter 2 identifies the threats to maritime cyber security at the company, ship, operation and transaction levels, and suggests that the experience of other industries such as financial and public institutions offers examples of successful cyber attack mitigation. It also notes that company employees may be exposed to cyber attacks both at sea and on land.

Chapter 3 identifies the shipboard systems that can be exposed to vulnerabilities. These are the same as the ship systems presented by IMO in section 3.1 of this article, with the addition of the communication systems between ship and shore (the port, the vessel operating company or the shipping company), such as the engine performance monitoring system, the vessel maintenance system, the cargo and crew management system and the navigation management system, which are used to check and control sailing from land.

Chapter 4 covers risk assessment. It states that senior management is responsible for the risk assessment, and presents risk assessment guides and control items like those of K-ISMS and ISO 27001. For the assessment of impact, the CIA model [9] is used, and the maritime industry and ship environment must be considered: for example, sensitive information includes ship position, system status and readings, cargo details, authorizations and certificates. The ship's power management system includes a SCADA system responsible for power distribution and control for the entire ship; it is connected to the ship's communication system and is configured to be monitored from the company onshore.

Chapter 5 covers protection measures. They should be implemented under the responsibility of senior management for the risks identified by the risk assessment, and consist of procedures and guidelines that provide technical and administrative controls. In particular, when ships use satellite and wireless communication, the system and specifications of the satellite communication system must be considered as part of the protection measures, as must methods to prevent unauthorized access to the ship. The management interface of control software is mainly provided as a web-based user interface, and its protection must be considered from the time of installation on the ship.

Chapter 6 covers business continuity planning. For ships, the following must be considered: loss of availability or integrity of electronic navigation equipment; data loss; loss of availability or integrity of the global navigation satellite system (GNSS); loss of essential communications with shore; disruption of the Global Maritime Distress and Safety System (GMDSS); loss of availability of industrial control systems, including the ship's propulsion and auxiliary systems; loss of integrity of other data management and control systems; and ransomware or denial of service (DoS).

Chapter 7 covers the incident response plan. For example, a recovery plan, an incident response plan and an investigation plan must be established for the case where the electronic chart display and information system (ECDIS) is infected with malicious code.

IV. Conclusion

In this article, cyber attackers targeting maritime industries such as shipbuilding, shipping companies and ports were defined as cyber pirates, and the cases of damage they caused were examined. The maritime industry is composed of ships, ports, support facilities, companies (ship owners and ship operators), shippers (customers) and so on. When such a system is exposed to cyber attack, it can cause damage to ships, cargo and passengers' property and endanger their lives. As a result, the relevant international organizations resolved to establish cyber security management systems for the maritime industry. In September 2017 the UK Department for Transport published a code of practice (Cyber Security for Ships) for countering cyber threats in the maritime industry (ship operators, ship owners, crew, etc.). [10] These moves are expected to have a direct impact on the Korean maritime industry. Maritime cyber security research is essential for safe shipbuilding and shipping.

[References]
[1] Allianz Global Corporate & Specialty, Safety and Shipping Review 2017, Aug. 2017
[2] SA-16-231-01
[3] 670152-wfs-in-court-over-18m-bunker-scam-claim
[4] cle/bmjgk8/how-traffickers-hack-shipping-containers-to-move-drugs
[5] e-cyber-security/8796/
[6] 03/security/defeating-21st-century-pirates-the-maritime-industry-and-cyberattacks.html
[7] NIST, Cybersecurity Framework, April 2018
[8] BIMCO, The Guidelines on Cyber Security Onboard Ships, version 2.0, ses/20170705_cyber-g
[9] NIST, Standards for Security Categorization of Federal Information and Information Systems (FIPS 199), Feb. 2004
[10] UK Department for Transport, Ship Security: Cyber Security Code of Practice, Sep. 2017
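The auto-forwarding abuse in Case No. 2 (an external forward that ran undetected for 11 months) and the credential-driven business e-mail scams in Cases No. 1 and 15 share one inexpensive control: periodically audit every mailbox rule that forwards mail outside the organization. The Python script below is an added example by the editor and is not code from the original article or from any mail vendor's tooling. The rule records, the internal domain (example-shipping.com), the generic record layout, the rule-name heuristic and the 90-day "long-lived" threshold are all constructed assumptions; a real audit would load rules from the mail platform's own export.

```python
"""Audit mailbox auto-forwarding rules for forwards to external addresses.

Added example for Case No. 2 of the article; not code from the article or from
any mail system. Rule records below are constructed sample data in a generic
shape; a real audit would load them from the mail platform's rule export.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class ForwardingRule:
    mailbox: str                        # owner of the rule
    name: str                           # rule name as shown to the user
    forward_to: List[str]               # destination addresses
    enabled: bool = True
    delete_after_forward: bool = False  # owner never sees the forwarded mail
    age_days: int = 0                   # days since the rule was created


# Constructed: domains that count as "inside" the company (subdomains included).
INTERNAL_DOMAINS: Set[str] = {"example-shipping.com"}

# Constructed sample export. The second rule mirrors Case No. 2: a silent
# forward to a webmail address that has been in place for most of a year.
SAMPLE_RULES: List[ForwardingRule] = [
    ForwardingRule("master.vessel01@example-shipping.com", "Copy to ops",
                   ["ops@fleet.example-shipping.com"], age_days=400),
    ForwardingRule("crewing@example-shipping.com", ".",
                   ["crewing.backup@webmail-example.net"],
                   delete_after_forward=True, age_days=330),
    ForwardingRule("finance@example-shipping.com", "Archive invoices",
                   ["archive@example-shipping.com",
                    "fin.archive@example-invoices.com"], age_days=12),
    ForwardingRule("hr@example-shipping.com", "Old forward",
                   ["me@webmail-example.net"], enabled=False, age_days=900),
]

LONG_LIVED_DAYS = 90  # assumed threshold: older forwards deserve a second look


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def is_external(address: str, internal_domains: Iterable[str]) -> bool:
    """True unless the address is in an internal domain or one of its subdomains.

    Suffix matching is anchored on a dot so that example-shipping.com.evil.net
    is not mistaken for an internal domain.
    """
    domain = domain_of(address)
    return not any(domain == d or domain.endswith("." + d) for d in internal_domains)


def audit_forwarding(rules: Iterable[ForwardingRule],
                     internal_domains: Iterable[str]) -> List[Dict[str, object]]:
    """Return one finding per enabled rule that forwards to an external address.

    Severity is "high" when the forwarded copy is hidden from the mailbox owner
    (delete_after_forward) or the rule has a blank or one-character name, since
    both are typical of attacker-created rules; otherwise "medium". Findings are
    ordered high severity first, then by mailbox.
    """
    internal = {d.lower() for d in internal_domains}
    findings: List[Dict[str, object]] = []
    for rule in rules:
        if not rule.enabled:
            continue
        external = [a for a in rule.forward_to if is_external(a, internal)]
        if not external:
            continue
        suspicious_name = len(rule.name.strip()) <= 1
        severity = "high" if (rule.delete_after_forward or suspicious_name) else "medium"
        findings.append({
            "mailbox": rule.mailbox,
            "rule": rule.name,
            "external_targets": external,
            "severity": severity,
            "long_lived": rule.age_days > LONG_LIVED_DAYS,
        })
    findings.sort(key=lambda f: (f["severity"] != "high", f["mailbox"]))
    return findings


if __name__ == "__main__":
    for f in audit_forwarding(SAMPLE_RULES, INTERNAL_DOMAINS):
        print(f"[{f['severity'].upper()}] {f['mailbox']} rule '{f['rule']}' -> "
              f"{', '.join(f['external_targets'])}"
              + (" (long-lived)" if f["long_lived"] else ""))
```

On the sample data the script reports the crewing mailbox as high severity (hidden copy, one-character rule name, 330 days old) and the finance mailbox as medium (one of two targets is external), while ignoring the internal-only forward and the disabled rule. The domain check is deliberately suffix-anchored on a dot; a bare `endswith("example-shipping.com")` would let an attacker-registered look-alike domain pass as internal.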

