Slashdot Mirror

← Back to Stories (view on slashdot.org)

EU Shipping Sector Cyber Security Awareness "Non-Existent"

Posted by samzenpus on from the do-we-have-a-password? dept.

twoheadedboy writes "The European maritime sector has next to no idea about cyber security, according to a report released by the European Network and Information Security Agency (ENISA). The shipping industry, which carried 52 per cent of goods traffic in Europe in 2010, has 'currently low to non-existent' awareness of cyber security needs and challenges, the report said. ENISA claimed the lack of understanding was evident at every layer of the industry, from government bodies to port authorities and maritime companies."

55 comments

  1. More specifically? by sidthegeek · · Score: 2, Interesting

    Is it that they didn't know, or that they didn't really care?

    1. Re:More specifically? by Tastecicles · · Score: 3, Insightful

      It being mainly Government agencies we're talking about here, they subcontract most everything out to the private sector, which is also where they lump the burden of securing the data. So, it's more complacency than anything; unfortunately, they almost always award the contracts to the lowest bidder, which means that the quality of the work is not always up to scratch.

      --
      Operation Guillotine is in effect.
    2. Re:More specifically? by Kagetsuki · · Score: 1

      Or that the don't really need it? So someone finds out I ordered something from Amazon... ok? I mean unless someone was trying to intercept a specific package or something? Maybe? The box has your name, address, and sometimes phone number and e-mail address written right on it!

    3. Re:More specifically? by _Shad0w_ · · Score: 4, Interesting

      They're talking about companies who run things like box carriers and the like, not couriers. A lot of ships have internet connections, via things like FleetBroadband from Inmarsat, so having an awareness of internet security, I would suggest, is actually pretty important.

      They regularly take data sent to them via e-mail or direct internet connection and load it on to their ECDIS units (mostly that would be ENC updates or permit files). As to whether that's in some way exploitable, I couldn't say.

      --

      Yeah, I had a sig once; I got bored of it.

    4. Re:More specifically? by Kagetsuki · · Score: 2

      Aah, now I see - thank you for informing me. Now I feel stupid for making that comment.

    5. Re:More specifically? by Anonymous Coward · · Score: 0

      What the fuck? They're talking about dropping untraceable containers containing nuclear material into the shipping system and redirecting them to the relevant place on an ad hoc basis. Nobody gives a shit about your spanking schoolgirls DVDs.

    6. Re:More specifically? by Uber+Banker · · Score: 2

      A simple example from my field: Letter of Credit Fraud

      A letter of credit is advised, issued and liquidated based on documentation. A supplier is paid when an LC is liquidated. These documents and specifications within are listed on an LC and trade contract. Independent 3rd parties are involved in verifying cargo amount, quality, timeliness, etc specified on the LC. When all pieces of documentation checkmarks are ticked off, the LC is paid, liquidated.

      Now what if I could get into the systems, or disrupt the information flow and security, and provide false documentation from port authorities or other maritime agents? The LC will be paid, because required documentation is ticked off. I may be a crocked supplier; I may be a man-in-the-middle that changes payee bank account number, though this shouldn't happen, because a bank should check against original hard copy when liquidating; I may be a man-in-the-middle that changes title deed of goods during transit or sell the goods to a false 3rd party during transit. There are countermeasures to all of the above implemented in banks, but who wants increased threat because of institutional carelessness?

      Terrorists disrupting chemical shipments and other low likelihood high risk events are a threat too, but the above example is a simple demonstration of high likelihood threats caused by the findings of the linked report.

    7. Re:More specifically? by AmiMoJo · · Score: 1

      And yet there have not been any major terror attacks on ports. The reason is that shipping containers are actually pretty robust and you would need a massive explosion to cause enough damage to sink a ship or badly damage the port. There are plenty of much easier targets that will cause a lot more deaths.

      Most security is a waste of time because terrorists fit into one of two groups: the competent and the incompetent. The former group has proper training, picks realistic targets, has professionally made bombs and are generally well organised. You can only stop them by investigation because there are just so many soft targets for them to hit.

      The incompetent terrorists are the guys who forget to scope out the target and then crash their suicide vehicle into the barriers in front of it, or try to detonate their underpants on an aircraft when the necessary equipment and procedure to do so alerts all the other passengers. You just can't get easily used bombs through x-ray machines and sniffer dogs, so they resort to the ones they can't actually use. Those guys sometimes get caught by the half-baked security measures we brought in, and sometimes they don't. The security we have only works if the attacker is dumb, and the ones which are fail for other reasons anyway.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re:More specifically? by JamesTRexx · · Score: 1

      I don't think an attack on a port is the biggest worry. More profitable is fraud by switching or making cargo disappear. Think of a container full of electronics, weapons, people, etc..
      A terrorist would rather move a lot of bombs through a loophole in logistics than blow it up with one.

      --
      home
    9. Re:More specifically? by jc42 · · Score: 1

      They're talking about dropping untraceable containers containing nuclear material into the shipping system and redirecting them to the relevant place on an ad hoc basis. Nobody gives a shit about your spanking schoolgirls DVDs.

      If history is any guide, those spanking schoolgirls DVDs are what people (and government agencies) will get really excited about. Containers full of nuclear material, though? Hardly anyone wants to get involved with them. They're booooooriiiiiiing!

      Also, the way most organizations work, if you are involved with inspecting packages for radioactive material, and you catch 999 out of 1000 of them, the one that you missed will get you fired (and possibly jailed). So you'd expect that people who value their own lives, safety, freedom, etc. to avoid such jobs. Let someone else take the blame for missing a dangerous package.

      This principle is especially strong in the "cyber security" field. Anyone ever involved with it knows that you get no credit for doing things right. Nobody ever notices that. But let a single exploit affect your systems, and you're hauled before investigative committees consisting of people who don't have a clue about the inner working of a computer or network. People with a desire for self-preservation tend to avoid such situations. In particular, when they fire you, you don't look for a second job with similar responsibilities.

      Until this problem is fixed, we can expect all our systems to remain as insecure as they are now.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    10. Re:More specifically? by Anonymous Coward · · Score: 0

      Hmmm... S-57 ENC data is encrypted to IHO S-63 (which mandates Blowfish) and the permits (which contain the encrypted keys to licensed cells) are encrypted with a key that is specific to the ECDIS for which the ship is licensed. An attack would require knowledge of the model and serial of the EDCIS on the bridge, or am I missing something?

  2. Physical and Digital by andersh · · Score: 4, Interesting

    After having read the full report in question it becomes somewhat clearer, they didn't just fill out forms, they interviewed people and held workshops with the key players.

    To quote the report:
    "awareness regarding cyber security aspects is either at a very low level or even non-existent in the maritime sector, this observation being applicable at all layers, including government bodies, port authorities and maritime companies.".

    My understanding is that this report is focused on what governments and the EU specifically can do to help, build and support for better security. In recent years the EU and other bodies have created and implemented security related regulation including provisions relating to safety and physical security concepts.

    Now, it's time to look at what the EU and its members should and can do to secure related information systems. Self-regulatory and co-regulatory organisational models around maritime cyber security aspects are virtually non-existent within the EU Member States, according to the report (page 19).

  3. Really? by andersh · · Score: 3, Interesting

    Do you have any actual experience or knowledge of European governments in this area? This doesn't seem like an accurate description of how things are done in my part of Europe at least. Are you American, European or something else?

    I find it hard to believe the fact that you claim to know this is how it actually works, especially in all of the 27 different EU member countries. Never mind the 50 countries of Europe. Somehow I doubt you know them all.

    The report however is specifically focused on creating frameworks for all of the nations involved in cooperation with the industry.

    1. Re:Really? by Kagetsuki · · Score: 1, Insightful

      "Somehow I doubt you know them all."

      I can't even remember how old I am half the time let alone recollect the prefectures of my own country. Hell I can't even remember what countries surround German and I actually lived there for a while.

      Anyway, cyber-security of shipping companies is the least of the EU's problems right now. How about you work on finding a way to get the Greeks to do more than 3 hours of work a day?

    2. Re:Really? by Anonymous Coward · · Score: 0

      Yes that is how we do things. I currently work for the German government in IT and the money we waste on those cheap vendors is ridiculous. But this is right in line with the rest of the "Aldi" shopping society so no real surprises here.
      The shit only works because nothing serious has happened, yet.

      GrüÃYe aus Baden-Württemberg (mhhh the nerds must have left this site a long time ago)

    3. Re:Really? by Anonymous Coward · · Score: 0

      Somehow I doubt that you know anything about Greece neither. Maybe they have not a work ethic like the germans but that is not the reason of the economic mess in Greece and its not the reason of the economic mess in Europe.

      I am a little tired of listening this PIGS bullshit (especially from people that doesn't know what countries surround Germany).
      For instance, here in Europe, a lot of people think that americans are crazy assholes but for me always has been difficult to categorize 300*10^6 person in only one personality group. So, for your info: I have friends from Greece and they work a lot.

    4. Re:Really? by hughk · · Score: 2

      Anyway, cyber-security of shipping companies is the least of the EU's problems right now. How about you work on finding a way to get the Greeks to do more than 3 hours of work a day?

      Funnily enough, the Greeks have about the largest merchant fleet in the EU. It is a major part of their problem because shipping is an area where you can get very creative as to where you make or lose money and avoiding inconvenient taxes.

      --
      See my journal, I write things there
    5. Re:Really? by Anonymous Coward · · Score: 0

      I am Greek - most of us (excluding our huge public sector - the big problem of Greece, bigger than the second problem, tax evasion) work more than 3 hours a day (actually according to the latest report from eurostat we work more than most Europeans - more than the Germans for example) - we just don't do it as productive as the Germans for example.
      Greeks control most of the global merchant fleet (by number of ships or cargo capacity), especially tankers and dry cargo - most of them are with flags of "opportunity" (Panama, Liberia, etc) for tax reasons.
      Our shipping industry is the second most important (after tourism) "export". The general work ethics in that industry is above Greek average (everyone is Greek except the low rank crew who are usually Filipinos - also with good work ethics).

  4. Not a lack of understanding by Anonymous Coward · · Score: 1

    It is more a lack of incentive.I work in assenger and air cargo, and rankly, most of our system are so old that it is hard to justify *any* security measure. Even if you were an uberloot hacker and even if you could do injection, there is too many check and balance in the code to go very far without tripping half a dozen red light (which are there to avoid COSTLY rerouting, not against hacker). As for getting root, I am not sure it is remotely useful as most of those system use abstruse system which are not even modfiable from the CLI environement, only from the TIP even for us system program, so I doubt a rooting guy could do anything. Actually I sometime wish the possibility was there would be easier to patch things up.

    And that's not even counting the XRAY scanner on the package and the other security measure from the cargo having nothing to do with the system itself.

    In such circumstance there is no way whatsoever to suggest security. when there is no money gain in it. I betcha a lot of shop are using similar old cargo system.

    1. Re:Not a lack of understanding by ColdWetDog · · Score: 1

      It is more a lack of incentive.I work in assenger and air cargo, and rankly, most of our system are so old that it is hard to justify *any* security measure.

      That's a new approach. Security through senescence.

      --
      Faster! Faster! Faster would be better!
  5. Larger Issues by andersh · · Score: 3, Informative

    We're talking about larger issues such as preventing whole tankers filled with toxic materials, oil or gas from becoming terrorist targets/weapons. They're not focused on consumer data protection in this report.

    We've recently improved our physical port security, now we need to think about securing the information infrastructure to prevent attacks that could result in massive economic [disruption] and environmental damage.

    1. Re:Larger Issues by el_tedward · · Score: 1

      I'm willing to bet that there's a computer hooked up to a thingy hooked up to another thingy you don't want to go crash boom on a boat or port somewhere.

      Is that computer hooked up to the internet? There's a good chance it is, but it's not like computer security ceases to be an issue when you disconnect from the internet.

    2. Re:Larger Issues by Kagetsuki · · Score: 2

      Ok, thank you for clarifying that. In retrospect my comment was pretty stupid, wasn't it.

    3. Re:Larger Issues by Anonymous Coward · · Score: 0

      My company manages IT on several hundred vessels, My experience is that navigation, engine and rudder control systems are not connected to the ship LAN and sat. uplink. Updates to these systems are done by cdrom or floppy disks. Most of our customers are very concerned about security, and they require frequent AV updates, firewalls and so on. https://www.palantir.no

    4. Re:Larger Issues by ColdWetDog · · Score: 1

      My company manages IT on several hundred vessels, My experience is that navigation, engine and rudder control systems are not connected to the ship LAN and sat. uplink. Updates to these systems are done by cdrom or floppy disks. Most of our customers are very concerned about security, and they require frequent AV updates, firewalls and so on. https://www.palantir.no/

      Didn't you see Jurassic Park II? If a T-rex can take over ship and ram it into a dock, certainly some 15 year old script kiddie in a cyber cafe somewhere in the third world could do horrible things!

      --
      Faster! Faster! Faster would be better!
  6. Small change by korgitser · · Score: 0

    The brits run their nukular submarines on windows for some years now. http://www.tomshardware.com/news/Submarines-Windows-Royal-Navy,6718.html
    I wonder which would be worse, greenpeace rooting a tanker or a nukesub taking a core dump? The end is nigh, but then I guess this world has bigger problems to ignore right now. Lets just push that big red button to get it over with:)

    --
    FCKGW 09F9 42
  7. Multi-tasking by andersh · · Score: 2

    Anyway, cyber-security of shipping companies is the least of the EU's problems right now. How about you work on finding a way to get the Greeks to do more than 3 hours of work a day?

    That's your contribution? The EU is a supra-national government, it is capable of handling any number of issues concurrently, like any other government. That's what all those employees are for. What you are "suggesting" is plainly absurd. What do you imagine the people working on food safety or road maintenance can do to fix a sovereign debt crisis? Maybe your government is incapable of working on more than one issue at the time?

    The Greeks work a lot more than that, you sure are full of vitriol, where do you get your information? Comical Ali?

    If you're from Japan I would say you have your own fair share of problems including national debts, currency problems, falling competitiveness and aging population. That sounds very much like the problems of the countries you scoffed at.

    1. Re:Multi-tasking by Kagetsuki · · Score: 1

      I'm betting your Greek.

    2. Re:Multi-tasking by Kagetsuki · · Score: 1

      *you're

    3. Re:Multi-tasking by justsayin · · Score: 1

      Well, as one of those A-hole Americans I can state truthfully that our government is not capable of working even one issue at a time. Unless that issue is how to get more money into their personal bank accounts.

      And to the rest of the world reading this, America is full of A-holes. It was not always like this but common decency among these people has gone right out the window. So, if you see an American and you're not in America. That American is probably rich and even more of an A-hole than the rest of us who don't have enough money to travel abroad.

      I wish you could come over here and meet some of the normal people. I promise you that it would change your opinion.

  8. Not Armed Forces by Anonymous Coward · · Score: 0

    Maritime security in this context does not include the national armed forces. We're talking about shipping, not submarines.

    The EU doesn't legislate how the countries' armed forces are run, besides they already have strict national information security measures in place there.

  9. Basic Premise by andersh · · Score: 1

    I don't see how that is in conflict with what I said? That's probably not your point either? I think your point is exactly why the EU is pushing for more regulation and cooperation.

  10. Re:So, yeah, this headline? by Ragzouken · · Score: 1

    Yeah, who ever needed words like "is", "of", and "the" anyway?

  11. Grimm IT Fairy Tales from Germany? by andersh · · Score: 1

    Sorry, that's just anecdotal "evidence" from one country. It proves nothing in general European terms of specifically for Germany.

  12. It's All Greek To You by andersh · · Score: 2

    Yeah, that shows how little you know, fail to understand Europe and Europeans in general.

    Actually I'm from a wealthy non-EU, Northern European country, one with low unemployment, no currency problems, no net national debt and a booming economy. The Eurozone crisis is not ours, and it has had no impact here. I do however work with clients in the EU, I know Europe quite well, and I don't approve of misinformation and lies.

    The Greeks screwed themselves, with help from large international banks, and now everyone's paying for it. Their work ethic has little to do with it, most of them work(ed) very hard every day, for much longer than you or I. On the other hand there were/are public employees with too many benefits and great pensions. The issue was overspending, not underworking. Covering it up made it Europe's problem.

    1. Re:It's All Greek To You by bungo · · Score: 1

      The Eurozone crisis is not ours, and it has had no impact here.

      Oh, ok. You have nothing to worry about.

      So who are your major trading partners? In the EU? Or do these partners have the EU as a major trading partner?

      --
      "The best part? I became an ordained minister while not wearing pants." -- CleverNickName
    2. Re:It's All Greek To You by Kagetsuki · · Score: 1

      It's not that I fail to it's that I don't care to. The stereotype of the Greek not working hard are from the international news, which continues to target that stereotype as a reason why Greece fell apart. The other faults that were pointed out were public employees with too many benefits and great pensions just as you mention, and fraudulent/unchecked government benefits. At least that I read about. That's all I know about the situation and seeing as to how so many news agencies were presenting the same information I assumed it to be true to the degree that it has no actual effect on my immediate life whatsoever.

      I'm just as gruffed by your blatant ignorance about Japan but I'm not going to waste my time bickering over the internet. So just consider this an apology. I'm sorry for making a generalization based on knowledge gained entirely through tabloid propaganda.

    3. Re:It's All Greek To You by phayes · · Score: 1

      Yes, the Greeks screwed everyone by fraudulently juggling their budgets and indulging in an oversized public sector but the deeper problem is that the Greeks are a nation of tax dodgers. Even now, many of the translated headlines i see from Greece are more about cutting the public sector than about getting people to actually pay the taxes they use to justify the budget. You cannot have a first world public sector on a third world tax base without a windfall like oil.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    4. Re:It's All Greek To You by Anonymous Coward · · Score: 0

      The Greeks screwed themselves, with help from large *American* banks, and now everyone's paying for it.

      There, fixed that for you.

  13. Minor Mistake by andersh · · Score: 1

    It did sort of miss the point :)

  14. Connected Economies by andersh · · Score: 1

    I'm referring to statistics from my government, the OECD and IMF (2008-2011).

    Fortunately for us we have the cash to ward off the ill effects of the global downturn. Our internal economy is pretty insular and a lot of people work for state owned industries/public offices. Our banks were already well regulated because of a past housing boom and bust. So no collapsing banks or housing market here.

    Our currency is solid and gaining due to the general European insecurity. Exports are getting more expensive of course. Our unemployment is the lowest in Europe (3%). Money is flowing from other countries to our currency, banks and stocks as a "safe harbor". We're rated AAA as a country.

    The EU is a major trading partner, but we also trade on the global commodities market. Oil and gas hasn't collapsed. We are one of the EU's largest energy suppliers (oil, gas, electricity). There is an interdependency there, but we can always sell our resources elsewhere.

    The EU recently asked us for help, due to our cash reserves, and we decided to give a few billion dollars to the IMF. It's in our interest that the EU stabilizes, but it's not our currency or banks. How badly it will affect us is yet to be seen, we've noticed very little here as of yet. We'll just have to wait and see.

  15. Anything to do with certain patriot missiles? by Anonymous Coward · · Score: 0

    Would this news piece happen to have anything to do with the 69 Patriot missiles found on a German boat headed for China?

    http://edition.cnn.com/2011/12/21/world/europe/finland-ship-missiles/index.html
    http://www.washingtonpost.com/world/europe/finnish-police-find-shipment-of-patriot-missiles-in-ship-destined-for-shanghai/2011/12/21/gIQA1sEA9O_story.html

    Some US authorities might be interested in muddying the waters on the subject of EU shipping security. The local news have accused the US of flagrant arrogance in their smuggling operations. The ship apparently had inappropriately packed but legal explosives shipment for China (which will be repacked and shipped forward) and illegal shipment of Patriot missiles, which apparently was seized by the Finnish Army. This was noticed when the ship stopped at Finland to load some wood products.

    1. Re:Anything to do with certain patriot missiles? by ladoga · · Score: 1

      This was noticed when the ship stopped at Finland to load some wood products.

      AFAIK it stopped in Finland to load few pieces of chain. Stopping in Finland if you are on the way from Germany to China makes very little sense (it's in the opposite direction), so maybe the whole stop was just to camouflage the ship's original route. However the ship got into a storm, called pilot for help and ended up being inspected.

      It was found out that the freight was not correctly secured and had been thrown around during the storm. There was also some problems with ship's freight bill. 69 Patriot missiles were found that were not mentioned.

      When questioned about the whole mess the shipping company said that the missiles were "probably loaded in by accident".

      My guess is that these missiles were German second hand PAC-2s that have been legally sold to South-Korea. Why were they smuggling them? No idea.

  16. There's a reason why security is low by satuon · · Score: 2

    Security is taken seriously only when threats start happening in practice, not just in theory. And for all the lack of security nothing has really happened so far. When and if ships start sinking and blowing because of viruses, security will be improved, but not until then. Same reason why people in India don't have winter coats just in case the temperatures drop to zero - which they did, once (and a lot of people died then).

    And ultimately, if it's so easy to do mischief, then why has nothing happened in practice so far?

    1. Re:There's a reason why security is low by Anonymous Coward · · Score: 0

      Mod parent up and start a donation drive to send winter coats to India.

    2. Re:There's a reason why security is low by Anonymous Coward · · Score: 0

      Consider the intelligence aspect of shipping, and the naked information that might be available because of simple cluelessness.

      A malicious transnational interest with aims to destroy the economy of an individual nation that won't play ball. They build intelligence through electronic surveillance of key players in the shipping sector (personal e-mail hacking, malicious GPS tagging, sneaky peaky malware, etc). These people are not aware of their being placed under observation. The information gleaned from this surveillance is used in sabotage operations whereby it is not evident how the targets and strategic information was established.

      End result, ships sink, but nobody connects the dots as to why.

      Look at what happened in England with News Corp. hacking individuals, just to make a story sell more ads and papers. I know this is grandiose tin foil hat territory, but it's just a demonstrative example, not to be taken literally.

  17. Re:Really? Yes by Anonymous Coward · · Score: 0

    When you are in the in Joe public are them and we are us and nobody cares about them.

    The contractors who supply the computers are paid treble what they should be paid. If you open a cupboard you will stumble into a pile of last year's computers. Security tags log you in to your computer system they know when you are logged in and when you have logged out. Every year they pretend that they need more security which means more money which means more supervisors which means more money. We all need more security and better systems it provides employment. "Them" have the money and us want it. It's just a scam its institutionalised.

  18. Mean Shot by Anonymous Coward · · Score: 0

    I'm sorry, it was a mean shot, I realize Japan is in a different category. I just wanted to let you know how it felt by using the same tabloid methods. I've been reading OECD reports on Japan, and there are issue there as well, but it's obviously nothing like Greece.

  19. somali pirates by Anonymous Coward · · Score: 0

    are getting more sophisticated?