EU Shipping Sector Cyber Security Awareness "Non-Existent"

twoheadedboy writes "The European maritime sector has next to no idea about cyber security, according to a report released by the European Network and Information Security Agency (ENISA). The shipping industry, which carried 52 per cent of goods traffic in Europe in 2010, has 'currently low to non-existent' awareness of cyber security needs and challenges, the report said. ENISA claimed the lack of understanding was evident at every layer of the industry, from government bodies to port authorities and maritime companies."

More specifically?

[sidthegeek]

Is it that they didn't know, or that they didn't really care?

Re:More specifically?

[Tastecicles]

It being mainly Government agencies we're talking about here, they subcontract most everything out to the private sector, which is also where they lump the burden of securing the data. So, it's more complacency than anything; unfortunately, they almost always award the contracts to the lowest bidder, which means that the quality of the work is not always up to scratch.

Re:More specifically?

[Kagetsuki]

Or that the don't really need it? So someone finds out I ordered something from Amazon... ok? I mean unless someone was trying to intercept a specific package or something? Maybe? The box has your name, address, and sometimes phone number and e-mail address written right on it!

Re:More specifically?

[_Shad0w_]

They're talking about companies who run things like box carriers and the like, not couriers. A lot of ships have internet connections, via things like FleetBroadband from Inmarsat, so having an awareness of internet security, I would suggest, is actually pretty important.

They regularly take data sent to them via e-mail or direct internet connection and load it on to their ECDIS units (mostly that would be ENC updates or permit files). As to whether that's in some way exploitable, I couldn't say.

Re:More specifically?

[Kagetsuki]

Aah, now I see - thank you for informing me. Now I feel stupid for making that comment.

Re:More specifically?

[Uber+Banker]

A simple example from my field: Letter of Credit Fraud

A letter of credit is advised, issued and liquidated based on documentation. A supplier is paid when an LC is liquidated. These documents and specifications within are listed on an LC and trade contract. Independent 3rd parties are involved in verifying cargo amount, quality, timeliness, etc specified on the LC. When all pieces of documentation checkmarks are ticked off, the LC is paid, liquidated.

Now what if I could get into the systems, or disrupt the information flow and security, and provide false documentation from port authorities or other maritime agents? The LC will be paid, because required documentation is ticked off. I may be a crocked supplier; I may be a man-in-the-middle that changes payee bank account number, though this shouldn't happen, because a bank should check against original hard copy when liquidating; I may be a man-in-the-middle that changes title deed of goods during transit or sell the goods to a false 3rd party during transit. There are countermeasures to all of the above implemented in banks, but who wants increased threat because of institutional carelessness?

Terrorists disrupting chemical shipments and other low likelihood high risk events are a threat too, but the above example is a simple demonstration of high likelihood threats caused by the findings of the linked report.

Re:More specifically?

[AmiMoJo]

And yet there have not been any major terror attacks on ports. The reason is that shipping containers are actually pretty robust and you would need a massive explosion to cause enough damage to sink a ship or badly damage the port. There are plenty of much easier targets that will cause a lot more deaths.

Most security is a waste of time because terrorists fit into one of two groups: the competent and the incompetent. The former group has proper training, picks realistic targets, has professionally made bombs and are generally well organised. You can only stop them by investigation because there are just so many soft targets for them to hit.

The incompetent terrorists are the guys who forget to scope out the target and then crash their suicide vehicle into the barriers in front of it, or try to detonate their underpants on an aircraft when the necessary equipment and procedure to do so alerts all the other passengers. You just can't get easily used bombs through x-ray machines and sniffer dogs, so they resort to the ones they can't actually use. Those guys sometimes get caught by the half-baked security measures we brought in, and sometimes they don't. The security we have only works if the attacker is dumb, and the ones which are fail for other reasons anyway.

Re:More specifically?

[JamesTRexx]

I don't think an attack on a port is the biggest worry. More profitable is fraud by switching or making cargo disappear. Think of a container full of electronics, weapons, people, etc..
A terrorist would rather move a lot of bombs through a loophole in logistics than blow it up with one.

Re:More specifically?

[jc42]

They're talking about dropping untraceable containers containing nuclear material into the shipping system and redirecting them to the relevant place on an ad hoc basis. Nobody gives a shit about your spanking schoolgirls DVDs.

If history is any guide, those spanking schoolgirls DVDs are what people (and government agencies) will get really excited about. Containers full of nuclear material, though? Hardly anyone wants to get involved with them. They're booooooriiiiiiing!

Also, the way most organizations work, if you are involved with inspecting packages for radioactive material, and you catch 999 out of 1000 of them, the one that you missed will get you fired (and possibly jailed). So you'd expect that people who value their own lives, safety, freedom, etc. to avoid such jobs. Let someone else take the blame for missing a dangerous package.

This principle is especially strong in the "cyber security" field. Anyone ever involved with it knows that you get no credit for doing things right. Nobody ever notices that. But let a single exploit affect your systems, and you're hauled before investigative committees consisting of people who don't have a clue about the inner working of a computer or network. People with a desire for self-preservation tend to avoid such situations. In particular, when they fire you, you don't look for a second job with similar responsibilities.

Until this problem is fixed, we can expect all our systems to remain as insecure as they are now.

Physical and Digital

[andersh]

After having read the full report in question it becomes somewhat clearer, they didn't just fill out forms, they interviewed people and held workshops with the key players.

To quote the report:
"awareness regarding cyber security aspects is either at a very low level or even non-existent in the maritime sector, this observation being applicable at all layers, including government bodies, port authorities and maritime companies.".

My understanding is that this report is focused on what governments and the EU specifically can do to help, build and support for better security. In recent years the EU and other bodies have created and implemented security related regulation including provisions relating to safety and physical security concepts.

Now, it's time to look at what the EU and its members should and can do to secure related information systems. Self-regulatory and co-regulatory organisational models around maritime cyber security aspects are virtually non-existent within the EU Member States, according to the report (page 19).

Really?

[andersh]

Do you have any actual experience or knowledge of European governments in this area? This doesn't seem like an accurate description of how things are done in my part of Europe at least. Are you American, European or something else?

I find it hard to believe the fact that you claim to know this is how it actually works, especially in all of the 27 different EU member countries. Never mind the 50 countries of Europe. Somehow I doubt you know them all.

The report however is specifically focused on creating frameworks for all of the nations involved in cooperation with the industry.

Re:Really?

[Kagetsuki]

"Somehow I doubt you know them all."

I can't even remember how old I am half the time let alone recollect the prefectures of my own country. Hell I can't even remember what countries surround German and I actually lived there for a while.

Anyway, cyber-security of shipping companies is the least of the EU's problems right now. How about you work on finding a way to get the Greeks to do more than 3 hours of work a day?

Re:Really?

[hughk]

Anyway, cyber-security of shipping companies is the least of the EU's problems right now. How about you work on finding a way to get the Greeks to do more than 3 hours of work a day?

Funnily enough, the Greeks have about the largest merchant fleet in the EU. It is a major part of their problem because shipping is an area where you can get very creative as to where you make or lose money and avoiding inconvenient taxes.

Not a lack of understanding

It is more a lack of incentive.I work in assenger and air cargo, and rankly, most of our system are so old that it is hard to justify *any* security measure. Even if you were an uberloot hacker and even if you could do injection, there is too many check and balance in the code to go very far without tripping half a dozen red light (which are there to avoid COSTLY rerouting, not against hacker). As for getting root, I am not sure it is remotely useful as most of those system use abstruse system which are not even modfiable from the CLI environement, only from the TIP even for us system program, so I doubt a rooting guy could do anything. Actually I sometime wish the possibility was there would be easier to patch things up.

And that's not even counting the XRAY scanner on the package and the other security measure from the cargo having nothing to do with the system itself.

In such circumstance there is no way whatsoever to suggest security. when there is no money gain in it. I betcha a lot of shop are using similar old cargo system.

Re:Not a lack of understanding

[ColdWetDog]

It is more a lack of incentive.I work in assenger and air cargo, and rankly, most of our system are so old that it is hard to justify *any* security measure.

That's a new approach. Security through senescence.

Larger Issues

[andersh]

We're talking about larger issues such as preventing whole tankers filled with toxic materials, oil or gas from becoming terrorist targets/weapons. They're not focused on consumer data protection in this report.

We've recently improved our physical port security, now we need to think about securing the information infrastructure to prevent attacks that could result in massive economic [disruption] and environmental damage.

Re:Larger Issues

[el_tedward]

I'm willing to bet that there's a computer hooked up to a thingy hooked up to another thingy you don't want to go crash boom on a boat or port somewhere.

Is that computer hooked up to the internet? There's a good chance it is, but it's not like computer security ceases to be an issue when you disconnect from the internet.

Re:Larger Issues

[Kagetsuki]

Ok, thank you for clarifying that. In retrospect my comment was pretty stupid, wasn't it.

Re:Larger Issues

[ColdWetDog]

My company manages IT on several hundred vessels, My experience is that navigation, engine and rudder control systems are not connected to the ship LAN and sat. uplink. Updates to these systems are done by cdrom or floppy disks. Most of our customers are very concerned about security, and they require frequent AV updates, firewalls and so on. https://www.palantir.no/

Didn't you see Jurassic Park II? If a T-rex can take over ship and ram it into a dock, certainly some 15 year old script kiddie in a cyber cafe somewhere in the third world could do horrible things!

Multi-tasking

[andersh]

Anyway, cyber-security of shipping companies is the least of the EU's problems right now. How about you work on finding a way to get the Greeks to do more than 3 hours of work a day?

That's your contribution? The EU is a supra-national government, it is capable of handling any number of issues concurrently, like any other government. That's what all those employees are for. What you are "suggesting" is plainly absurd. What do you imagine the people working on food safety or road maintenance can do to fix a sovereign debt crisis? Maybe your government is incapable of working on more than one issue at the time?

The Greeks work a lot more than that, you sure are full of vitriol, where do you get your information? Comical Ali?

If you're from Japan I would say you have your own fair share of problems including national debts, currency problems, falling competitiveness and aging population. That sounds very much like the problems of the countries you scoffed at.

Re:Multi-tasking

[Kagetsuki]

I'm betting your Greek.

Re:Multi-tasking

[Kagetsuki]

*you're

Re:Multi-tasking

[justsayin]

Well, as one of those A-hole Americans I can state truthfully that our government is not capable of working even one issue at a time. Unless that issue is how to get more money into their personal bank accounts.

And to the rest of the world reading this, America is full of A-holes. It was not always like this but common decency among these people has gone right out the window. So, if you see an American and you're not in America. That American is probably rich and even more of an A-hole than the rest of us who don't have enough money to travel abroad.

I wish you could come over here and meet some of the normal people. I promise you that it would change your opinion.

Basic Premise

[andersh]

I don't see how that is in conflict with what I said? That's probably not your point either? I think your point is exactly why the EU is pushing for more regulation and cooperation.

Re:So, yeah, this headline?

[Ragzouken]

Yeah, who ever needed words like "is", "of", and "the" anyway?

Grimm IT Fairy Tales from Germany?

[andersh]

Sorry, that's just anecdotal "evidence" from one country. It proves nothing in general European terms of specifically for Germany.

It's All Greek To You

[andersh]

Yeah, that shows how little you know, fail to understand Europe and Europeans in general.

Actually I'm from a wealthy non-EU, Northern European country, one with low unemployment, no currency problems, no net national debt and a booming economy. The Eurozone crisis is not ours, and it has had no impact here. I do however work with clients in the EU, I know Europe quite well, and I don't approve of misinformation and lies.

The Greeks screwed themselves, with help from large international banks, and now everyone's paying for it. Their work ethic has little to do with it, most of them work(ed) very hard every day, for much longer than you or I. On the other hand there were/are public employees with too many benefits and great pensions. The issue was overspending, not underworking. Covering it up made it Europe's problem.

Re:It's All Greek To You

[bungo]

The Eurozone crisis is not ours, and it has had no impact here.

Oh, ok. You have nothing to worry about.

So who are your major trading partners? In the EU? Or do these partners have the EU as a major trading partner?

Re:It's All Greek To You

[Kagetsuki]

It's not that I fail to it's that I don't care to. The stereotype of the Greek not working hard are from the international news, which continues to target that stereotype as a reason why Greece fell apart. The other faults that were pointed out were public employees with too many benefits and great pensions just as you mention, and fraudulent/unchecked government benefits. At least that I read about. That's all I know about the situation and seeing as to how so many news agencies were presenting the same information I assumed it to be true to the degree that it has no actual effect on my immediate life whatsoever.

I'm just as gruffed by your blatant ignorance about Japan but I'm not going to waste my time bickering over the internet. So just consider this an apology. I'm sorry for making a generalization based on knowledge gained entirely through tabloid propaganda.

Re:It's All Greek To You

[phayes]

Yes, the Greeks screwed everyone by fraudulently juggling their budgets and indulging in an oversized public sector but the deeper problem is that the Greeks are a nation of tax dodgers. Even now, many of the translated headlines i see from Greece are more about cutting the public sector than about getting people to actually pay the taxes they use to justify the budget. You cannot have a first world public sector on a third world tax base without a windfall like oil.

Minor Mistake

[andersh]

It did sort of miss the point :)

Connected Economies

[andersh]

I'm referring to statistics from my government, the OECD and IMF (2008-2011).

Fortunately for us we have the cash to ward off the ill effects of the global downturn. Our internal economy is pretty insular and a lot of people work for state owned industries/public offices. Our banks were already well regulated because of a past housing boom and bust. So no collapsing banks or housing market here.

Our currency is solid and gaining due to the general European insecurity. Exports are getting more expensive of course. Our unemployment is the lowest in Europe (3%). Money is flowing from other countries to our currency, banks and stocks as a "safe harbor". We're rated AAA as a country.

The EU is a major trading partner, but we also trade on the global commodities market. Oil and gas hasn't collapsed. We are one of the EU's largest energy suppliers (oil, gas, electricity). There is an interdependency there, but we can always sell our resources elsewhere.

The EU recently asked us for help, due to our cash reserves, and we decided to give a few billion dollars to the IMF. It's in our interest that the EU stabilizes, but it's not our currency or banks. How badly it will affect us is yet to be seen, we've noticed very little here as of yet. We'll just have to wait and see.

There's a reason why security is low

[satuon]

Security is taken seriously only when threats start happening in practice, not just in theory. And for all the lack of security nothing has really happened so far. When and if ships start sinking and blowing because of viruses, security will be improved, but not until then. Same reason why people in India don't have winter coats just in case the temperatures drop to zero - which they did, once (and a lot of people died then).

And ultimately, if it's so easy to do mischief, then why has nothing happened in practice so far?

Re:Anything to do with certain patriot missiles?

[ladoga]

This was noticed when the ship stopped at Finland to load some wood products.

AFAIK it stopped in Finland to load few pieces of chain. Stopping in Finland if you are on the way from Germany to China makes very little sense (it's in the opposite direction), so maybe the whole stop was just to camouflage the ship's original route. However the ship got into a storm, called pilot for help and ended up being inspected.

It was found out that the freight was not correctly secured and had been thrown around during the storm. There was also some problems with ship's freight bill. 69 Patriot missiles were found that were not mentioned.

When questioned about the whole mess the shipping company said that the missiles were "probably loaded in by accident".

My guess is that these missiles were German second hand PAC-2s that have been legally sold to South-Korea. Why were they smuggling them? No idea.