Slashdot Mirror


EU Shipping Sector Cyber Security Awareness "Non-Existent"

twoheadedboy writes "The European maritime sector has next to no idea about cyber security, according to a report released by the European Network and Information Security Agency (ENISA). The shipping industry, which carried 52 per cent of goods traffic in Europe in 2010, has 'currently low to non-existent' awareness of cyber security needs and challenges, the report said. ENISA claimed the lack of understanding was evident at every layer of the industry, from government bodies to port authorities and maritime companies."

13 of 55 comments

  1. More specifically? by sidthegeek · · Score: 2, Interesting

    Is it that they didn't know, or that they didn't really care?

    1. Re:More specifically? by Tastecicles · · Score: 3, Insightful

      It being mainly Government agencies we're talking about here, they subcontract most everything out to the private sector, which is also where they lump the burden of securing the data. So, it's more complacency than anything; unfortunately, they almost always award the contracts to the lowest bidder, which means that the quality of the work is not always up to scratch.

      --
      Operation Guillotine is in effect.
    2. Re:More specifically? by _Shad0w_ · · Score: 4, Interesting

      They're talking about companies who run things like box carriers and the like, not couriers. A lot of ships have internet connections, via things like FleetBroadband from Inmarsat, so having an awareness of internet security, I would suggest, is actually pretty important.

      They regularly take data sent to them via e-mail or direct internet connection and load it on to their ECDIS units (mostly that would be ENC updates or permit files). As to whether that's in some way exploitable, I couldn't say.

      --

      Yeah, I had a sig once; I got bored of it.

    3. Re:More specifically? by Kagetsuki · · Score: 2

      Aah, now I see - thank you for informing me. Now I feel stupid for making that comment.

    4. Re:More specifically? by Uber+Banker · · Score: 2

      A simple example from my field: Letter of Credit Fraud

      A letter of credit is advised, issued and liquidated based on documentation. A supplier is paid when an LC is liquidated. These documents and specifications within are listed on an LC and trade contract. Independent 3rd parties are involved in verifying cargo amount, quality, timeliness, etc specified on the LC. When all pieces of documentation checkmarks are ticked off, the LC is paid, liquidated.

      Now what if I could get into the systems, or disrupt the information flow and security, and provide false documentation from port authorities or other maritime agents? The LC will be paid, because required documentation is ticked off. I may be a crooked supplier; I may be a man-in-the-middle that changes payee bank account number, though this shouldn't happen, because a bank should check against original hard copy when liquidating; I may be a man-in-the-middle that changes title deed of goods during transit or sell the goods to a false 3rd party during transit. There are countermeasures to all of the above implemented in banks, but who wants increased threat because of institutional carelessness?

      Terrorists disrupting chemical shipments and other low likelihood high risk events are a threat too, but the above example is a simple demonstration of high likelihood threats caused by the findings of the linked report.

  2. Physical and Digital by andersh · · Score: 4, Interesting

    After having read the full report in question it becomes somewhat clearer, they didn't just fill out forms, they interviewed people and held workshops with the key players.

    To quote the report:
    "awareness regarding cyber security aspects is either at a very low level or even non-existent in the maritime sector, this observation being applicable at all layers, including government bodies, port authorities and maritime companies."

    My understanding is that this report is focused on what governments and the EU specifically can do to help, build and support for better security. In recent years the EU and other bodies have created and implemented security related regulation including provisions relating to safety and physical security concepts.

    Now, it's time to look at what the EU and its members should and can do to secure related information systems. Self-regulatory and co-regulatory organisational models around maritime cyber security aspects are virtually non-existent within the EU Member States, according to the report (page 19).

  3. Really? by andersh · · Score: 3, Interesting

    Do you have any actual experience or knowledge of European governments in this area? This doesn't seem like an accurate description of how things are done in my part of Europe at least. Are you American, European or something else?

    I find it hard to believe the fact that you claim to know this is how it actually works, especially in all of the 27 different EU member countries. Never mind the 50 countries of Europe. Somehow I doubt you know them all.

    The report however is specifically focused on creating frameworks for all of the nations involved in cooperation with the industry.

    1. Re:Really? by hughk · · Score: 2

      Anyway, cyber-security of shipping companies is the least of the EU's problems right now. How about you work on finding a way to get the Greeks to do more than 3 hours of work a day?

      Funnily enough, the Greeks have about the largest merchant fleet in the EU. It is a major part of their problem because shipping is an area where you can get very creative as to where you make or lose money and avoiding inconvenient taxes.

      --
      See my journal, I write things there
  4. Larger Issues by andersh · · Score: 3, Informative

    We're talking about larger issues such as preventing whole tankers filled with toxic materials, oil or gas from becoming terrorist targets/weapons. They're not focused on consumer data protection in this report.

    We've recently improved our physical port security, now we need to think about securing the information infrastructure to prevent attacks that could result in massive economic [disruption] and environmental damage.

    1. Re:Larger Issues by Kagetsuki · · Score: 2

      Ok, thank you for clarifying that. In retrospect my comment was pretty stupid, wasn't it.

  5. Multi-tasking by andersh · · Score: 2

    Anyway, cyber-security of shipping companies is the least of the EU's problems right now. How about you work on finding a way to get the Greeks to do more than 3 hours of work a day?

    That's your contribution? The EU is a supra-national government, it is capable of handling any number of issues concurrently, like any other government. That's what all those employees are for. What you are "suggesting" is plainly absurd. What do you imagine the people working on food safety or road maintenance can do to fix a sovereign debt crisis? Maybe your government is incapable of working on more than one issue at a time?

    The Greeks work a lot more than that, you sure are full of vitriol, where do you get your information? Comical Ali?

    If you're from Japan I would say you have your own fair share of problems including national debts, currency problems, falling competitiveness and aging population. That sounds very much like the problems of the countries you scoffed at.

  6. It's All Greek To You by andersh · · Score: 2

    Yeah, that shows how little you know, fail to understand Europe and Europeans in general.

    Actually I'm from a wealthy non-EU, Northern European country, one with low unemployment, no currency problems, no net national debt and a booming economy. The Eurozone crisis is not ours, and it has had no impact here. I do however work with clients in the EU, I know Europe quite well, and I don't approve of misinformation and lies.

    The Greeks screwed themselves, with help from large international banks, and now everyone's paying for it. Their work ethic has little to do with it, most of them work(ed) very hard every day, for much longer than you or I. On the other hand there were/are public employees with too many benefits and great pensions. The issue was overspending, not underworking. Covering it up made it Europe's problem.

  7. There's a reason why security is low by satuon · · Score: 2

    Security is taken seriously only when threats start happening in practice, not just in theory. And for all the lack of security nothing has really happened so far. When and if ships start sinking and blowing because of viruses, security will be improved, but not until then. Same reason why people in India don't have winter coats just in case the temperatures drop to zero - which they did, once (and a lot of people died then).

    And ultimately, if it's so easy to do mischief, then why has nothing happened in practice so far?