Shipping Companies Confront Cyber Crooks as Economies Reopen

Major shipping companies, stung by ransomware attacks, are looking for ways to thwart money-motivated hackers from interfering with their deliveries as global economies reopen after the Covid pandemic.

Companies infected with ransomware have temporarily shifted their operations offline and authorities have shut down ports. That’s left customers with tough choices: higher fees to transfer their goods to other companies at the last minute, late arrivals, or spoiled perishable goods. More broadly, the hacking disrupts global trade.

The Coast Guard plans to make public an update of its cyber strategy this summer, and one senator from a maritime state, Ed Markey (D-Mass.), plans to reintroduce a bill that would require federal agencies to provide cyber support to private and government vessels, an aide said.

Any company or industry that uses computers, “people are going to try to hack into it and steal information,” Hady Salloum, director of the Maritime Security Center at the Stevens Institute of Technology, said in an interview.

Shipping companies are part of critical infrastructure that’s fallen prey to cyberattacks in recent years, which most recently included the world’s largest meatpacker JBS SA and the southeastern Colonial Pipeline Co. Supply bottlenecks can drive consumer prices higher.

Pandemic Shocks, Costs Go Far Beyond Empty Shelves: Supply Lines

Luke Sharrett/Bloomberg via Getty Images

A Maersk shipping container is loaded onto a vessel at the Port of Charleston in Mount Pleasant, S.C., on March 22, 2021.

Rise in Attacks

Ransomware attacks on shipping firms tripled between 2019 and 2020, cybersecurity company BlueVoyant reports. The world’s four largest shipping companies—Maersk, Mediterranean Shipping Company, CMA CGM, and COSCO—were all infected by ransomware in the last four years.

Ransomware attacks encrypt victims’ files, preventing them from accessing sensitive information until they pay the hacker. Hackers can gain entry through malicious email attachments, old passwords, or other phishing techniques.

“A lot of people are asking, ‘Why all of a sudden are all these critical infrastructure companies being attacked?” Austin Berglas, global head of professional services for BlueVoyant, said in an interview. “These groups are all financially motivated, and they’re just looking to target now organizations that they know they’re going to get the biggest payday from.”

Illustrating the need to ensure shipping companies are operating adequately, the Ever Given, a quarter-mile container ship, got stuck in the Suez Canal for almost a week, disrupting traffic and resulting in a loss of almost $10 million per day.

The Inside Story of the Stuck Suez Ship That Broke Global Trade

President Joe Biden focused on cybersecurity after the high-profile attack of the Colonial Pipeline caused gas prices to skyrocket for the 50 million Americans the company says it serves.

Biden, in a May executive order, pushed for improvements in security software across industries, called on the Department of Homeland Security to create a cyber safety review board, and directed federal agencies to improve information-sharing with contractors regarding cybersecurity.

But cracking down on cyber crooks is a tall order for the federal government. The maritime industry is internationally regulated, yet decentralized within the U.S.

Who’s in Charge?

Hackers can break into a ship’s proprietary records or operational technology through three major avenues: ships, ports, and companies. Each falls under a different jurisdiction.

U.S. shipbuilders must abide by technological standards set by the International Maritime Organization and the Coast Guard, but most vessels are built abroad, Joan Mileski, head of the Department of Maritime Business Administration at Texas A&M University at Galveston, said in an interview. Those ships are subject to regulations from the IMO and their own governments, which tend to require fewer security measures than the U.S. does.

The Coast Guard largely regulates U.S. ports, but each can range several dozen miles and has its own rules, Mileski said. The Coast Guard’s cyber strategy will come this summer, Chief Warrant Officer Kurt Fredrickson said.

Onshore companies, the primary targets of recent cybercrimes, are private and competitive, and may not share security information, complicating anticipation of potential crimes.

More than 20 federal agencies govern the U.S. maritime industry and its cybersecurity efforts, Mileski said.

With various jurisdictions “and different organizations doing the same thing, sometimes it’s hard to draw the line between who does work and who doesn’t,” Salloum, from the Center for Maritime Security, said.

Pipeline Cybersecurity Solutions Suffer From Oversight Divide

Trump Plan

A Trump-era national maritime cybersecurity plan sought to untangle the roles and responsibilities of the various agencies that oversee maritime cybersecurity.

A National Security Council official confirmed the plan is still in effect under Biden’s administration. A White House official didn’t respond to questions about progress in carrying it out.

Markey’s bill would direct the Coast Guard, Department of Homeland Security, and the U.S. Maritime Administration—part of the Department of Transportation—to provide cyberattack mitigation and recovery resources to the maritime industry, an aide to the senator said. The bill would apply to both government and private vessels in the U.S.

“As the maritime sector increasingly adopts internet-connected technologies, such as electronic maps and virtual aids to navigation, the threat of a cyber-attack continues to rise,” Markey said in a press release. “Maritime shippers transport the vast majority of U.S. overseas trade and could be a partially attractive target to cybercriminals.”

Markey’s office didn’t respond to questions about the timing for the bill’s reintroduction.

Industry Solutions

The world’s largest shipping firm, AP Moller – Maersk A/S, was infected by a piece of notorious malware in 2017 that cost the company $300 million in lost revenue, information technology restoration, and operational costs.

Cyberattacks are becoming more coordinated and companies must stay up to date with security standards, said Andy Powell, who joined Maersk as its chief information security officer following the attack. The company has since bolstered its cybersecurity team and purchased cyber insurance.

“Organized crime has become much more prevalent in cybersecurity than ever before,” he said. “On top of organized crime, we’re seeing a massive rise in nation-state type attacks as well.”

Not all companies have the resources to spend on high-end security technology.

Shipping firms must weigh three things when preparing for ransomware attempts: “How high do you want your security wall to be? How much do you want to pay for it? And how sophisticated do you want it?” Mileski, from Texas A&M, said.

Stopping Ransomware Is a Tech Battle Measured in Milliseconds

Limits of Policy

While lawmakers such as Markey want legislation to improve cybersecurity, some analysts say federal regulations can only do so much.

The best way to stave off attacks is to train employees to avoid clicking on a bad link or to prevent an old password from resurfacing, Salloum said.

“It will be good to find a way to educate people at all the levels, from people without a college degree to people that are CEOs,” Salloum said, adding that it’s each individual’s responsibility to follow the rules. “It’s not the responsibility of the government or somebody else.”

Hackers will continue to look for new ways to carry out their 21st century piracy.

“They’re doing their due diligence,” BlueVoyant’s Berglas said. “They’re looking at organizations to see if they have cyber insurance, they’re looking to see, you know, how much money they’ve got on their books so that they can ask for a payment that they know that the organization can pay.”

To contact the reporter on this story: Nicole Sadek in Washington at nsadek@bloombergindustry.com

To contact the editors responsible for this story: Robin Meszoly at rmeszoly@bgov.com; Sarah Babbage at sbabbage@bgov.com; Anna Yukhananov at ayukhananov@bloombergindustry.com