The CMA CGM cyber attack came to emphasise the vulnerability of the shipping industry to attackers. Fleet operators started to ask themselves questions about their own organisation’s resilience to a similar cyber attack.
In response to this, we have produced a two-part Special Report on the questions management should be asking IT teams in light of this latest attack, and how IT teams should answer them.
It has taken 2 weeks for CMA CGM to restore online customer systems following a cyber attack. Could your shipping company also be a victim? Your management team is going to want to know how vulnerable your systems are to similar risks and how ready you are to respond.
Cyber attacks in shipping are no longer an anomaly. All 4 largest companies have now been cyber attacked. CMA CGM is just the latest victim. Nearly 2 weeks since their systems went down, they have just managed to restore their online eCommerce systems. It will take a while before we fully understand whether losses are as severe as the much publicised $300m of the Maersk attack.
This attack is creating fear and uncertainty among other shipping companies. And this isn’t helped by the speculation, misinformation and fear-mongering circulating. So we thought we would provide some useful, practical guidance instead.
If you haven’t discussed the attack with your management team yet, you are probably about to. It is difficult to escape the news in the shipping and financial press. Owners, shareholders and customers will want answers. If you’re the CIO or IT Manager, you’re probably one of the few staff who can provide some meaningful answers. So best prepare.
These are probably the questions you will get asked and how you can prepare your responses…
Unfortunately, the answer is likely to be yes. But how likely will depend on what cybersecurity you have in place.
To understand the likelihood, we need to explain a little bit about the attack. Publicly available intelligence tells us that CMA CGM was hit with the RagnarLocker ransomware. If this is true, this is a targeted attack, not simply an opportunistic one. So firstly, the myth that shipping companies are not being targeted is simply not accurate.
Let’s explore some basics on RagnarLocker. The attackers who use the RagnarLocker ransomware tend to follow a pattern of doing some reconnaissance to find out details of your organisation’s network before deploying the malware. They also tend to steal confidential or embarrassing data to be used as extortion material, before sending demands for payment. This gives the gang 2 means of extracting financial gain – firstly ransom in return for decrypting the files on infected systems and secondly extortion in return for not releasing the data they have stolen. The RagnarLocker malware itself can be delivered through various means (including embedded into files in a phishing email), but has most commonly been delivered through remote management systems, such as through Windows’ Remote Desktop Protocol. It tends to be deployed as a virtual machine and hidden in a relatively large file, which are techniques the attacker uses to evade detection.
So how likely would you have fallen victim to a similar attack? If you have a strong identity and access management system in place and strict processes for controlling remote access, it is possible you would have prevented delivery of the malware. Actively reviewing your firewall logs, antivirus logs or rules-based intrusion detection systems for suspicious behaviour would have helped you detect the attack. Anomalous behaviour monitoring of networks and endpoints is also likely to flag up the attacker’s reconnaissance, data theft and attempted virtual machine installation activity before the malware took hold.
Otherwise, put simply, you would have fallen victim too.
From our experience, we believe most shipping organisations would have fallen victim to the same attack given the sector’s low level of cyber maturity. So it is more useful to shift the discussion to the impact should such an attack occur. This enables a meaningful discussion about how much cyber risk your management team is willing to live with or to what extent you should invest in risk mitigation.
The fastest way to get an answer to this is to do 2 things:
Firstly, assess all the IT services that would critically impact the business if they went down for 2 weeks. Consider the following:
-
Why 2 weeks? Because it would likely have taken you that time as well to recover minimum services.
-
The temptation is to focus on systems and applications. It is far more useful to present this to the management team in terms of potential operational disruptions.
-
Gain clarity on the responsibilities for response and recovery. Consider how contingency plans, including those that have been put in place to manage Covid-19, help reduce any potential impact.
-
Focus on the critical services. For example, it may be possible for manual processes to replace the functionality of onboard ship management or financial management software for a couple of weeks. But customer service portals and ship management software may be fundamental to generating revenue, delivering operations and preserving reputation with customers.
Secondly, make a list of all the key pieces of data that would really impact your business if they were released to the public. Consider sensitive customer, employee or supplier data, details about sensitive cargo or voyages and any commercial trade secrets or financial information.
If you are under pressure to provide quick answers, doing this exercise should give you an initial view of your exposure. In the longer term, a comprehensive cyber risk management approach is the only way to minimise exposure and maintain business continuity.
Vessel IT systems are vulnerable to RagnarLocker. Remote access and management is increasingly in use, but it is not common to find robust identity and access controls. This allows the Ragnar Locker gang to exploit their preferred delivery method of the malware.
For vessel OT systems, this depends. RagnarLocker targets Windows machines. There are critical onboard OT systems that incorporate Windows machines, for example, this is typical of bridge and cargo systems. But the majority are Linux systems, so will not be impacted by RagnarLocker. To be clear, this doesn’t make OT systems impervious to ransomware. See for example Lilocked or Tycoon ransomware that specifically target Linux machines, and Ekans and Megacortex that specifically target industrial control systems.
However, let’s put this in perspective. The multi-stage deployment of RagnarLocker takes some effort, particularly on vessel systems. So the attackers would need to be highly motivated in order to persist with attacking vessel systems. It is far easier for the criminals to reap financial gain by attacking your shoreside and cloud systems. (Disclaimer: CyberOwl specialises in securing onboard systems. But that is irrelevant. Our honest assessment remains that shoreside systems are more at risk from this particular attack.)
Finally, don’t forget to consider the indirect impact on fleet operations as a result of shoreside IT system blackouts. For example, the functionality of onboard ship management systems may be affected if the web-based shipping Enterprise Resource Planning (ERP) system goes down.
At the time of writing, there hasn’t been any specific comments related to the CMA CGM cyber attack from maritime agencies. However, a few wider developments in the US are worth noting:
-
US Coast Guard (USCG) have published a number of cybersecurity-specific Marine Safety Information Bulletins recently: warning of malicious email spoofing incidents, including impersonation of USCG email addresses on 30 September 2020; and calling for the urgent need to protect operational technologies in maritime systems on 24 July 2020.
-
US Treasury Department published an advisory on 1 October 2020 that companies involved in negotiations with ransomware extortionists could face steep fines from the US federal government, if the extortionists are under economic sanctions.
-
US Department of Energy’s Office of Cybersecurity, Energy Security and Emergency Response (CESER) announces an initiative to extend the cyber maturity assessment framework, currently used in the energy sector, for assessing maritime organisations transporting energy products.
Given the volume of cyber attacks on maritime organisations this year and as IMO 2021 approaches, we would expect more focus from authorities worldwide over the coming months.
Ok, your management team is probably not asking this question – not many people consider supply chain cyber risk. But this is a really important dimension to assess.
Look for supplier web-based systems that your operations rely on critically. These tend to be either cloud-delivered services or systems that depend critically on the availability of data integrations. It is possible the IT team don’t have awareness of some of these “shadow IT” applications if they were not directly involved in procuring or providing access to such systems.
Common supplier applications to consider that may be critical include (but aren’t limited to): ERP software, eCommerce web portal, cargo tracking portal, crew management software, ship management software, procurement systems and vessel reporting systems. Also, shipping operations still heavily rely on a brittle system of emails and Excel spreadsheets, making mail servers and document management systems critical.
In some ways this is your hardest question if you are unprepared.
You have a choice. One option is to take limited, specific actions solely to defend against RagnarLocker. This will provide temporary comfort by preventing attacks using similar techniques without significant modification.
This is a temporary measure. Malware and attacker techniques are constantly evolving. But if you choose this path, many commercial firewall, antivirus and endpoint protection solutions have released updates to address RagnarLocker. Make sure yours are updated. Tighten controls over remote access via RDP, VPN, proxies and servers. Urge your key software suppliers to do the same and get them to report back. It is also worth refreshing your backup programme.
The better path is to implement “defence in depth” across land and sea. This is multi-layered, but a critical part of this is visibility and cybersecurity monitoring. Configure your cybersecurity monitoring tools to particularly hunt for:
-
Indicators of unexpected remote access
-
Suspicious activity in PowerShell logs
-
Suspicious large data downloads
-
Use of hypervisor/virtualization software to detect suspicious virtual machines
-
Persistent data leakage to unexpected IP addresses
Be prepared that this could add to your team’s workload to interpret the suspicious events. But accept that this is a critical approach to systematically mitigating the risks of exploiting the vulnerabilities in your systems. An intelligent security analytics system can take some heavy-lifting through automated aggregation and correlation. You may also choose to get support from a managed security operations centre (SOC), enabling you to lean on experts who do this day in and day out.
The limited path will prevent RagnarLocker attacks until they evolve. The better path raises your overall cyber resilience. You have a window of opportunity to make this choice while the sector is still wincing at the CMA CGM attack. And the business case is even clearer given the impending IMO 2021 deadline.
Use this window wisely.