top of page
Search

Meeting the growing cyber threat - discussion at People Tech Maritime Athens

  • farah674
  • 8 hours ago
  • 6 min read

 

Photo courtesy Loukas Michalitsis


Speakers from A M Nomikos TWMA, Hellas Confidence, KPMG Greece and Ulysses Systems discussed the growing maritime cyber threat, preventing attacks permitted by company staff, hacker AI, cybersecurity for OT, space and GPS, and using models

 

Over the past few years, we have seen attackers learning more about shipping, said Yiannis Sofianidis, IT Director and CISO - A.M. Nomikos Transworld Maritime Agencies (TWMA) , speaking at a cybersecurity discussion session at People Tech Maritime Athens in April. So maritime attacks have increased.  

 

The increased maritime connectivity offers a bigger attack surface. Many smaller shipping companies do not have so much cybersecurity expertise, so they can be a more tempting target for an attacker.

 

Hackers increasingly recognise the wealth in the shipping industry, added Alex Stathopoulos, IT Manager, Hellas Confidence Shipmanagement. They don’t care about the ships,  or that lives may be at risk due to their hacks. You couldn’t hack vessels in the past when they were offline nearly all the time.

 

Shipping historically has been about 5 years behind shore-based industries in its use of technology. Nowadays shore offices use modern technologies. But they may also be the technologies hackers try hardest to find ways to attack, he said.

 

However, hackers often tend to go for volume. So, they may be more interested in hacking software companies than shipping companies, because by hacking a software company they could hack multiple shipping companies at once.

 

State attackers have different goals and can be much harder to detect than criminals,  said Spyridon Papageorgiou, Partner of Cybersecurity in Technology & Transformation, KPMG Greece.

 

They may be using the same techniques, tactics, procedures, even the same tools as criminals, but work in different ways. “They prefer to gain access, to stay hidden, to steal all the needed information, and destroy the target at the right time. Those are very difficult to deal with.”

 

You need to be able to see what is going on with your systems at the most granular level, including on desktop computers on the network, and within applications on those computers. “Your security operations centre (SOC) has to cover pretty much everything. You have to see everything; you have to analyse everything.”

 


Crew and office staff

 

Phishing attacks can be the biggest form of attack today. “Attackers prefer to log in not to break in,” Mr Papageorgiou said. “They say the human factor is the weakest link. We can change that. We can make them the strongest link.”

 

“Maybe the only way is cybersecurity training,” said Mr Sofianidis of A.M. Nomikos TWMA. In many companies, “I don't believe that it's a priority.” For example, cybersecurity training may be allocated only 10-15 minutes of a 1-hour safety session.

 

IT cyber defences, such as removing access and locking down systems, do not remove the need for training, he said.

 

People on board ships may have many things on their minds,  and may not be thinking much about cybersecurity, he said. It should be considered as important as making sure the engine is running fine.

 

“From my experience users tend to be the weakest link, at least today,” said Mr Stathopoulos of Hellas Confidence. “Sometimes  we struggle  because of different priorities.”

 

Giving seafarers access to the internet is important, but creates more risks. “I understand that nowadays living without the internet is a very difficult thing. Everybody gets that. “

 

But we really need people to take cybersecurity more seriously, and this is not necessarily achieved through training, he said.

 

The most difficult situation for the IT department is when they need to treat a crewmember as a threat. This can happen when a crewmember wants to access a service the IT department considers unsafe, or they try to manipulate the hardware to get more bandwidth or data allowance.

 

IT people know that if a user is given trusted access to the network, he or she has much more capability to cause cyber problems than a hacker, who first needs to find a way to access the network.

 

Cybersecurity can create threats “that nobody can understand, unless they live through it.,” he said.

 

AI for hacking

 

Hackers are making more use of AI. “They are working in the machine speed and we as defenders are working at the human speed,” said Mr Papageorgiou of KPMG.

 

Cybersecurity companies are developing their own AI solutions to counter it.  “You have to use AI as a defender,” said Mr Sofianidis of A.M. Nomikos TWMA. “There are a lot of AI tools in the market that will help you stop another attack.

 

Mr Stathopoulos of Hellas Confidence pointed out that many tools being marketed as AI do not actually use AI. “AI is more a commercial umbrella than a terminology. If you dig in, if you search and know what you're doing, you will notice that they're not AI at all.”

 

Many such cybersecurity systems are not yet mature enough to be used without human input, he said. In one example, his cybersecurity system thought it had detected an attack. This led to a requirement to prove that it was a false alarm.

 

“I was pretty confident that it was a false positive to begin with, [but] we had to dig in and ensure that,” he said. “We lost man hours chasing our own tails.”

 

 

OT cybersecurity

 

Operations technology (OT) cybersecurity is a growing challenge for shipping, KPMG’s Mr Papageorgiou said. Companies have much more experience with IT cybersecurity than OT.

 

The big risk is often alterations to the firmware, made by USB stick. You cannot add malware easily to an OT device, unless it is running Windows.

 

“Until recently, most of these OT devices were a black box for us,” said Mr Sofianidis of A.M.Nomikos TWMA. But recently, the systems have been more open.

 

It is important to know exactly what assets you have, and how they are connected, he said.

 

People need clear instructions about updating the firmware, even if it is only possible via USB stick. In one example, a captain was sent an update to the ECDIS firmware on a USB stick. When it was plugged in, the ECDIS stopped working. Then the captain tried it on the back-up ECDIS, and the same thing happened. So the vessel could not navigate.

 

In this event, the file on the USB stick was an update for a different ECDIS version to the one on the ship. So it was a staff error, not an attack.

 

Most OT devices were created to be standalone, not part of a network, said Mr Stathopoulos of Hellas Confidence. But some of them still run on Windows. “I was very surprised to find an ECDIS from a well-known maker running Windows XP,” he said. “Windows XP  is a playground for a novice hacker. “

 

It is understandable that manufacturers of equipment such as ballast water management systems want to be able to troubleshoot equipment remotely. But providing this remote access creates a route for a hacker. Maybe it is better to leave it disconnected from the internet, and have the engineer come onboard the vessel.

 

If OT systems do connect to the internet, it makes sense for the network to take a “zero trust” approach and only make connections which are necessary.

 

If the use of USB keys cannot be blocked within the software, you need to have controls onboard, such as to say they can only be inserted into equipment with the master’s permission, and make sure the master has appropriate training, he suggested.

 

Space and cyber

 

Satellites can also be vulnerable to attack, said Giorgios Mantzouris, Advisor, Ulysses Systems, former commander of the Hellenic Navy and former CEO of Hellenic Space Agency. There were 145 successful cyber attacks on satellites recorded in a registered attacks database for 2024.

 

The EU has developed its own satellite positioning system, Galileo. This is the satellite positioning system most resistant to spoofing and jamming, he said.

 

GPS is vulnerable to hacks, and NATO vessels are sensing these hacks when operating in specific areas” he said. “GPS is not very safe, especially in the commercial code.”

 

It is a known action that ships should close down GPS systems if there was any GPS compromise. Senior officers need to know when they are seeing something abnormal and be able to understand it.

 

Cybersecurity through models

 

AI cybersecurity defences will work better if they are based on a behavioural model, rather than using probabilistic analysis, Mr Mantzouris said.

 

For example, you can allow the system to permit 150 specific activities, It will have a model for each of them, of common patterns of behaviour which are seen when they take place. You can specify that to permit a further activity, you need senior level approval.

 

Detecting threats through a model of behavioural patterns is similar to the way that we might detect whether a person on the street has a malicious intent. Different factors of their behaviour will not align with our model of how a person on the street normally behaves.

 

NATO similarly uses models in missile defence to discriminate real attacks from false alerts. These models provide a much richer situation awareness, he said. This is the only way to achieve robust cybersecurity.

 

You can watch the full discussion on YouTube at https://youtu.be/Y7PbdW5-fIo

 

 
 
 

Comments


bottom of page