OSM Thome – threats with e-mail and fake invoices
- farah674
- 3 days ago

From People Tech Maritime Bergen - Some of the biggest cybersecurity threats to shipping today involve e-mail, both as a means of attack and as a target for hackers seeking access to e-mail accounts. Fake supplier invoices are increasing, Arne Sørensen explained.
E-mail is a big cybersecurity threat in two ways. It is used for phishing attacks and supporting the hacker’s aim of gaining access to corporate e-mail accounts, explained Arne Sørensen, Senior IT Manager, OSM Thome, speaking at People Tech Maritime Bergen in November.
“We are very vulnerable when it comes to emails. We have about 400 vessels with 5-6 email addresses on each. We have a lot of emails going to all the vessels.”
“We try to adopt zero trust, never assume internal emails are safe, even when it looks like they are coming from the vessels. We handle the vessels' email addresses as external.”
Logins to access e-mail onboard have historically been role-based, such as one login for the master. But it is easier to manage cybersecurity if logins are given to individuals, so if one account gets compromised, it can be closed while other crew members continue with their access. This is a change likely to happen soon, he said.
Creating individual logins means extra administration work, with 29,000 seafarers on OSM Thome’s database. “We need really good software for that one,” he said.
Multifactor authentication for logging on to e-mail is a “little bit of hassle but something we need to have,” he said. “That's something we have been working on over the last few years. There will be more and more need for that.”
It is important to implement DMARC, SPF and DKIM on e-mail domains, to ensure that e-mails can only be sent by someone authorised by the domain owner.
Invoices
The company has also seen its suppliers being hacked. Then it receives invoices with different bank account details.
OSM Thome receives around 600,000 invoices a year, so it cannot check them all manually. There are routines in the invoicing system, which route an invoice to a manual check if it does not have the right account code, or there has been a change in the name. There is also a system for making checks on any new vendors.
“Sometimes it takes time to get invoices through the system, but we need to have this thorough control of things,” he said.
OSM Thome has also received invoices from fake suppliers, sometimes with changes which are hard to notice, such as an e-mail from ‘rnicrosoft.com’.
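The routing rules described in this section can be sketched as follows. This is an added example, not OSM Thome's system: the record fields, the confusable-character table and the sample vendor data are assumptions constructed for illustration, and only the 'rnicrosoft.com' lookalike comes from the article.

```python
from dataclasses import dataclass

# Character sequences that render like another letter; single characters come
# first so "c1" becomes "cl" before the "cl" -> "d" rule runs. Illustrative only.
CONFUSABLES = (("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w"), ("cl", "d"))

def skeleton(domain: str) -> str:
    """Collapse confusable sequences so visually similar domains compare equal."""
    s = domain.lower().rstrip(".")
    for seq, repl in CONFUSABLES:
        s = s.replace(seq, repl)
    return s

@dataclass(frozen=True)
class Vendor:            # hypothetical vendor-master record
    name: str
    domain: str
    bank_account: str

@dataclass(frozen=True)
class Invoice:           # hypothetical fields extracted from an incoming invoice
    vendor_id: str
    vendor_name: str
    sender: str
    bank_account: str

# Constructed sample data; the bank account value is a placeholder.
VENDORS = {"V001": Vendor("Microsoft", "microsoft.com", "TEST-ACCT-0001")}

def review_reasons(inv: Invoice, vendors=VENDORS) -> list[str]:
    """Return why an invoice needs a manual check; an empty list means none found."""
    reasons = []
    domain = inv.sender.rsplit("@", 1)[-1].lower().rstrip(".")
    # A sender domain that only matches a known vendor after collapsing
    # confusables is a lookalike, whichever vendor the invoice claims to be from.
    for v in vendors.values():
        if domain != v.domain and skeleton(domain) == skeleton(v.domain):
            reasons.append(f"sender domain imitates {v.domain}")
    vendor = vendors.get(inv.vendor_id)
    if vendor is None:
        return reasons + ["new vendor"]
    if domain != vendor.domain and not reasons:
        reasons.append("sender domain differs from vendor record")
    if inv.vendor_name.strip().casefold() != vendor.name.casefold():
        reasons.append("vendor name changed")
    if inv.bank_account.replace(" ", "").upper() != vendor.bank_account:
        reasons.append("bank account changed")
    return reasons
```

An invoice with any returned reason goes to the manual queue; the rest continue through automated processing.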
Operations technology threats
Vessel systems are increasingly connected, including with operations technology onboard, which gives hackers a bigger surface to try to access.
The company seeks to control the networks onboard as well as it can, including with segregation.
There are threats to GPS services for shipping in parts of the world. This means that vessels need to navigate using other means. “We try to train bridge teams to detect when things are not normal,” he said.
Continuous effort
The cybersecurity threat is “evolving a lot,” he said. Maintaining defences is a continuous effort, not a one-time fix.
People are both the weakest link and the first and strongest line of defence, he said. “As we train people, we are strengthening security.”
“We try to integrate technology, training and teamwork together to get everything more secure, working together from shore to vessel,” he said.
Cybersecurity can be understood differently by people from different cultures. The company is seeking to implement standardised best practice and controls across the company and on all of its ships, he said.
There are procedures for “more or less everything” which are continually updated, he said.
OSM Thome does a great deal of staff training for cybersecurity. “We provide staff with updates about new threats to applications. We run cybersecurity drills, sometimes managed by external companies,” he said.
The company stays informed about maritime specific threats and mitigation methods. “If we can see if there's something [for threat mitigation] happening in Asia we can adopt that and take it into Europe,” he said.