Cybersecurity in shipping

From the February 2024 print edition

What is cybersecurity?

The term refers to technology and practices designed to protect organizations, computers, servers, systems, mobile devices and data from unauthorized access or malicious attacks while mitigating their impact. It protects individuals and organizations against viruses, malware and ransomware attacks that can be costly and halt operations.

The more connected we are, the more risks we face, and we often see in the news that retailers, banks, government agencies, and even hospitals can be targeted. There was an example in mid-January when the Securities and Exchange Commission’s social media account was compromised with a fake announcement of a bitcoin exchange-traded fund. It’s ironic because the SEC is the US Government’s oversight agency responsible for regulating securities markets and protecting investors, but even they are at risk. And they had to announce that the social media post was unauthorized, adding it was hacked.

The irony is that cryptocurrencies are pseudo currencies that don’t exist and have zero value in the tangible world. They are a pure product of the cyber world themselves, fuelled by speculation and greed. Also in January, Microsoft announced that some of their corporate emails had been hacked by a group linked to Russia’s foreign intelligence agency. Luckily, Microsoft confirmed the hackers did not access any customer accounts.

There are various types of cyberattacks, ranging from phishing attacks, when deceptive emails, messages or websites are used to obtain sensitive information; ransomware, when software is designed to encrypt files and demand payment for their release; denial-of-service by overloading a system or network to disrupt normal operations; man-in-the-middle or intercepting and manipulating communication between two parties without their knowledge; SQL injections, code injection techniques used to gain unauthorized access and/or attack data-driven applications with malicious commands inserted for execution, cross-site scripting, injecting malicious scripts into websites viewed by users, and more. As technology advances, making our work easier, cyberattack opportunities increase. Before looking at their impact on shipping, let’s see if this topic is a priority for companies generally.

Risk tops the list
The annual Allianz Risk Barometer report released in January confirms it is the top priority. The survey incorporates the views of 3,069 respondents from 92 countries, large, mid-size and small companies surveyed in October and November 2023, who were asked to name the three risks they believed the most important for their business. The first one overall was cyber incidents at 36 per cent (up from 34 per cent in 2022). In the survey, cyber incidents were broadly described as cyber crime, IT network and service disruption, malware, ransomware, data breaches, and resulting penalties. In Canada, business interruption risks came first (57 per cent), cyber incidents second (46 per cent) and natural catastrophes third (43 per cent), while in the US, cyber incidents came first (36 per cent), business interruption second (33 per cent) with natural events third (29 per cent). Therefore, we can see that companies are indeed aware of this challenge.

In the civil aviation sector, an activity characterized by its extensive interconnectivity, this issue is well recognized. Over the years, with continuous demand for air transport, this industry went through several digital transformations, leveraging the power of technology to enhance its efficiency and capacity. These digital advances exposed the sector to cybersecurity threats, potentially impacting continuity of service, and the safety of people and facilities. Industry systems and data flow through national borders, and close collaboration between countries and relevant stakeholders is vital.
Montréal-based ICAO, the International Civil Aviation Organization, oversees industry efforts to address aviation security globally.

It has developed standards, procedures, guidance material and recommended practices on aviation security, raising awareness and supporting aviation cybersecurity capacity building, supported by countries and the aviation community. Thankfully, there is a global framework in place that keeps aviation safe, as long as countries follow international rules.

It’s a little different in ocean transportation. There is an international framework on basic navigation and safety issues via the London-based IMO (International Maritime Organization), including guidelines and maritime cyber risk management. But it’s a largely deregulated industry, where virtually anyone who operates a seaworthy vessel can start an ocean service from port A to port B in another country. So, it’s left up to individual ocean carriers to protect themselves from cyber security risks, prevent fraud, identity theft and unlawful release of cargo. The old-fashioned practice of releasing cargo at destination only against presentation of a duly endorsed original ocean bill of lading has been largely replaced by ebills and automatic releases, adding risks. But theft and unlawful release of cargo to the wrong party happen on land, so let’s look at the situation in overland transportation.
In the trucking and logistics sectors, like everywhere, the cybersecurity landscape is evolving as more operations become integrated, relying on technology and to a certain extent, automation. This applies to offices, distribution centres and warehouses but also to trucks themselves, as technology is more and more present in vehicles. The ELD (Electronic Logging Devices) mandate that automatically records driving time in a vehicle is a good example of that. Trucks have become mobile computers, store vast amounts of data and are electronically connected, creating opportunities for hacking.

Cause for concern?
The 2023 Travelers Risk Index survey found that 55 per cent of transportation leaders were worried either a lot, or at least somewhat, about cyber risks. And nearly 25 per cent said their company has been the victim of one sort of cyberattack, with about half taking place within the past 12 months. To quote CISA, the US Cybersecurity and Infrastructure Security Agency: “as we become increasingly dependent on technology designed to make our lives easier and more efficient, we also become more exposed to vulnerabilities.” CISA works with the transportation sector to ensure organizations understand the risks they face.

Cargo theft is on the rise. According to CargoNet, thefts in Canada and the US increased 59 per cent in the third quarter of 2023, compared to 2022, and the majority were shipment misdirection attacks, where stolen data and identities are used to obtain freight and misdirect it. Criminals are getting more tech-savvy, with internet-enabled crime spreading.

To counter that, the industry must invest in the necessary tools and technology. According to Penske’s Third-Party Logistics Study, 87 per cent of shippers and 94 per cent of 3PL providers agree that adopting emerging technologies is vital to secure supply chain growth. We will see in the coming years, if having additional technology helps to mitigate cybersecurity risks.

The other element is increased awareness and education. Shippers and logistics providers themselves must become more tech savvy too. In addition to mastering technology and tools, let’s ask ourselves a question: how much of our life depends on technology, how much of our professional and personal information is stored, on our devices or someone else’s system? Technology is great but freedom might come from disconnecting from technology, when doable. We don’t have to have everything connected.