Pirates Exploiting Cybersecurity Weaknesses in Maritime Industry
In the last months of 2011, there was a flood of new firms offering private armed guards to companies whose ships ply the pirate-infested waters of the Gulf of Aden and northwest Indian Ocean. The competition in the counter-piracy industry grew heated, and it spurred a wave of cyber-attacks.
At least one private maritime security firm had its website hacked, which resulted in viruses being downloaded surreptitiously onto visitors’ machines. And a premier U.K. association that’s dedicated to vetting the private maritime security industry also had its emails infected by a “spybot.” The malicious program tracked every keystroke and relayed each one to some unknown third party.
This is a ruthlessly competitive industry, with tens if not hundreds of millions of dollars at stake. It would have been surprising if these firms did not try to spy on each other.
It appears that ship owners and shippers are mostly oblivious to even the most elementary rules of not only cybersecurity, but more importantly, of information security.
They should be paying more attention to this issue. Somali pirates and their confederates, especially their foreign bankrollers, are increasingly surfing the Web for loose information that can help them with targeting vulnerable and valuable ships. They are hiring experts who know how to break into the “secure” computers of ship owners and shippers and obtain information that is not being shared with the public, including blueprints to ships and the insurance they carry.
A recent European Union study found that ship owners and shippers have only a rudimentary understanding of cybersecurity, which is only one portion of the broader concept of “information security” — the protection of critical information regardless of whether it is stored, disseminated or used.
Kevin Mitnick, perhaps one of the world’s most notorious hackers, once admitted that he was able to infiltrate some of the most protected computers in the world simply by calling up employees and pretending to be “security” and having passwords released to him.
This form of manipulation and deceit is called “social engineering.”
And it is effective.
It is not enough to protect networked computers with technological fixes such as firewalls, tripwires and passwords. They can only provide so much security. One also has to train staff to not give away vital information to strangers in person or over the phone, or by just throwing out revealing documents without shredding them first.
This is relevant to the maritime security sector because the Somali pirates’ business model is evolving as it faces increased pressure from modern navies. The pirates’ game is becoming less about ransoming ships and more about kidnapping Western crews. And they are doing more homework online. Pirates and their foreign bankrollers are vacuuming the Web for any loose information about ships, cargos, plots and locations.
Since the navies began employing spy aircraft and submarines, the smarter pirates have avoided giving away early clues of their intent. Guided by a ship’s Automated Information System, they zero in on a specific prize, go out at the last minute, pile onto her deck and hijack her so fast that the modern naval warships on the prowl and their fast-response helicopter-borne sharpshooters can’t show up in time.
The last hijacking of 2011 was precisely this sort of operation. The Enrico Ievoli was carrying caustic soda from the Persian Gulf to the Mediterranean, and was targeted in a premeditated way. Her itinerary, cargo and crew, location, and the fact that she didn’t have armed guards were all known in advance by her Somali attackers, thanks to help from the Italian mafia, which commissioned the hijacking. She was grabbed practically under the noses of the foreign navies patrolling and assuring the security of the Gulf of Aden corridor.
Hyperbolic stories published in the maritime industry press have warned of Somali pirates hacking their way into shipping operations centers’ computers and hijacking the unprotected communications data channels of ships at sea. Media pundits also cautioned that pirates may be able to take over the ships’ operation remotely.
Frankly, that is more the realm of the next James Bond movie. That would require a level of computer sophistication that’s expensive to achieve. More money can be made doing much lower-level computer intrusions. All it takes is passive reconnaissance of information negligently left on unprotected servers or shared with the press.
But the remote-control hijacking of a ship and cyber-intrusions into ship owner or shipper websites are not the biggest causes of concern. What is far more alarming is undetected spying on ship computers in order to glean what’s needed to make the next hijacking a low-risk “in-and-out” operation with high payouts for pirates. Such was the case with the Enrico Ievoli.
In 2011, Somali pirates managed to extort almost $160 million in ransoms from ship owners. That is almost double the $81 million they earned in 2010. In 2009, they made only about $70 million. The 2011 results are truly head-spinning.
What’s even more troubling is that in 2011 they were able to almost double their take-home pay, while hijacking and returning only half as many ships. Somali pirates are holding ships longer and negotiating better. They are not working harder; they are working smarter.
This game of cat and mouse is becoming more diabolically clever as pirates exploit information security vulnerabilities in the maritime sector.
Until the industry begins to respect the elementary rules of cybersecurity — and more importantly, information security — Somali pirates can be expected to continue to make large sums of money for themselves and their foreign backers.
During World War II, there was a poster in the United Kingdom that reminded all that “Loose lips sink ships.” It’s time to update that poster and have it read, “Loose lips get ships hijacked.”
Michael G. Frodl is a Washington attorney and emerging risks advisor to global underwriters. He heads a maritime risks consultancy, C-LEVEL Maritime Risks. He is also co-founder of the Forum for Environmental Law, Science, Engineering and Finance (FELSEF). He can be reached at firstname.lastname@example.org
For additional information visit http://c-level.us.com