“Quishing” and a summary report.
Cyber and physical security concerns are still actively in play in the maritime industry. Ships, seaports and supporting organizations are all exposed to cyber-attacks and threats to their physical security.
In this column, we examine a new cyber phenomena, followed by a seminal report sponsored by market data firm Thetius, risk management company CyberOwl and international law firm HFW.
Phishing and “Quishing”
Due to its increasing digitization and connectivity, the maritime sector has become more vulnerable to cyber threats, including phishing and the newly emerging threat of “quishing.”
Phishing is a common method used by cyber attackers to trick crew members or personnel into revealing sensitive information or credentials, potentially leading to identity theft, cargo theft or other security vulnerabilities.
Phishing attacks in the maritime sector—such as an attack on a tugboat in 2020 (https://bit.ly/47esRqp)—can disrupt essential services, compromise sensitive data, and even put lives at risk. For instance, malware infections (aka viruses, worms, etc.) on critical shipboard systems can disrupt vessel operations, communication and navigation, affecting the overall safety of the crew, the ship and its cargo.
Towage vessels have become prime cyber targets because of their critical part in the supply chain.
What the Heck is “Quishing?”
You have probably seen a Quick Response Code—otherwise known as a QR code. These simple “boxes of dots, squares and bars and are ubiquitous in mailers, advertisements and even on television.
For instance, on this page is a QR code for the Pacific Maritime Magazine website. When you look at the code, how do you know it is safe? How do you know it isn’t a ploy to attack your digital assets or your employer’s digital assets?
With QR codes, the URL is not immediately exposed to cyber security monitoring systems. This approach renders most email security scans ineffective.
The term “quishing,” formed by mashing up “QR code” and “phishing,” is a modern twist on traditional phishing attacks. It involves using QR codes as a vehicle for cybercriminals to deceive and steal from unsuspecting victims.
These malicious QR codes can lead users to fake websites, run background tasks or prompt the unsuspecting user to take actions that compromise their sensitive information. Attackers often deploy social engineering tactics to make these QR codes appear trustworthy, making it even more challenging for individuals to identify the threat.
To mitigate these risks of quishing, it’s critical for maritime sector organizations to understand these threats and take proactive measures to mitigate vulnerabilities and safeguard their systems.
This includes regular training and awareness programs for staff, contractors and vendors, implementing robust cybersecurity measures and staying updated on the latest cyber threats and trends.
REPORT: “Shifting Tides, Rising Ransoms and Critical Decisions”
In October, Cyber Owl maritime consultancy (UK and Singapore) issued its second annual maritime cybersecurity analysis report. You can find the report at https://bit.ly/3Msl802.
CyberOwl published this analysis in conjunction with Thetius (UK) and the HFW law firm (UK). This report is based on a combination of primary research, including one-on-one interviews, and a survey of maritime industry stakeholders constituting more than 150 individuals. They also included data from academic research, journals and published media.
Below is a summary of key findings highlighted in this 2023 report:
- Although the number of cyber-attacks has not risen dramatically since 2022’s research, there’s an undeniable increase in the financial impact.
- Cyber-attacks and breaches have cost maritime organizations on average more than $545,000 over the last three years. This is a 200% increase since the 2022 report.
- Ransom payments remain high. The average price paid for ransomware events is now $3.2 million. The demand for ransom payments has increased 357% since 2022.
- Of those surveyed, 23% said they had been tricked into transferring funds.
- There is significant uncertainty around insurance coverage and claims. Of those surveyed, 42% are unclear about whether their organization has a cyber insurance policy in place, while 25% believe there is no insurance policy in place.
- Ship operators were found to unnecessarily expose themselves to cyber risks by not understanding their insurance policies and limitations.
- Despite these figures, awareness is increasing, and companies are investing more in cybersecurity. Of those surveyed, 33% of respondents say their organizations spend less than $100,000 on cyber management, whereas in 2022, the number was 54%.
- The potential severity of cyber-attacks is increasing and there are three key roles most impacted by the changing cyber-risk landscape: risk management, IT management and fleet safety management.
Understanding the level of risk across these key roles needs work and improvement. For risk management teams, the total cost of cyber risk is poorly understood. The weakest areas of cyber defense include:
- 68% of vessel computers use obsolete operating systems.
- 63% of vessels provide crew access to more computer system functionality then they need for day-to-day operations.
- Only 37% have robust controls in place on what software can be uploaded onto vessel computers.
Of the risks related to cyber security, reputational risk is in fact one of the larger concerns for the maritime operator. Perhaps even beyond financial risk because the impacts of reputational risk are longstanding and more difficult to reverse.
Human failure will be responsible for more than 50% of all significant cyber incidents by 2025, according to IT research and consulting services firm Gartner.
This report should be required reading for executive teams and governing boards at any shipping, seaport or maritime concern. Ship captains and seaport executives need to examine the contents of the 60-page report to understand the risks they face in the cyber realm and ways to mitigate these threats.
The future of the maritime sector globally is undergoing massive change with increased digitization and implementation of autonomous ships, cranes and seaport vehicles. These all-new environments present opportunities for attackers and criminals unless you are adequately prepared.
Should you have any questions or comments on this article or have suggestions for future cyber/physical security topics for this column, please contact Ernie Hayden at ernie@erniehayden.com.
Ernie Hayden, MIPM CISSP GICSP (Gold) PSP, is an industrial control systems cyber and physical security subject matter expert. He has extensive experience in industrial controls security, the power utility industry, critical infrastructure protection/information security, cybercrime and cyberwarfare. His email is ernie@erniehayden.com.