Security expert seeks collaboration among littoral states

Former President, Maritime Security Providers Association of Nigeria (MASPAN), Captain George Alily (rtd), has called for increased collaboration in information sharing among littoral states in the country to support the maritime security architecture being put in place by the government to secure the nation’s waterways against pirates’ attacks.

Speaking against the backdrop of the latest global piracy report released by the International Maritime Bureau (IMB) for the third quarter of 2019, which showed a reduction in cases of pirates attack in the country, Alily said the development is an indication that the Government was stepping up its efforts at improving maritime security.

To continue reading, please click here.




Shipping firms still pay $2,000 per day for protection of crew, vessel

By Godwin Oritse

Despite the abolition of the controversial safe anchorage area by the Nigerian Ports Authority, NPA, where vessels and crew members wait before they proceed to berths, shipping companies still pay $2,000 per day to operators of the area.

Speaking Vanguard Maritime Report at a maritime stakeholders meeting in Lagos last week, Mr. Mark Wash, Executive Director, ENL Consortium, operators of berth A, B and C at the Apapa port, confirmed that NPA has told shipping firms to stop paying for protection at the ‘safe anchorage’.

To continue reading, please click here.


Gulf of Guinea: Security team comes alive in 3 months

By Godwin Oritse

In a bid to secure oil and gas operations as well as fishery activities in the Gulf of Guinea, countries in the region have agreed to set up an expert working team that would implement resolutions reached at the just concluded Gobal Maritime Security Conference, GMSC, held in Abuja, last week.

Disclosing this to newsmen at the end of the conference, Director General of the Nigerian Maritime Administration and Safety Agency, NIMASA, Dr. Dakuku Peterside, said that the team will be established within the next three months.

To continue reading, please click here.


Cyber Hack: Fortifying Maritime, Port Security

Andrew Kinsey

The United States Coast Guard Marine Safety Alert 06-19 (USCG MSA 06-19) outlines a February 2019 incident aboard a deep draft commercial vessel that called on the Port of New York / New Jersey after experiencing a significant cyber incident that impacted their shipboard network. 

The Safety Alert stated in part:
“An interagency team of cyber experts, led by the Coast Guard, responded and conducted an analysis of the vessel’s network and essential control systems. The team concluded that although the malware significantly degraded the functionality of the onboard computer system, essential vessel control systems had not been impacted. Nevertheless, the interagency response found that the vessel was operating without effective cybersecurity measures in place, exposing critical vessel control systems to significant vulnerabilities.”

To continue reading, please click here.


Maritime piracy incidents down in Q3, yet Gulf of Guinea remains a hot spot

The International Chamber of Commerce International Maritime Bureau’s (IMB) report for the third quarter of 2019 demonstrates fewer incidents of piracy and armed robbery against ships than the first nine months of 2018.

119 incidents of Piracy and Armed Robbery Against Ships have been reported to the IMB Piracy Reporting Centre (IMB PRC) in 2019, compared to 156 incidents for the same period in 2018. Overall, the 2019 incidents include 95 vessels boarded, 10 vessels fired upon, 10 attempted attacks, and four vessels hijacked. The number of crew taken hostage through the first nine months has declined from 112 in 2018 to 49 in 2019.

While the overall number of incidents has dropped, incidents involving guns and knives remain consistent. There have been 24 knife-related and 35 gun-related incidents reported in 2019, compared to 25 and 37 for the first nine months of 2018. These statistics confirm IMB’s concerns over continued threats to the safety and security of seafarers.

Gulf of Guinea

The Gulf of Guinea remains a high risk area  for piracy and armed robbery. The region accounts for 86% of crew taken hostage and nearly 82% of crew kidnappings globally.

In July a general cargo vessel was hijacked approximately 120nm SW from Brass. Ten crew members were kidnapped from the vessel and released four weeks later. In August a bulk carrier and a general cargo vessel were boarded within hours of each other at Douala anchorage, Cameroon and a total of seventeen crew were kidnapped from the vessels. Within six weeks all kidnapped crew were released.  This incident demonstrates the range of piracy activity in the Gulf of Guinea and that all types of ships are vulnerable to attack. Lagos recorded 11 incidents in 2019, the highest number for any port.

Lagos recorded 11 incidents in 2019 – the highest number of any port in the world. Despite reporting more attacks than any other country, Nigeria has reduced Q3 piracy attacks from 41 in 2018 to 29 in 2019.

“Although incidents are down, the Gulf of Guinea continues to be a concern for piracy and armed robbery-related activities with kidnappings of crew members increasing in both scale and frequency,” said Pottengal Mukundan, Director, ICC IMB. “It is important that shipmasters and owners continue to report all actual, attempted, and suspected incidents to ensure that an accurate picture of these attacks emerge and  action is taken against these criminals before the incidents further escalate.”

Continued improvement in Indonesia

Meanwhile, Indonesia reported a decline in overall piracy related incidents with 20 actual and attempted attacks for the first nine months of 2019. Over the past five years, Indonesia has gradually reduced its share of piracy related incidents. As recent as 2015, Indonesia reported 86 actual and attempted piracy incidents through Q3. Indonesia’s impressive gains can be attributed to continued information sharing between the Indonesian Marine Police and the IMB PRC.

No incidents in Somalia, but threats remain

Meanwhile, Somalia has no piracy-related incidents recorded for the first nine months of 2019. Although no incidents have been reported, Somali pirates continue to possess the capacity to carry out attacks in the Somali basin and wider Indian Ocean. As a result, the IMB PRC advises ship owners to remain cautious when transitting these waters.

Global anti‐piracy support

Since 1991 the IMB PRC’s 24-hour manned centre, has provided the maritime industry,  governments and response agencies with timely and transparent data on piracy and armed  robbery incidents – received directly from the Master  of the vessel or its owners.

The  IMB  PRC’s  prompt  forwarding  of  reports  and  liaison  with  response  agencies,  its  broadcasts to shipping via Global Maritime Distress and Safety System (GMDSS) Safety Net  Services and email alerts to Company Security Officers, all provided free of cost, has helped  the response against piracy and armed robbery and the security of seafarers, globally.

IMB strongly urges all shipmasters and owners to report all actual, attempted and suspected  piracy and armed robbery incidents to the IMB PRC globally. This first step in the response  chain is vital to ensuring that adequate resources are allocated by authorities to tackle piracy.  Transparent statistics from an independent, non- political, international organization can act  as a catalyst to achieve this goal.


Sensible Cyber Security for Maritime

By David Rider

In 2012, as piracy in the Indian Ocean began to wane, a number of private security companies began to transition from armed security services into other areas of business. For some, this meant moving into a general Risk area. Others, meanwhile, noticed that the shipping and port industries were slow to capitalize on the digital revolution and realized that those same companies were also exposing themselves, unwittingly, to cyber threats. The lack of expertise in the area allowed some companies to begin offering services and, in short order, the more traditional cyber security providers followed them in to the maritime domain.

Quiet on the Water

As of October 2019, to the best of my knowledge, there has not been a single, dedicated hacking attack against a vessel at sea by malicious actors. While there have been rumours – specifically one from an American telco provider in 2016 – that hackers have teamed up with pirates to track high value cargoes, there has been no firm evidence.

Equally, the dire warnings of ships having their navigation systems hacked so they could be directed to ports where pirates or criminal gangs could then ransack them have so far proven to be little more than interesting worst-case scenarios (I don’t even want to begin discussing the logistics of this, because they’re enormous and far outwith the means of most pirate groups).

What has been noted, however, is a rise in spear-phishing of vessels at sea. This has become an increasing problem and prompted the US Coast Guard – widely seen as being at the forefront of maritime cyber security – to issue a series of warning and advice notices in July 2019. They warned that emails purporting to have come from the US Port State Control authority were being sent to ships and disseminating malware throughout vessel systems. They reported that a merchant vessel bound for the Port of New York began to experience “a significant cyber incident impacting their shipboard network.”

An investigation found that, “although the malware significantly degraded the functionality of the onboard computer system, essential vessel control systems had not been impacted.” Additionally, and perhaps unsurprisingly, they noted that the vessel was, “operating without effective cyber security measures in place, exposing critical vessel control systems to significant vulnerabilities.”

While incidents like this are a genuine cause for concern, more commonly, the maritime domain has seen malware introduced into ship systems by crew and third party providers by accident. While these incidents have been, in some cases, hugely expensive to put right – any delay to a vessel costs money – they have so far fallen short of the scare stories suggested by some parties.

This is not to dismiss or minimise the threat of an actual, focused attack by an APT group on a shipping line or vessel. It could happen. Indeed, it probably will. But it hasn’t happened yet for a number of reasons, the main one being, Why? Why attack a ship? If we assume that most cyber attackers are criminal rather than terrorist or hacktivist, then the motives for attacking a ship at sea begin to fall away; there simply isn’t any profit in it, and return on investment is important to cyber criminals. It’s like mugging a bank teller rather than emptying the cash drawer.

The ongoing, real threat is and will always be found at a company’s head office. How the company deals with that will decide what any attacker does next. Outside the realm of hacktivism, criminals are looking for a payday, and that means they’re going to be looking for any vulnerability which can give them access to company bank accounts.

In the last few years, I’ve seen numerous reports of highly specific and convincing email fraud attempts against shipping companies, ports and ship brokers. In several instances, the hackers have infiltrated a company’s systems and then sat dormant, often for months, waiting for their opening. In one case, this involved sending spoofed emails to a client and redirecting payment of hundreds of thousands of pounds to the hacker’s bank accounts. Fortunately, thanks to quick-thinking staff, the fraud was discovered and the banks and police were able to stop the transfers. But this isn’t always the case.

Directed attacks remain a significant threat to any company, regardless of the business sector, and maritime is no different.

Shipping has so far managed to avoid the massive headline-grabbing attacks such as the $4.2 million stolen from an Oklahoma pension fund, or the $47 million initially stolen from networking firm, Ubiquiti in 2016, but the sector remains highly exposed due to a number of factors.

The Push for Efficiencies

As the maritime industry embraces digitization and the efficiencies and cost savings that come with it, security can often be taken for granted. Unfortunately, as those systems evolve, so do attackers. Their methods become more advanced and the paydays bigger. For example, phishing emails have been with us since the dawn of email. The question is how your company deals with them. There are a few questions you should ask yourself, or senior management:

• Does your company have a dedicated Chief Information Security Officer (CISO)?

• Are you a small organization reliant on third party software and consultants?

• Has your administrative staff been trained to recognize a phishing attempt?

• Are they aware of the risks of social engineering?

• Are they regularly updated with the latest threats and attacks in your sector?

If the answers to those questions are all Yes, then here’s another: does this extend to your crew on the water? Do your vessels employ specific measures to counter and combat attack or contamination?

Deep Fakes are Here

The persistent threat to most companies is the Business Email Compromise (BEC) or CEO Fraud. The good news is that it’s relatively easy to mitigate in most companies. The bad news is that it’s becoming highly sophisticated, thanks to ‘deep fakes’.

In September 2019, it was reported that a gang of cyber thieves had managed to steal $243,000 from a UK energy firm in a complex BEC attack that used an AI-generated voice of the company’s German parent firm’s CEO to authorize the transfer of funds. During the course of just three phone calls, the AI was convincing enough for the criminals to pull the fraud off. And, as the media reported at the time, “After the transfer, the funds were moved to Mexico and then to other countries, making the funds harder to track. No suspects have been identified.”

How would your company deal with such an incident? Are large financial transfers subject to face-to-face scrutiny with senior management? Well, they should be. You can no longer rely on a phone call or email to confirm that a transfer of funds has actually been authorized by senior management. Nor should you.

The threats to vessels at sea are more easily apparent. BIMCO has noted a number of incidents where malicious software was introduced to ship systems by accident, often by third parties contracted to check or even update specific bridge equipment, but crew introduction remains the more obvious route. Again, this is easily countered by enforcing strict protocols; blanking off USB ports and ensuring no crew equipment is plugged in to any ship computer systems being the most obvious. Again, training courses and refreshers should be offered to all crew, as well as more practical software protection.

Following the reported spear-phishing incidents this summer, the US Coast Guard suggested that basic cyber security practices be adopted by ships. These include:

• Implement network segmentation.

• Create network profiles for each employee, require unique login credentials, and limit privileges to only those necessary

• Be wary of external media

• Install anti-virus software

• Keep software updated

Basic, common sense moves designed to make breaking in to or disrupting your ship systems a little harder. Yet it’s surprising how few vessels adopt even these recommendations.

Mitigate and Educate

The good news is that over the last few years, maritime cyber specialists have entered the market and maritime cyber insurance policies have matured. Templar Executives, a UK cyber security specialist, teamed up with Wärtsilä to create the International Maritime Cyber Centre of Excellence (IMCCE), which consists of the Templar Cyber Academy for Maritime (T-CAM) and a Maritime Cyber Emergency Response Team (MCERT). Through its Cyber Academy, Templar now offers training for companies operating in the maritime domain, from C suites to crew and port officials, while the MCERT, with its 24/7 operations centre, is intended to share information on new attack vectors and prevent as many incidents as possible. As a result, it’s now being picked up by marine insurers, with Lampe & Schwartze in Germany partnering with Templar to launch a new Ship Owners Marine Cyber Cover.

The hope is that moves such as this will lead to companies reporting cyber intrusions and attacks in a timely manner. At present, there are no firm figures for maritime cyber security incidents; shipping companies are, in general, loathe to admit to them for a variety of commercial reasons. Anonymous reporting will certainly make that easier, as companies such as CSO Alliance hope. However, speed is key. It’s crucial that a company under attack share the information in order to allow others in the sector to bolster their own defences. In this case, sharing is definitely caring.

The Innocent Bystander

Of equal concern is the potential knock on effect from a wider malware attack. Few people in the maritime domain will be unaware of the NotPetya incident that affected Maersk in 2017. To call it massive would be an understatement. More worryingly, Maersk was simply unfortunate collateral damage in an attack that spread around the world and saw the company forced to rebuild its network of 4,000 servers and 45,000 PCs at a cost running into hundreds of millions of dollars.

The financial blow alone should be a salutary warning to most companies, but the fact that it happened as part of a domino effect should be more sobering. Your company doesn’t have to be directly targeted to be impacted.

Threat mitigation is good, but threat prevention is always better. These days, there are few excuses for any company not to adopt a robust cyber security policy for its land- and sea-based operations, particularly given the scale of the threat and its financial implications.

As the shipping industry begins to look seriously at the prospect of autonomous vessels, these same problems persist and insurance underwriters are already taking note. It will be interesting to see how the industry adapts to the challenges posed. The IMO will certainly be watching. As will the cyber criminals.

Maritime security training for Trinidad and Tobago

Trinidad and Tobago is the latest IMO Member State to receive maritime security training. A self-assessment and audit training workshop took place in in Port of Spain, Trinidad (23-27 September).

Participants were trained in self-assessing how two key IMO maritime security instruments – SOLAS Chapter XI-2 and the International Ship and Port Facility Security (ISPS) Code – are implemented at the port facility level. This is done using established, industry-standard IMO and ISO procedures to identify areas for improvement.

The course addressed outcomes of a previous workshop on ISPS Code responsibilities delivered by IMO in Port of Spain last year.

The workshop included theoretical lessons for participants to understand the certification process involved in obtaining the Statement of Compliance of a Port Facility, presentations on audit processes and techniques, and practical exercises on role playing the review of a port facility security plan.