When one of the most technically advanced and sophisticated shipping companies in the world became crippled by a vicious cyberattack, it left the entire industry exposed and shaken. Aleya Begum Lønsetteig reports on the challenges facing businesses and the lessons to be learnt from Maersk’s recent battle.
As digitisation revolutionises companies’ operations, supply chains and transactions, it is also making them increasingly vulnerable to cybercrime. In August, the world’s largest container shipping company, Maersk Line, revealed that it will lose up to US$300mn after being struck by a malware dubbed NotPetya in June. The attack, which wiped out Maersk’s operations across 76 ports, saw the company go back to basics, implementing manual processes to keep trade flowing. Maersk’s loading volumes dropped from levels of around 210,000 forty-foot containers to 160,000 in the week following the attack. Weeks passed before Maersk could report that business was functioning as normal again in mid-July.
Starting in Ukraine, the attack hit 12,000 devices across an estimated 65 countries. In Kiev, ATMs stopped working, while workers at the old Chernobyl nuclear plant were forced to monitor radiation manually after their computers failed. Tech managers at companies across the globe including US pharmaceutical giant Merck and media conglomerate WPP were all scrambling to respond. Cyence, which helps insurers measure cyber risk, has estimated economic costs from the attack total US$850mn.
Over the past few years, cyberattacks have become faster, harder, and more damaging. According to insurer Hiscox’s Cyber Readiness Report 2017, 2016 cyber-attacks were estimated to cost businesses as much as US$450bn globally. Its research reveals that in Germany, the UK and the US, where it assessed over 3,000 companies, most were not prepared to deal with cyberattacks. The report found that 53% of companies were ill-prepared, and just 30% were rated “expert” in their overall cyber readiness – despite over half (57%) having experienced an attack in the past year.
Speaking of the June attack, Maersk CEO Søren Skou told the Financial Times that the ordeal was “frankly quite a shocking experience” and that while for “most business problems, you will have an intuitive idea on what to do… with this and my skills, I had no intuitive idea on how to move forward”. Such an open admission from the leader of the biggest freight company in the world, perceived as having industry-leading IT systems, highlights the problems of inexperience and subsequent exposure companies are now grappling with.
Odds of attack up
In the 12th annual Cost of Data Breach Study 2017, IBM and the Ponemon Institute warn that the odds of experiencing a data breach are now as high as one in four (global average 28%). The study also highlights that companies are now experiencing larger breaches, with the average size of a data breach increasing by 1.8% from the year before to over 24,000 records (lost or stolen records containing sensitive and confidential information).
In good news, the study reported the global average cost of a data breach has dropped by 10% to US$3.62mn. The authors noted, however, that a strong US dollar had significantly influenced the global cost analysis and some 48% of the decline could be attributed to currency fluctuation. It is also worth noting that the study took place before both the WannaCry (a malware attack in May which within a day infected more than 230,000 computers in over 150 countries) and NotPetya attacks.
The largest component of total cost of breach is lost business. The report research showed more organisations worldwide lost customers as a result of their data breaches. Meanwhile, certain industries have more costly data breaches, with healthcare and financial services suffering the most.
While studies and reports go a long way to understanding the threats and costs, they can only be based on reported incidents. One of the biggest challenges in the battle against cybercrime is the underreporting of attacks. Recent figures from the UK’s National Crime Agency (NCA) reveal that fewer than one in 100 cybercrimes in the UK are reported. Underreporting remains a key barrier to understanding the true scale and cost of cybercrime. Fears of reputational damage, lack of understanding of the reporting system, and unawareness that an attack has even occurred are common reasons for not reporting cybercrime.
The basics
While most cybersecurity experts agree that it’s impossible to fully protect yourself from an attack, companies could be doing a lot more.
“No matter what you do, you can never protect yourself 100%, that’s simply not possible – everybody gets penetrated every now and then,” Lars Jensen, CEO of maritime industry cybersecurity firm CyberKeel, tells GTR.
“The reality for the maritime sector is that the simple stuff is not being done. It is something as simple as systems not being updated, or passwords being shared with thousands of people. Every time we test, we find this time and time again. A lot of the players in this industry make it all too easy. Often, they don’t need to buy very expensive, sophisticated cybersecurity software: they need to concentrate on getting the basics right first.”
Jensen says the next step is to make sure your systems are updated and configured so that any penetration does not result in access to your entire network.
“You need to have in-depth defence – by having different gateways and different servers that restrict access, you make it more difficult for a virus to spread. How a system is set up and configured is not the same as whether it is updated. You can have a fully-updated computer but if it is not configured correctly you can still breach security,” he says.
It would appear Maersk’s experience has served as something of a wake-up call for a complacent industry.
“This incident has definitely caught the attention of leadership, boards of directors, and investors in companies,” senior intelligence account analyst at cybersecurity firm FireEye, Jens Monrad, tells GTR. “If you look at how transparent Maersk were in informing parties on what was happening, hopefully that will inspire other companies by making them realise that they need to invest in not just technology, but the right processes and the right people.”
Over the course of the attack and recovery, Maersk kept its customers informed with regular operational updates and responses via Twitter, while its management made themselves available to questions and provided candid answers to the media.
Corporate clients are voicing concerns to their banks about phishing attacks and how to improve credential security.
“When we ask customers about their overall business concerns, cybercrime is becoming more and more prevalent,” says HSBC managing director, global trade and receivables finance, UK, Ian Tandy. “The simple fact is, if you’re the director of a business, you need to consider all the risks. At the moment, cybercrime is a risk you have to consider. It’s not something you should be abjectly worried about, but you should at least be considerate.”
Tandy explains that businesses should follow some basic steps: “Large companies have procedures for who organises and authorises payments. Most of the time it’s about making sure you follow your own rules – governance within your own businesses.”
Contingency is key
According to experts, contingency planning and incident response platforms (IRP) are among the most effective ways to become more cyber-resilient. Other prevention tools include identity management, authentication, and intrusion detection and prevention systems.
Last year, however, a survey by IBM and Ponemon of 2,400 security and IT professionals found that 75% didn’t have a formal cybersecurity incident response plan across their organisation. 66% were not confident in their organisation’s ability to recover from an attack.
“This year’s study shows that organisations globally are still not prepared to manage and mitigate a cyberattack,” says John Bruce, CEO and co-founder of Resilient, an IBM company. “Security leaders can drive significant improvement by making incident response a top priority – focusing on planning, preparation and intelligence.”
Maersk was the first to test how robust its contingency plan is, and its transparency meant that it was a public recovery. Speaking on CNN Money a few days after the attack, COO Vincent Clerc admitted “we didn’t think it could hit us so hard so fast and we’ve had to learn a lot”.
He said the company chose to take the entire system down and that bringing it back to life was “complicated”. He believed the cybersecurity team made the right calls, although the incident was “obviously causing a lot of pain for colleagues and clients”.
In his interview with the FT, CEO Skou admitted that the company had not been able to recover its IT systems quickly enough.
Market commentators say it’s not yet possible to assess Maersk’s response without better understanding the intricacies. At the time GTR went to press, Maersk said it is still in the midst of conducting an internal forensic investigation and so is unable to comment further.
“Maersk have small offices branches and connected equipment all over the world. Some of the equipment is in offices, some on ships, some in terminals, some on oil rigs, so it’s very hard to have a full overview on what’s going on, on all sides,” says Monrad from FireEye. “What we are asking large companies following this is: do you have the ability to discover any threats and how quickly can you actually respond to them? From Maersk’s incident, the lesson learnt is how to minimise the time from discovering an issue to reacting to the intrusion, and isolating that from the rest of the environment.”
For Jensen at Cyberkeel, contingency plans have been the dictum for years. When a company is under attack it is not in control, but the company has years to plan for its response and recovery once the attack is over.
“For the last three and half years, we have been saying to the entire industry that you need to have a contingency plan, based on the assumption that you have lost everything. No computer, no phone, no customer records. You need to have a back-up plan that has you up and running from that point,” he says. “The best way is to assume you lose everything tomorrow, and ask yourself, how long can we survive? Too often companies give the IT department a budget and tell them to build a backup plan, but that doesn’t really work, you have to look at it from the business perspective: how long do you have? With digitisation, we see that time getting shorter and shorter.”
Cybersecurity leadership
While cybercrime conjures up the image of anonymous geeky gangs, the perpetrators don’t always fit that bill. Some of the most ominous hackings of recent times have been sponsored, or supported by governments.
Russia is suspected of leading a hack into the US Democratic National Committee last year, while a North Korean team has been credited with unleashing the WannaCry malware. Russia is also suspected of using hacking to try to influence recent elections in the US and France and upcoming elections in Germany. The increase in such attacks led Nato to announce in December last year that cyber defence will be a key talking point at its next summit.
“When you look at the recent attacks out of Ukraine, it was actually disguised as ransomware. But there was no data exchange for ransom. This was a disruptive attack that had the tune of a politically motivated one,” says Monrad.
“Everyone uses the internet – citizens, enterprises and governments. Governments need to sit down and have some sort of agreement on how to engage. It’s unfair to tell private enterprises that they need to protect themselves better against other foreign nations that are potentially backing them into a geopolitical conflict.”
However, whether or not governments should take a lead to secure the cyber world is less obvious to others.
“The moment you start to talk about governments in this context, several things become difficult,” says Jensen. “Firstly, global government regulation is extremely difficult and time consuming to get in place, since you need almost 200 governments around the world to agree. It took the international maritime organisation the better part of 20 years just to agree on a set of rules for how to weigh a container. Imagine how much time it would take to have a concerted approach on cybersecurity – and once they are done it’s going to be outdated anyway.”
The second obvious problem, he adds, is that with some state entities being a threat themselves, you don’t want to then rely on them for critical safety infrastructure. For Jensen, a more practical answer is the insurance industry.
As an analogy, he compares cybersecurity to property security. If your home is burgled and everything is stolen, you are able to make an insurance claim to recover your losses. However, if it turns out that you always leave the house without locking your door, this amounts to gross negligence, and no pay out will be made.
“In the cyber world we are still lacking those types of guidelines. If the insurance industry can begin to provide at least basic guidance, then you can get some minimum guidelines that become enforceable,” he says.
While studies show that an increasing number of organisations are transferring the cyber risk to an insurer, the insurance industry could expand its role by issuing universal best practices and guidelines.
But ultimately, organisations are up against the need for an entire mindset overhaul, concludes Jensen: “The best way to generate security is to think about security at the design phase and not as something you slap on after the fact. A lot of what is happening in digitisation right now is driven by functionality and business cases, but not a lot of thought is put on the security side. The more we can get the security side deeply integrated at the design phase, the better off we are going to be.”
The attack in Maersk’s words
When: Tuesday June 27, 2017
Where: Ukraine
How:
- Maersk was one of many global companies to be hit by a malware distributed through a Ukrainian accounting software called MeDoc, used for filing tax returns in Ukraine.
- The MeDoc software contained backdoors into the networks of users, which were used by the malware to enter via the automatic update system.
- Updates and patches applied to both the Windows systems and antivirus were not effective protection, since this type of malware was unforeseen.
Action taken:
- Infected networks were shut down as soon as the attack was noted. The malware was contained to the container-related businesses, and six out of nine businesses upheld normal operations.
- For Maersk Line, port and terminal operating company APM Terminals, and freight forwarding and supply chain management company Damco, systems had to be shut down for a period for precautionary measures, as they have global interfaces across businesses and partners.
- The attack was contained on June 28 and Maersk immediately began implementing its technical recovery plan.
- On June 29, Maersk Line was able to accept bookings from customers with existing accounts. Operations for Maersk Line, Damco and APM Terminals normalised during the week of July 3 to July 9.
- Maersk systematically brought back users and applications in 500 locations, in order to minimise further disruption.
- Maersk has put in place different and further protective measures and is continuing to review its systems.
Consequences:
- System shutdowns resulted in significant business interruption.
- While businesses were significantly affected, no data breach or data loss to third-parties occurred.
- Up to US$300mn in potential loss expected.
- 76 ports ground to a halt in the immediate aftermath of the attack.
- Loading volumes were down from levels of around 210,000 forty-foot containers to 160,000 in the week following the attack.
