This article is part of Evolving Threats to Southeast Asia’s Maritime Security, a series of analyses produced by experts convened by the S. Rajaratnam School of International Studies.

How have cyber-attacks evolved over the last 20 years?

Cyber-attacks are an emerging threat to the maritime sector. Although the full extent of their impact has yet to be felt, they pose a constantly evolving threat that will worsen with time. Unlike sea pirates, who take physical form, the threat from cyberspace is invisible and employs myriad ways of maintaining anonymity and covering its tracks. Operating independently of national and geographical boundaries, cyber threat actors can launch their attacks from, and against, anywhere in the world.

As long as systems are connected to a computer network, the possibility of breaching them exists. The more digitalized and automated our systems become, the more chances there are for infiltration and achieving the attacker’s goals.

The evolution of three groups of cyber threats is described here: (1) nation-state hackers, (2) cyber-criminals, and (3) criminal organizations that enlist the help of hackers.

Nation-state hackers act on behalf of their government to compromise target states, organizations or individuals to gather intelligence or to cause harm. They are usually well-resourced, highly skilled and are not motivated by monetary gain.

Nation-state hackers have been associated with attacks on industrial facilities that use Operational Technology (OT), also known as Industrial Control Systems. OT systems include the hardware and software that monitor and control physical devices and processes, including propulsion systems, cargo management systems, and other systems onboard ships. Cyber-attacks on OT systems can result in physical damage to infrastructure or disruption of essential services. Reported attacks on industrial facilities since 2010 have shown a gradual rise in sophistication and scope. For example, two separate cyber-attacks were launched in 2015 and 2016 on Ukraine’s power grid, resulting in several hours of power outage. In 2017, the safety instrumented systems of an oil and gas facility in Saudi Arabia were disabled, rendering the plant unable to fail safely should a disaster occur.

Nation-state hackers have also been associated with the deployment of destructive malware. In 2017, malware called NotPetya was distributed through a software update to MeDoc, the de facto tax accounting application in Ukraine. Once NotPetya was run, it spread indiscriminately around the globe, irreversibly rendering computers and files unusable. Southeast Asia’s maritime sector suffered collateral damage by being caught in the middle of this attack. Although the attack did not cause any physical damage, the effects on shipping lines and ports, such as those operated by Maersk, one of the largest shipping companies in the world, were devastating.

Cyber-criminals compromise their targets for monetary gain. In the mid-2010s, the distribution of ransomware overtook other methods to become the dominant and most lucrative method employed. This involves breaking into networks, encrypting files on large numbers of computers, and demanding a ransom for the decryption key.

Cyber-criminals have evolved rapidly in the past decade. Since 2018, instead of distributing ransomware indiscriminately, some gangs have moved towards selecting high-value targets in specific sectors such as healthcare. The result of this strategy is reflected in the leap in the value of ransoms collected. A ransomware gang called Ryuk has been notably successful, collecting $61 million in ransom in 2019. Ryuk is notorious for attacking hospitals, as they are more willing to pay ransoms to avoid delays in treating patients. Choosing high-value targets may not always lead to higher returns, however. For example, a large financial institution that has invested wisely in its cyber defenses may not be an easy target. The majority of ransomware victims are small and medium-sized businesses, which are more likely to have weaker defenses and therefore present higher chances of success for the attackers.

Cyber-criminals have become more sophisticated in order to overcome stronger defenses. Franchising schemes, offering as much as a 70% share of the ransom collected, have arisen to expand the pool of talented affiliates. An ecosystem of specialists has also emerged, offering niche services such as those allowing ransomware to evade detection by commercial antivirus software.

Crime organizations such as drug traffickers have been known to enlist the help of hackers to enhance their capabilities. In 2011, maritime drug trafficking was taken to a new level when drug smugglers recruited hackers to compromise computers at the Belgian port of Antwerp. Using their access to data on container movements, the drug smugglers were able (1) to locate containers that did not belong to them but held cocaine they had earlier hidden, and (2) to retrieve the cocaine from those containers before the rightful owners claimed their actual cargo—bananas.

What are the primary governance tools that are being used in response to cyber threats?

The governance tools used in response to cyber threats in Southeast Asia’s maritime sector include (1) international conventions for ship owners and operators, (2) national legislation to strengthen cybersecurity in critical infrastructures (maritime ports included), and (3) sector-specific investments and capability development.

In 2017, the International Maritime Organization (IMO) adopted resolution MSC.428(98). This resolution requires ship owners and operators to address cyber risks in their safety management systems as part of compliance with the International Safety Management Code. Flag Administrations have been encouraged to ensure that registered ships and companies comply. IMO member states, for example the United States through its Coast Guard, can also exercise port State control to impose the aforementioned requirements on companies whose foreign-flagged vessels call at their ports.

To support the implementation of MSC.428(98), several guidelines have been published by international shipping associations, including the Baltic and International Maritime Council, the Digital Container Shipping Association and the Oil Companies International Marine Forum. In April 2022, the International Association of Classification Societies adopted two new Unified Requirements, E26 and E27, which set out the minimum requirements for cyber resilience in newly classed ships contracted for construction from January 1, 2024. E26 describes the secure integration of IT and OT systems into a vessel’s design, while E27 addresses system integrity in onboard systems and equipment. The vast majority of commercial ships in the world are built and surveyed for compliance with the standards laid down by classification societies.

National legislation in Southeast Asia has also laid the groundwork for improving cyber resilience across critical sectors, including the maritime sector. In Singapore, the Cybersecurity Act of 2018 established a legal framework for the oversight and maintenance of national cybersecurity. It also empowers the Commissioner of Cybersecurity to issue codes of practice regulating the measures taken by Critical Information Infrastructure owners to protect their infrastructure from cyber threats. Other countries in Southeast Asia, including Malaysia, Thailand, Indonesia, the Philippines, and Vietnam, have also passed similar cybersecurity legislation.

In Singapore, the Maritime and Port Authority (MPA) is responsible both for exercising port State control and for carrying out its duties as the flag Administration of Singapore-registered ships. Its mission also includes safeguarding Singapore’s maritime interests. In 2019, the MPA opened its Maritime Cybersecurity Operations Centre to provide early detection of, monitoring of, and response to cyber-attacks.

What are the primary harms cyber-attacks pose to regional stakeholders?

Cyber-attacks pose a risk to regional stakeholders by disrupting shipping operations and trade, and by endangering safety. The effect of the NotPetya cyber-attack on Maersk in 2017 was devastating. 50,000 laptops and 4,000 servers spanning 130 countries were unavailable for ten days while Maersk attempted to continue operations manually. 17 of the 76 Maersk-owned container terminals operated by APM Terminals were shut down or experienced severe slowdowns in cargo operations. At India’s Nhava Sheva port, extra storage space had to be set aside for export containers stranded by APM’s inability to access booking data. APM’s Pier 400 at the port of Los Angeles was closed to inbound truckers.

Cyber-attacks that leave vessels stuck at highly congested choke points, such as the Straits of Malacca and Singapore, can also disrupt worldwide trade. The blocking of the Suez Canal by the accidental grounding of the Ever Given in 2021, though not caused by a cyber-attack, is a good illustration of the potential consequences.

Cyber-attacks can also endanger safety at sea. To date, most cyber-attacks in the maritime sector have been aimed at compromising ports and shore-side corporate networks rather than at taking control of vessels or port equipment. However, there are concerns about major attacks of this nature in the future. These concerns stem from (1) the growing connectivity and automation used in vessels and ports; (2) reports of cyber-attacks affecting shipboard systems, for example in 2019, when the U.S. Coast Guard reported an incident on an ultra-large container ship off the port of New York, commenting that “Although the malware significantly degraded the functionality of the onboard computer system, essential vessel control systems had not been impacted”; and (3) an increasing trend since 2010 of cyber-attacks on industrial facilities that, like ships, also use OT systems. Some hacking techniques that have been used to confuse navigational aids are also a source of concern. Global Positioning System (GPS) spoofing can feed false position data to a vessel, leading to inaccurate navigation decisions by the crew or autopilot if the data is not verified against other sources.

How has maritime awareness developed to reduce cyber threats?

Domain awareness of cyber threats in the Southeast Asian maritime sector is still in its infancy. To accelerate its development, there is a need to set up a maritime-specific Information Sharing and Analysis Center (ISAC), along the lines of the Maritime Transportation System Information Sharing and Analysis Center in the United States and NormaCyber in Norway. ISACs can create an ecosystem of trust in which experiences can be shared among members, helping less experienced ones to grow. ISACs also provide actionable threat intelligence, alerts, early warnings, and continuous monitoring through their security operations centers. In this region, several trusted entities may be well placed to fill this gap. They include the Information Fusion Centre and the Regional Cooperation Agreement on Combating Piracy and Armed Robbery Against Ships in Asia Information Sharing Centre, both of which facilitate information sharing regarding threats to maritime security. Both organizations can leverage their well-established multilateral ties and partnerships with regional militaries, law enforcement agencies, and the private sector to share information about maritime cyber security threats.

About Chan Yan Jau

Chan Yan Jau is director of cybersecurity consulting of a leading professional services firm. He has spent more than 20 years as an adviser to many businesses around the Asia Pacific region in a diverse array of sectors including maritime, water, telecommunications, financial services, pharmaceuticals, and law enforcement.