CYBER SECURITY – A fine balance of Safety & Convenience

Cyber Security in Shipping and Maritime

A few years ago, having a six-letter password was sufficient but today, two-factor authentication is the new norm

Cyber made it all possible. The world felt more connected, faster, and better – like never before. However, as good was being shared, very much inevitably the bad spread too. The most technologically perfect locks were created, and cyber-security pride reached its horizons but the flip side of this coin –the prospects of cybercrime too scaled heights.The chase continues.

While there are many definitions of cybercrime that describes it as a phenomenon which includes anything illegal that was carried out online, a more precise definition of cybercrime states that it is any act which could not be executed without cyber technologies andwithout causing financial or personal harm. Some examples may includeDoS and DoS attack, exposing user, personal data or company data, crashing or defacing sites. Some other aspects of cybercrime include illegal activities online (such as selling or trading illegal items), copyright infringement, white hacking and the likes.

When we talk of security in the shipping industry, it is a broad area and can cover anything from securing containers on freight ship up to securing access to airport hangars. To understand a broader perspective of cybersecurity in the Shipping and Maritime industry, Sea News interacted with BojanČekrlić, CTO at CargoX Ltd.

“In case of CargoX, security is linked to access to documentation. Bill of Lading, as one of the most important documents in the shipping industry, is a Document of Title. This piece of paper is an original – meaning only one copy may exist at any given time. As such, making sure the current holder is always well known is paramount. So, here comes the role of cyber security,” Bojan said.

Talking about cyber security, it is prevention and handling of cybercrimes. Cybersecurity includes active things, such as secure network architecture, firewall setup, intrusion detection systems, and passive activities, such as disaster recovery plan, backup and restore procedures, risk management list and policies.

It is an ongoing process.The only way to keep it in check is through a detailed security plan besides regular internal and external audits. These audits should cover everything – from disaster recovery scenarios to audits of interfaces (black box audits) and code itself (whitebox approach to auditing).

The top five measures that form the very basics of security shield against the attacks are decentralization, data governance, proactive regular security audits, user education, physical (doors, keys, entry logs) and cyber protection (firewalls, IDS, network infrastructure).

Cybersecurity is an evolving field. As we see further advent of decentralized technologies and more and more devices connected to the internet and/or having programmable chips, cyberattacks are going to get refined and more targeted. It’s not uncommon, even today, to have a worm spreading through printers and other devices attached.

According to Bojan, too much security is sometimes perceived as slowing down regular work processes, which is true. Security is always a tradeoff between safety and convenience. Sometimes, the line can be quite thin and at other times very blur. Good news is that with education of users, this line is moving towards better secure systems. “Just a few years ago, having a six-letter password was sufficient but now-a-days two-factor authentication is becoming the new norm. And, with the advent of public key infrastructure and blockchain, digital private keys are now, more common,” he added.

After carefully studying the safety vs. convenience balance, one can decide to err on the side of caution: all users have their own private keys which they use to transfer the digital documents. “This way not even CargoX has the possibility to alter the state of the document on the public blockchain. The decision to tread this path was taken following some high-profile hacks into digital exchanges where private keys were stolen, and cryptocurrency lost. Even though this introduces additional complexity, so far users’ experiences have been positive,” said Bojan.

Talking of vulnerability in the industry, the most vulnerable are port activities and it is because of two main reasons: they need to process and manage vast amounts of data and tight schedules which make downtimes extremely costly. Mitigating these risks is never a one-step solution and requires different approaches. To prevent denial of service attacks, decentralization seems to be the most logical answer — either by hosting classical systems in multiple distributed data centers or by moving to “distributed by nature” technologies, such as blockchain.

With many actors and points of entry, information leakage is a bigger issue, even. No silver bullet exists in this scenario, that’s why data governance is critical. If possible, information shouldn’t be stored all in one place (“don’t put all your eggs in one basket”) and should be encrypted whenever possible.

Lastly, the biggest attack vector are usually people using the system. It’s vital to educate people about good security practices and to prevent social and phishing attacks.

There are many ways to record this information.A naïve approach would be storing this information in a database. But that data can easily be changed, advertently or inadvertently.

“That’s why we decided to record this information on a public blockchain, where the records are final, immutable and publicly verifiable. Having an audit trail with timestamps of these transfers is critical, especially in the case when there’s a problem with the cargo. And public blockchain is ideal in this case, as it’s completely neutral and can’t be affected by any one party – not even CargoX. Private blockchains fall somewhere in between, as data can still be changed by consensus or majority of nodes — and this is much easier to achieve when there are 20 nodes vs. 20.000,” he added.

Other aspects of security — such as keeping data on the document accessible to specific partiesonly and keeping usernames and passwords safe — are important as well but come in a distant second and can be covered by classical means.

One solution that is being voted on these days is the idea of sharing the best practices among companies and luckily, a well-weaved system for this is well-established and already in-place. The IT world is full of “frenemies” — companies that compete in one area but collaborate in another: Microsoft joining the Linux foundation, Apple buying chips and screens from Samsung, IBM-Oracle Global Alliance, just to name a few. On a smaller scale, this is done by joining associations, organizations and alliances. On a micro scale, this is done by semi-formal or informal meetups between like-minded professionals. In the end, it’s nearly impossible to hide these practices from other companies forever.

A firm belief is that all these actions is the way forward for the whole industry. Such practices and solutions can help get customers’ recognition and trust. The business advantage of each individual company still stays in how they implement these practices and in how they get and retain their clients.

Looking at the future of this all, we find that it will for sure increase in the future.We may see infected IoT devices on containers coming into ports or wearable devices infecting single-window apps. Social engineering is going to get a lot more sophisticated, as data from various leaks is aggregated and comprehensive profiles of individuals are created to better sell a spear-phishing attack. So, to brave this all counter-measures willneed to get a lot smarter by employing artificial intelligence to detect and block suspicious behaviour as soon as it’s detected.

Bojan concludes by saying that as the industry has witnessed cyber technology moving in cycles from centralized (e.g. terminals connected to a super computer) to decentralized (first internet) to centralized again (specific services on the internet, DNS, certificate authorities) it is a widespread belief that the whole industry is on the verge of another decentralized cycle.

“Systems are going to get loosely connected, data replicated, and services decentralized over blockchain or other similar technologies. This will require a whole another set of tools to manage and combat cybercrime,” he added.

Sea News Feature, July 30

Baibhav Mishra
Author: Baibhav Mishra

Associate Editor, Sea News