‘Very limited cyber incident troubleshooting knowledge among crew on board’ combined with ‘a complex and potentially vulnerability-prone supply chain’ are among the reasons why ransomware attacks are inflicted on cruise ships, says Bolton.
She says, ‘[Cruise ships] are under pressure to keep customers connected throughout their journeys while processing financial transactions, delivering healthcare operations and storing personal data.
‘Attackers see a wider attack surface from the technology deployed and the increased use of the cloud and trusted third-party companies. They're always looking for organisations with easy ways in – that might be from old and unpatched systems, through to phishing emails or through connections into other companies (e.g. suppliers).’
She further adds that ‘organisations who do not have a way of staying on top of the latest cybersecurity risks are more likely to be targeted’ with groups able to ‘cripple an organisation’ by encrypting files and computer systems.
‘To enable the wide range of client services and the operational technology on board to be resilient to any form of cyber-attack can be a challenge, due to the scale and complexity of these systems,’ she says.
In some of the latest ransomware attacks, Bolton says that criminal groups are not only encrypting systems and data but also stealing sensitive data – such as personal information about customers – and publishing it online if companies don't pay up. It means cruise companies, along with other companies in the travel sector, are a ‘particularly attractive target’ as they are ‘likely to hold large amounts of information on their passengers.’
More likely to pay up
‘Ransomware attacks are more likely to occur where there is a combination of an attractive target with weak defences’ and ‘organisations with large amounts of personal data, payment information, or with critical operations such as infrastructure providers are attractive targets because the greater impact of an attack means the company is more likely to “pay up,”’ according to Bolton. In order to solve the problem, she believes the key step should be to ensure a ‘clear cybersecurity strategy with board-level ownership, which allows for everyone to work together towards a common goal.’ She also believes that ‘this should take into account the whole organisation, third parties and cloud services’ – not just the vessels themselves.
‘A key aspect of this strategy is to expect, plan and test for such attacks. Knowing how you will both manage and recover from a ransomware attack is vital in being prepared for when it occurs.’
Implementing an effective solution
Putting these steps into action requires ‘skilled employees who are empowered to make changes to the way things are done,’ Bolton suggests, adding that while the exact actions that should be taken are dependent on the risks identified, these could include ‘having a clear incident detection and recovery plan, vulnerability management process, secure remote access, as well as cybersecurity awareness and training for staff and operators.’
She adds, ‘Third-party dependencies should be clearly understood and tested to ensure that they don't provide an easier way into the target organisation, or easy ways to access sensitive information that customers may have provided.’
Looking towards the future
Looking forward to new and emerging cyber threats, it’s Bolton’s view that cruise companies will continue to face unique pressures. ‘Cruise vessels are under pressure to improve their security posture in response to such threats, and industry bodies are publishing sector-specific regulations and frameworks in an attempt to provide guidance,’ she says.
‘We are seeing flag states now enforcing the IMO resolution MSC.428(98) and guidance (MSC-FAL.1/Circ.3). This offers recommendations for adopting a risk-based approach to cyber safety and security, implementing effective cyber risk management starting at senior level, aligning to industry standards such as the 5 NIST Cyber Security Framework pillars...and communicating awareness throughout the organisation.’
Bolton concludes, ‘With no doubt, the cruise sector is moving into new territories with the introduction of Internet-of-Things (IoT) technologies, the need for automation, the reliance on remote monitoring and the adoption of cloud and collaboration tools. But this comes at a price in terms of an overall increase in the threat surface.’