That's according to a report from researchers at the University of Lancaster who found that maritime systems were especially susceptible to computer attacks and that ageing systems and a lack of training were particular barriers.
Security consultant Brian Honan said that all navies, indeed all shipping companies, were vulnerable to these threats. “What the report highlights is that many ships use Windows XP or Windows Server 2003 – one of which Microsoft has stopped supporting, and one Microsoft is about to stop supporting. And because ships are at sea a lot, it's not always easy to replace antiquated systems. It's a problem faced by private companies too,” he said, adding that the Lancaster report mirrors one produced in the autumn of last year by ENISA that also pointed out the security problems faced by shipping.
According to the Lancaster report, Cyber Operations in the Maritime Environment, shipping is a tempting target for cyber-criminals as 95 percent of goods are conveyed by sea.
“A combination of factory blockades, attacks on platforms and the digital disruption of ports is constant problem for multinational corporations. Some of the unrest is organised by political parties in rival territories who use the information-rich society to follow new vectors of attack”, it says, adding that “The risk posed by attacks on the new logistics is no longer negligible. The delay and disruption caused both by sabotage and crime is major cause of concern to both the military and the commercial world.”
Although this sounds almost apocalyptic, there are real serious concerns. “This is emphatically not scaremongering” said Nigel Inkster, director of Transnational Threats and political risk, at the International Institute for Strategic Studies (IISS), and a former assistant director of MI6. He says that the situation is the result of some indifference in the past. “We've sleep-walked into a situation where we were heavily dependent on ICT for everything and yet haven't taken security into account,” said Inkster.
Honan agrees, “There's been a major under-investment in IT and security” he says, pointing out this is not just a problem for maritime organisations.
There are steps that can be taken to improve security although, as Inkster points out, “We'll never make systems as secure as we'd like, no matter how much we spend.” He says that one of the first steps should be a sensible division of labour between government and the private sector, where each side can do what they're best at. He did say there were difficulties with the government's approach to cyber-security as they found it hard to gather all the information, as people don't always reveal details about threats. He also pointed out that: “Lots of threats are uncovered by GCHQ and there's a culture of secrecy there that makes it hard for them to make information on these threats available.”
Honan agrees that money isn't the answer to everything but navies and shipping companies should do what they can. “Focus on what the key risks are: make them more resilient so they don't fail totally in the event of an attack,” he says.