Το Ελληνικό Ινστιτούτο Στρατηγικών Μελετών (ΕΛΙΣΜΕ) και η Ερευνητική Ομάδα Maritime and Seapower Analysis Group (MSAG) στην Εσπερίδα 'Νέες Τεχνολογίες και Απειλές στο Θαλάσσιο Περιβάλλον: Internet of Things & Κυβερνοπόλεμος’ την Πέμπτη 7 Νοεμβρίου 2018 στο ΕΛΙΣΜΕ. https://www.facebook.com/events/251980868801123/

1. The better the question. The better the answer.
The better the world works.
Maritime
Cyber Security
November 2018
Fotis Sofronis
Manager at EY Cybersecurity Services

2. Page 2
Maritime Industry
History
To transport the capacity of
a large container ship you
would need:
► 1,100 airplanes
► 35 trains
► 11,400 trucks
► Cargo ships have been used to transport commodities for over 3,000 years!!!
► 90% of world trade is carried by the maritime industry, a capacity increase of almost
20,000% in just 59 years

3. Page 3
“A ship in harbor is safe, but that is
not what ships are built for”
Grace Murray Hopper, pioneering computer
scientist and U.S. Navy Rear Admiral

4. Page 4
CyberCrime
Hacktivism CyberWarfare
eSpionage
CyberTerrorism

5. Page 5
Maritime systems vulnerabilities
Vulnerable on-board systems include
► Propulsion and engine controls (ICS, SCADA,
Remote management)
► Cargo management (RFID, Tracking systems)
► Navigation and positioning systems (AIS GPS,
ECDIS)
► Communication systems (NavTex, VSAT, WII,
Email, VoIP)
► Crew and passenger management and welfare
systems
► Alarm and access control systems
► Cargo management systems (RFID, Tracking
systems, inspection systems)
► Cargo handling systems (ICS, SCADA)
► Ground systems for vessels (Mooring, tracking,
maintenance)
► Alarm and access control systems
► Passenger management systems
► Personnel and stevedore management systems
► Corporate IT systems (Email, intranet…)
Vulnerable port systems include

6. Page 6
Maritime cyber attacks
People
Propulsion
Cargo
Systems
Navigation
systems
On shore
systems
On board
(ship)
systems
Attack Surface
Maritime
cyber
attacks
Cyber-attack on
the Islamic
Republic of Iran
Shipping Lines –
The attacks damaged
all the data related to
rates, loading, cargo
number, date and
place resulting in
severe financial
losses.
APT attacks on
Japanese and South
Korean maritime and
shipbuilding groups
Malware was uploaded
into the main computing
system of the MODUFirst case of
ghost shipping -
Drug traffickers hacked
into the computer
controlling shipping
containers at the port of
Antwerp
Multiple
ransomware
cases in the
Greek market

7. Page 7
The cyber attack
Maersk
Imagine a company where a ship with 20,000 containers would enter a port every 15 minutes, and for ten days you have
no IT
MAERSK, 2017
► Hit by the malware NotPetya
► 76 port terminals closed around the world Cost to
the business USD $300m
► They went back to basics and did everything on
paper

8. Page 8
The cyber attack
Limassol - Cyprus
Shipping Company - Cyprus, 2015
► August 2015, received an email purportedly from their fuel supplier in Africa, requesting money
owed be paid to a different account than usual
► Shipping company complied, paid roughly $644,000
► Later received email from fuel company asking for payment
► Cyber crime (Interpol) has traced the money in Poland

9. Page 9
The cyber attack
Houston – Oil rig
Oil rig stability/security – Houston, 2013
► Hackers seized command of the petrochemical plant’s computerized control-and-safety system
► Infiltrated the safety system’s firmware and inserted a ‘Remote Access Trojan’ (RAT) which
allowed them to go inside the computer system and issue instructions via a hidden, electronic
“back door”
► Malicious software unintentionally downloaded by offshore oil workers through laptops and
USB drives, from online sources through satellite (pornography, music piracy)

10. Page 10
The cyber attack
Port of Antwerp - Brussels
Port of Antwerp – Brussels, 2013
► Hackers working with a drug-
smuggling gang repeatedly breached
digital tracking systems to locate
containers holding large quantities of
drugs
► Sneaked hackers into the docks'
offices and fitted special key-logging
devices onto computer terminals
► They then dispatched their own drivers
to retrieve the containers ahead of the
scheduled collection time.
The scam has echoes of a plot in the hit US crime thriller, The Wire, in which a drug smuggling gang at a port in the city
of Baltimore hire corrupt dockworkers to alter the computer records of containers with drugs planted in them.

11. Page 11
Global Information Security Survey
Maritime industry
► Careless or unaware employees
► Outdated information security
controls or architecture
► Unauthorized access
► Malware
► Cyber-attacks to steal financial
information
► Phishing
What are your prorities?
1 Cyber Resilience
2 Data leakage / data loss
prevention
3Security awareness
Top
Threats
Top
Vulns
Source: EY - Global Information Security Survey 2017-Transportation Sector results
44%
of responders
► Do not have any type of SOC function
► Do not have a threat intelligence program
► Do not have or have an informal vulnerability management program
87%
of board members and C-level
executives have said they lack
confidence in their organisation’s level
of cybersecurity
of responders say they need up
to 50% more budget
86%
of responders have had a
recent cybersecurity
incident
57%

12. Page 12
Global Information Security Survey
Maritime industry
► Ports, vessels and infrastructure becoming increasingly
connected

13. Page 13
Going forward
Enterprise
strategy
Incubation
and
innovation
Continuous
Experience
Implementati
on
Operations
Grow Optimise
Trust
Protect
In order to make this performance breakthrough, companies
need to reinvent themselves in five capability areas

14. Page 14
Cyber defence
Cyber security transformation
Security
architecture
Change
programmes
Identity & access
management
Education
& awareness
Cloud /
digital / mobile
Cyber
exercises
Application
security
Penetration
testing
Technical
security
modules
Incident
response

15. Page 15
EU Cyber Security
Strategy (COM) 
eIDAs Directive –
article 19 
EU Cloud Computing Strategy
and Partnership (COM) 
Telecom Package –
article 13 a, art. 4 
ENISA II – new mandate 
The NIS Directive

EU’s CIIP action plan 
General Data
Protection
Regulation (GDPR)

Digital Single Market Strategy
(DSM)
cPPP 

16. Page 16
Emerging technologies
What to expect?
► IoT applications that improves the safety of ship operations and
improves crew well-being - applied to smart ships by 2019
► Block chain technology to improve operations in the global
supply chain by increasing data and information sharing (e.g.
smart contracts, increase security, cost saving, full transparency,
etc.) - joint venture between EY and Guardtime
► Crewless ships that will be computer controlled vessels by
2020. Safer, cheaper and less polluting
► R&D projects will include a new marine fleet management center
to allow remote monitoring and data analysis
► Big Data on fuel consumption, navigational information, system
performance, optimization

17. Page 17
Thank you
Q
& A
Fotis.Sofronis@gr.ey.com
gr.linkedin.com/in/fsofronis

18. EY | Assurance | Tax | Transactions | Advisory
About EY
EY is a global leader in assurance, tax, transaction and advisory services.
The insights and quality services we deliver help build trust and confidence
in the capital markets and in economies the world over. We develop
outstanding leaders who team to deliver on our promises to all of our
stakeholders. In so doing, we play a critical role in building a better working
world for our people, for our clients and for our communities.
EY refers to the global organization, and may refer to one or more, of the
member firms of Ernst & Young Global Limited, each of which is a separate
legal entity. Ernst & Young Global Limited, a UK company limited by
guarantee, does not provide services to clients. For more information about
our organization, please visit ey.com.
About EY's Advisory Services
In a world of unprecedented change, EY Advisory believes a better working
world means solving big, complex industry issues and capitalizing on
opportunities to help deliver outcomes that grow, optimize and protect
clients’ businesses. From C-suite and functional leaders of Fortune 100
multinationals to disruptive innovators and emerging market small and
medium sized enterprises, EY Advisory teams with clients — from strategy
through execution — to help them design better outcomes and deliver long-
lasting results. A global mindset, diversity and collaborative culture inspires
EY consultants to ask better questions. They work with the client, as well as
an ecosystem of internal and external experts, to co-create more innovative
answers. Together, EY helps clients’ businesses work better.
The better the question. The better the answer. The better the world works.
© 2015 EY
All Rights Reserved.