Monetising hacking by shorting commodity shipments

I’m continually asked by the maritime industry about the motivations of hackers. “Why would anyone hack us, we operate ships?”

It strikes me that many of the public and a lot of maritime businesses still think of the ‘hacker’ as a solo operator in a dark hoodie in a basement of their parents’ house. Yes, perhaps, but hacking has moved on so much more. Think of hacking more of as business – organisational structure, suppliers, customers, HR etc. Organised crime are very much present, as are some hostile nation states.

It’s almost exclusively about money. Less about hacktivism, more about dollar signs.

Probably the most familiar money-related hack is ransomware. Hijack data, demand money. Often receive it. Few ransomware incidents are genuinely targeted. A small number are very carefully targeted, but most will be opportunistic, even random.

The revenues from ransomware are significant, enough to fund structures where solo operators use scanning tools to find ingress points to organisations networks, then sell that access on to others to monetise further.

Bunkering invoice fraud is also a lucrative source of funds for criminals: by convincing firms to change banking details, $millions could be stolen.

Stock price manipulation

But this misses perhaps the most sinister opportunity to monetise hacking: shorting stock in advance of a ransomware incident or breach.

I haven’t seen much evidence of this yet, but it will happen if it hasn’t already. A public, large ransomware incident is often accompanied by a drop in the stock price of the victim firm, if it’s publicly listed.

Double extortion, where the threat is also to publish stolen data is even more likely to generate a stock price drop.

If criminals want to capitalise, they might short the stock of the victim too. Want to avoid the eyes of the SEC? Target companies that are already being shorted by others who believe the stock is overpriced.

However, this creates some interesting conflicts of interest. A market activist investor who is shorting stock now has a perverse incentive to see the organisation be breached.

I recall that several years ago, a hedge fund was mooted to short stock of listed firms that were perceived to have poor security. A breach follows and the stock drops.

This got me on a train of thought that ended up in some dark places. What other opportunities are there for shorting stock or influencing futures?

Containerised and bulk transport

The Suez incident was not a hack, it was attributed to poor helmsmanship either by the captain or the Suez pilots. However, it did demonstrate the vulnerability of our supply chains to such incidents.

Over numerous ship security exercises, we have been able to take remote control of the helm, main engine or feed incorrect navigation data to the bridge. Based on our own experience, it is very plausible that a Suez-type incident could be caused by motivated hackers.

The incident brought in to sharp relief the exposure of our global just-in-time shipping operations and saw product shortages and price spikes result.

So could criminals buy commodities that are in relatively short supply, perhaps a result of just-in-time manufacturing, cause a blockage in a critical shipping channel through a cyber security weakness in a vessel, then profit as those commodities leap in value?

Liquified natural gas

I’ve been speaking publicly for several years about our reliance on maritime supply chains. In the UK, we’ve relied heavily on gas for heating and power since decommissioning our coal fired power stations. Whilst we have good renewable energy generation, a cold, overcast and windless day in winter leaves us very reliant on gas imports. We sometimes rely on LNG shipments during the coldest days of winter when demand is highest.

We get asked to test and assess the cyber security of many vessels. In almost every exercise, we’ve eventually had remote control of the helm or main engine, or of other systems that could be used to bring the vessel to a standstill.

Another route for criminals to make some serious money? Buy gas futures. Hack an LNG carrier whilst it’s en route, not far from its destination terminal. Bring it to a standstill. Watch as the price of gas spikes, then let it get under way again.

Cruising

One of the UK’s busier ports is Southampton. It has one, relatively narrow dredged channel. Through misloading and resulting gross metacentric error the Hoegh Osaka capsized in the channel on  3^rd January 2015. Through good fortune, winds blew the crippled ship out of the dredged channel and on to the shallows of the Bramble Bank, preventing complete capsize and blocking of the shipping lane.

Multiple car manufacturers ship vehicles from Southampton, it is also a large container port. However, it is also the main embarkation point for several cruise lines.

A blockage of a port like Southampton could create multiple opportunities for destabilising business operations of publicly quoted firms and thereby affecting the stock price.

Image credit: Paul Coueslant / Car transporter Hoegh Osaka leaning against Bramble Bank in the Solent

Recommendations

If you need to ‘monetise’ cyber in order to convince your board that security is important, put the risks in terms they will be familiar with. Explain cyber in terms of outages:

The Maersk incident cost around $300M, though reports vary

The Evergreen Given incident in the Suez canal exposed the owner to a claim for ~$916M

The Hoegh Osaka incident fortunately did not result in extensive consequential loss claims, but salvage cost ~£10M and the cargo ~£30M

However, it’s also wise to review the stock price movements during and after these incidents. How long did it take for the stock price to recover?

Insurance limitations

Typically, one partly manages risk through insurance. However, Clause 380 and its replacement LMA5402 will likely exclude cover for cyber-related events.

It’s also worth being aware of IACS UR E26/27 which comes in to force for new builds 1^st Jan 2024. Seaworthiness and being in class may depend on cyber security in future. This has implications for insurance cover also.

Mitigation

I can’t stress enough the need to proactively start addressing cyber security on vessels. We’ve evaluated the security of well over 50 vessels, some fresh out of the yard. Not one came close to a standard of cyber security that we believe would defend against a motivated attacker.

Where to start?

In our experience, vessel cyber security issues stem from three main areas:

• Maritime technology vendors and their installers not understanding cyber security.
• Piecemeal refits; some systems are updated, but other older systems that they connect to are left untouched.
• Breakdown of intended security controls over time, a result of crew bypassing systems or unmanaged changes being made.

This is a good starting point: Tactical Advice for Maritime Cyber Security – Top 10