By Steven L. Caponi and Kate B. Belmont
The maritime community is sitting on the precipice of disaster. While regarded as one of the oldest and most well respected industries on the planet, the maritime community as a whole has failed to protect itself against the growing threat of cybercriminals. Methods of daily business transactions have failed to evolve and the reliance on out-dated technology with little to no cybersecurity protection has left many sections of the maritime community vulnerable to cyber-attack. The bunker fuel industry, in particular, has been recently faced with growing and continual threats, due to its outmoded business practices and its failure to employ the most efficient and reliable forms of cybersecurity protection.
As technology has evolved, dependence on technology has also increased. While technological advances may make work easier or faster, it has also created new threats and vulnerabilities for industries that rely too heavily on it, without employing the proper protections. Unfortunately, the bunker fuel industry is a prime example of a community that relies on shared technology and communication information, but has failed to implement the appropriate cybersecurity protections. As a result, the bunker fuel industry is a current target for today’s cybercriminals.
Like money, bunker fuel is a highly valuable and fungible commodity. It is estimated that, by 2020, worldwide sales of bunker fuel will reach 500 million tonnes per year. Using an average price of approximately $750 per metric tonne (mt) of MDO, suggests there will be nearly $500 billion in annual bunker fuel sales. Without a doubt, the bunker industry is a critical component of the maritime community and the global economy. That said, industries that are slow to change take significant and daily risks when methods of doing business fail to evolve to meet the growing threat posed by more sophisticated criminals. In common military/security parlance, this makes the bunker fuel industry a ‘soft target’ for cyber criminals.
In the bunker fuel industry, thousands of daily quotations, sales and payment transactions take place electronically. The principle means of communications for these transactions is through email communications. This has been, and continues to be, the Achilles heel for the bunker fuel industry. The bunker fuel industry has been the victim of many recent cyber-attacks, due to its reliance on unsecured email communications for its daily business transactions. The common practice in the industry involves traders receiving emails from buyers requesting quotes. The trader responds to these requests and after a series of email communications with a potential buyer, the transaction is often consummated and confirmed through these same email communications. Eventually, the bunkers are loaded and a new series of emails are exchanged to facilitate payment.
It is at this stage where the cybercrime is usually committed. After the physical supplier provides bunkers to the customer’s vessel, the trader receives an emailed invoice which appears to be from the physical supplier. As this is common practice in the industry, the invoice is submitted for processing and the wire transfer is quickly made. Unfortunately, the invoice is fraudulent, the wire transfer information is fraudulent, and payment is made to the cybercriminal’s account. When the legitimate invoice does arrive from the supplier with the real wire information, in many cases the trader is forced to pay twice. This is just one example of how the bunkering community is so easily susceptible to cyber-attacks.
While a convenient method for transacting business, emails can represent a significant vulnerability that will be readily exploited by cybercriminals. The fundamental flaw with e-mail transactions is the unavoidable reality that each communication travels over multiple unsecured networks and passes through numerous computer systems, all of which are unknown to the email sender and recipient. This presents cybercriminals with the opportunity to intercept communications, dissect how a particular business manages its transactions and allows them to send e-mails impersonating legitimate individuals or businesses. Too frequently, businesses ignore these risks by falling victim to a false sense of security caused by three erroneous assumptions: (i) that cybercrime requires a high level of sophistication; (ii) that a successful attack is a time consuming endeavour; and (iii) that they are not big enough to be worth the criminals’ effort.
Make no mistake, cybercriminals are smart, determined and have a good understanding of how to use a computer. But they are far from the image of a highly sophisticated group of computer geniuses sitting in a dimly lit room using banks of cutting edge computers to sift through lines of source code. Rather, most cybercriminals are members of an organised crime group who have concluded they can steal more money using a mouse than a gun. Geographically, these groups operate out of Africa, Russia, South East Asia and various countries in Eastern Europe. They prefer locations that are economically challenged, and where local politicians and law enforcement can be compromised. Contrary to popular belief, they are not highly educated because they buy rather than develop the software used to facilitate their crimes.
The second and third assumptions are perhaps the most easily exposed. Cybercrime is not solely focused on large targets, because such targets necessitate time consuming effort requiring weeks of preplanning. In fact, cybercrime is the complete opposite – it is a crime of opportunity. This is reflected in the cybercriminals’ use of phishing emails. Phishing involves the use of what otherwise appears to be legitimate email messages or websites that trick users into downloading malicious software or handing over your personal information under false pretences. For example, by unknowingly downloading malware, a user provides the criminals with the ability to access their computer, read their files and send messages from their email account. Or, an employee may receive an email allegedly from the IT department stating they are performing routine security upgrades and asking that user confirm their user name and password in order to not be locked-out of the system.
Many reading this article may question the utility of using such an approach and believe reasonable people would not fall victim to a phishing attack. The figures tell a different story. Over 156 million phishing emails are sent every day. They are randomly generated using very basic software programs and transmitted 24/7 across the globe. Around 16 million of these e-mails make it past company security systems and 8 million are opened and read. This results in over 80,000 people, every day, clicking on the corrupted link, unknowingly downloading malware and providing user identification and log-on credentials. As a result, after an evening of sending millions of emails, cybercriminals have 80,000 new victims to choose from.
By now, many in the maritime community are aware of the cyber-attack that cost World Fuel Services (WFS) an estimated $18 million. The scam exposed the numerous flaws in the way most bunker fuel is sold. Impersonating the United States Defense Logistics Agency, cyber criminals used fake credentials to send an email seeking to participate in a tender for a large amount of fuel. WFS received the offer to participate in the tender, took the email at face value and purchased 17,000 mt of marine gas oil from Monjasa that was then delivered to a tanker known as the Ocean Pearl while it was off the Ivory Coast. Upon submission of the invoice, the government agency responded that it had no record of the fuel tender.
There are several facts about the bunker fuel industry that we know to be absolutely true: (i) the industry involves hundreds of billions of dollars in annual transactions; (ii) the transactions are consummated almost exclusively through electronic communications; (iii) there are minimal security protocols used to validate these transactions; (iv) cyber criminals pursue crimes of opportunity that present low risk; and (v) every organisation will at some point be compromised by malware or a phishing scam. This begs the question, what should be done to combat this threat? Fortunately for the bunker industry, there are several common sense steps that will dramatically reduce the potential for falling victim to a cybercrime.
The first and most obvious step is to retain professionals who can help harden your company against a cyber-attack. Both cybersecurity lawyers and consultants can provide assistance in developing systems and protocols to protect your company from cybercriminals and the potential liability that results from a cyber-attack. Being a hardened target means adopting the policies and procedures that will make your company less susceptible to an attack. Present cybercriminals with a choice between expending resources trying to overcome your defences or moving on to a more vulnerable victim. More often than not, they will choose to the path of least resistance.
Unfortunately, there is not one simple solution for becoming a hardened target, because each business operates differently with a different clientele. But there are things nearly all companies can do to become more secure and hardened. For example, do not rely solely on email communications to consummate large purchases or transactions. In addition to email, require a second channel of communication with the buyer, such as a phone call, fax or form of identification/authorisation not readily accessible to cybercriminals. There are other options such as utilising a secure web portal for bunker fuel transactions. Whatever path is taken, it is wise to remember that the more sophisticated and varied your procedures for consummating a transaction, the more work required by the criminals. The more work required by the criminals, the more likely they will select a different target.
To avoid the continued targeting by cybercriminals and the tremendous financial implications that result therefrom, the bunker fuel industry must evolve to meet the threats posed by reliance on unsecured shared technology and communication information, and work with cybersecurity professionals to develop or strengthen its cybersecurity practices. To date, the bunker fuel industry has failed to even moderately protect itself from cyber-attacks but must now act to arm itself or suffer continued disastrous financial implications.
“Old dog new tricks” appeared in Petrospot‘s December 2014/January 2015 edition of Bunkerspot. To read the article, please click here. Reprinted with permission from Petrospot.