The Weekly Reflektion 50/2023

10. December 2023

The principle of identifying dangers and threats to your operation and establishing barriers to prevent these causing an incident and/or reducing the consequences of any incident is well established in the world of process safety. Even then we still experience serious accidents and people get hurt. This principle is also relevant to cyber safety. Our increased use of IT (Information Technology) and OT (Operational Technology) systems and our focus on digitalisation that increases the connectivity between these systems makes us more vulnerable to cyberattacks. Just as we learned from major accidents like Texas City, Piper Alpha, Bhopal, we need to learn from cyberattacks.

Do you have holes in the barriers in your IT systems?

Thank you for the feedback on our Reflektion on cyber safety in week 47/2023. We register that this is an area of interest and we decided to follow up with a Reflektion around the ‘NotPetya’ cyberattack in 2017 that affected among others Mærsk Shipping.

In 2013 the chief of the General Staff of the Russian military, General Valery Gerasimov gave a speech where he made the following statement.

‘In the 21^st century we have seen a tendency towards blurring the lines between the states of war and peace. Wars are no longer declared and having begun, proceed according to an unfamiliar template.’

One of the points he used to illustrate this was long-distance contactless actions, e.g. cyberattacks and disinformation.

In 2017 the most serious cyberattack ever launched led to financial losses of more than USD 10 billion. The ‘NotPatya’ malicious software affected among others Mærsk Shipping, responsible for around 25% of maritime container traffic worldwide. In just 7 minutes, 56000 devices were affected and key databases for shipping information were encrypted and the information effectively inaccessible. The domain controllers were compromised, and access was not possible. At a New Jersey port in the USA 3000 road trailers daily normally pick and deliver containers. Long lines of lorries built up and there was chaos. Shippers had to wait until the crisis was over or pay dearly to get their goods delivered on time.

The cyber attackers utilised a ‘hole’ in an accounting system delivered by the Linkos Group, a small Ukrainian family-run business. Their M.E.Doc accounting software was used by many people and companies filing taxes or doing business in Ukraine. The attackers hacked the update servers to allow them a hidden ‘backdoor’ into the thousands of PCs in Ukraine and around the world that used the software. PC’s that were attacked displayed a message that their files were encrypted and demanded USD 300 in bitcoin. The payment however could not be completed. It is almost certain that the intention of the attack was disruption and not extortion.

It took Mærsk nine days to return their systems to normal. It would have taken significantly longer but for an extraordinary piece of luck. Two hours before the attack a Mærsk office in Ghana experienced a power cut and their servers were off-line. Their domain controller was not only unaffected but the only controller available worldwide and could be used to reestablish the systems. The cost to Mærsk was more than USD 350 million.

Cyberwarfare is already with us even though no war has been declared. Cyberattacks that compromise our safety systems will happen. At best the safety systems will fail safe and weonly experience a financial loss. At worst the cyberattack can create a Major Accident and people will die and be seriously injured. We need to be prepared.