When MSC's website when dark April 9, rumblings began among industry stakeholders and analysts: Is it a cyberattack? Is this a repeat of the 2017 NotPetya attack on Maersk?
Less than a week later, MSC confirmed it was a malware attack. But beyond that, it hasn't offered many details, "as this would be counter-productive from a security perspective," it gave as the rationale.
Subodha Kumar, professor of marketing and supply chain management at Temple University's Fox School of Business, said the cyberattack most likely was ransomware, in which hackers lock a system and require payment rather than stealing data. He estimated the cost impact may be in the hundreds of millions of dollars.
The attack wasn't "catastrophically bad for MSC nor the customers," Lars Jensen, maritime security advisor at Improsec, told Supply Chain Dive, particularly in comparison to the cyberattack on Maersk that hindered port, depot and terminal operations and cost the carrier up to $300 million.
Still, the MSC incident points to a pattern. In three years, three major container lines have been hit by cyberattacks:
- June 2017: Maersk
- July 2018: COSCO
- April 2020: MSC
Ocean carriers, historically slow to digitalize, have started to embrace online booking, instant quotes, real-time data transfer, traceability and sensors — but with those advancements comes increased cyber risk, especially if the carriers rely on legacy systems, Kumar said.
Shipping lines must prioritize cybersecurity, experts told Supply Chain Dive, but shippers and freight forwarders also have a role to play in vetting their supply chain partners' risks and protecting their data and cargo.
2017 NotPetya: The wake-up call
Before NotPetya, the maritime industry's approach to cybersecurity was "complete denial," Jensen said, even though ports and shipping lines had been breached and seen their systems taken offline before 2017.
Cyberattacks such as NotPetya and WannaCry were a wake-up call for large logistics firms, Joe McMann, strategy lead for Capgemini Cyber North America, told Supply Chain Dive. "There was an impact to actual operations, to actual business," he said. "It wasn't just back office."
After NotPetya, shipping lines started to implement security measures, such as creating silos within integrated systems, said Hariesh Manaadiar, author of Shipping and Freight Resource. That way, when one part of the network goes down, it doesn't cause outages in everything from booking to track and trace, he told Supply Chain Dive.
How MSC's outage unfolded
The attack on MSC affected its administrative network but not its customer front, Manaadiar said, reflecting the carrier's silos.
MSC has implemented cybersecurity training for personnel and is "in the process of continuous evolution" of its IT software and infrastructure, the carrier said in its FAQ statement released after the attack. The Swiss firm is also a founding member of the Digital Container Shipping Association, focused on data standards and cybersecurity.
"While we consider this incident to be resolved, we are not complacent and we remain focused and cautious in our approach to information technology," the carrier stated.
Carrier at risk, shipper at risk
Shippers, forwarders and carriers are often connected via integrated APIs and ERP systems, Manaadiar said. "One attack on somebody can boomerang and impact others as well."
Problems can arise when cargo has arrived at the port, but the port can't release the container until the carrier gives the go ahead. But if the container line's system is down, it cannot see where the container is and therefore can't authorize release, Jensen said. "Then you have to work manually with this and that becomes a bottleneck," he said.
"How much do you know about that partner that you're doing business with? How much do you trust their security practices?"
Joe McMann
Strategy Lead for Capgemini Cyber North America
If the risk does not affect cargo flow or terminal operations, experts said breached or compromised data is the most pressing risk for shippers during a carrier cyberattack.
Hackers could gain access to sensitive cargo information. Or they could alter data on a shipment or change temperature and humidity settings on a reefer container, according to Manaadiar.
"If cybercriminals encrypt or destroy data, shippers won't know where their cargo should end up, or how to get there — and with network downtime being another potential consequence of a cyberattack, they may have no way to find this information out," Sam Roguine, director of solution marketing and enablement at Arcserve, a data protection software company, told Supply Chain Dive in an email.
MSC, following the attack, said it was not aware of any lost or compromised data.
Know your partner and your plan B
Shippers should have contingencies in case of a disruption, whether cyberattack or otherwise, and plan B must be laid out ahead of time. "When something bad happens, you're not in information gathering mode, not in scramble mode," McMann said.
Experts recommended shippers retain cargo data in a local system rather than relying exclusively on the shipping line or freight forwarder.
They also need to include carriers in their risk assessments. "How much do you know about that partner that you're doing business with? How much do you trust their security practices?" are questions to ask when assessing risk, McMann said.
Shippers can look for subtle hints based on their interactions with carriers, Jensen said. He gave the example of shippers able to create an account and log in to a carrier's e-commerce tool using a simple password, such as X. "Dealing with a company that thinks the password 'X' is perfectly secure, that in itself does not prove that their back end systems aren't secure — but it's a sign. That would leave me worried."
There's no comprehensive list of containers ranked by their cyber health or risk, Jensen said.
Shippers can also ask forwarders and carriers directly about their security protocols and what plans the container lines have in place in case an attack happens, Kumar said. He recommended shippers take it a step further and push carriers to tighten and secure their systems.
"Changes come when they have a real push from customers," Kumar said. "Otherwise, they're very resistant to change."