An international shipping company manages a large fleet of vessels that are often offline or have only limited network connectivity. Because crews have access to the ships’ computers, the company sought a way to address malware and other security risks quickly, even when ships are at sea with no connectivity, in order to prevent the loss of internal data.

The challenge:

  • The legacy solution failed to detect malware and ransomware on multiple occasions.
  • Signatures for the legacy solution were almost never updated, due to bandwidth and connectivity restrictions.
  • 24x7 monitoring was not possible, because an internet connection was usually unavailable.
  • No cybersecurity staff were on board, and crews were not trained.
  • Unauthorized devices were often plugged into ships’ computers.


Ships represent a unique environment: they can be at sea for months at a time and away from the main base for extended periods. Internet connectivity is only intermittently available, and the bandwidth is often limited and expensive. Crews usually have no cybersecurity training and may bring unsafe, insecure devices on board that carry malware and ransomware. Because of established internal processes, external devices cannot be blocked outright without creating other issues: they are essential to normal operations and may have to be replaced at a moment’s notice under a variety of contingencies. Response time is critical, yet real-time access is seldom available because ships are often sailing in unfavorable conditions or isolated areas.

Over the course of three months, IBM Security ReaQta prevented 24 ransomware attacks.

Data loss was avoided by tracking and remediating dozens of other attacks.

Detection and remediation

The solution:

  • IBM Security® ReaQta was installed on every endpoint aboard every ship.
  • Low data usage allowed ground crews to monitor ships in real time and respond whenever a connection was available.
  • Automated response and remediation were activated to remove threats while no internet connection was available.


After a series of ransomware attacks that created severe issues on board, the international shipping company asked IBM to secure its infrastructure. An initial hygiene check showed that a large number of ships were already infected with a variety of malware, including RATs, Trojans and reverse shells. All identified infections were assessed and removed, and the ReaQta solution was then reconfigured to align with the company’s specifications: the risk of interrupting business continuity had to be reduced to a minimum, while ensuring that no data could be destroyed when there was no internet connectivity. Data transfer had to be kept to a minimum to avoid saturating the satellite connection that is essential to daily operations. The figure (below) shows the deployment setup.


Hygiene check

After the initial deployment, ReaQta immediately flagged a variety of anomalous behaviors, which were quickly addressed and remediated. Most of the malware had been brought on board by the crew; the remaining instances originated in content downloaded from internet-connected endpoints. A threat hunting campaign was then initiated, and it brought to light a few “dormant” malware instances that were waiting for a remote operator to connect and take control. Those, too, were remediated, and an observation period of seven days followed. After confirming the absence of further anomalies, IBM reconfigured the platform to operate within the company’s parameters of optimal data usage and low risk of business-continuity interruption.


Day-to-day operations

The management dashboard was installed within the main base infrastructure in order to centralize management of the ships. Although the network on board was unified, only a single endpoint had internet access; the others, including crews’ devices, had no internet connection. This peculiar environment required IBM to create a secure channel that allowed every endpoint to deliver ReaQta data (and nothing else) to the main base. A team of analysts was in charge of monitoring and responding to possible incidents.

When a ship was scheduled to go offline, ransomware protection was enabled, as ransomware was the only attack vector that could endanger the data while disconnected. An infection by a RAT or Trojan would have had no immediate impact, because without connectivity the malware could not reach its operator. All other behaviors were monitored and their tracking data archived locally, to be delivered as soon as an internet link became available again.
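The offline policy and store-and-forward delivery described above, as an added illustration that is not ReaQta’s code: offline, only ransomware is auto-remediated while everything else is tracked and archived locally, and on reconnect the archive is flushed highest severity first within a byte budget so the satellite link is not saturated. The event schema, hostnames and budget are assumptions.

```python
import json

# Constructed sample detections, as an on-board endpoint agent might record
# them. Field names and hostnames are assumptions, not a real product schema.
SAMPLE_EVENTS = [
    {"ts": "2022-09-01T03:12:00Z", "host": "bridge-pc-1", "kind": "ransomware", "severity": 9},
    {"ts": "2022-09-01T04:40:00Z", "host": "crew-laptop-7", "kind": "rat", "severity": 7},
    {"ts": "2022-09-01T05:02:00Z", "host": "engine-ws-2", "kind": "usb_insert", "severity": 3},
]

def encode(record):
    """Compact JSON is what would cross the satellite link; its length is what we budget."""
    return json.dumps(record, separators=(",", ":"), sort_keys=True).encode()

class ShipSpooler:
    """Store-and-forward telemetry queue for an endpoint with intermittent connectivity."""

    def __init__(self, link_up=False):
        self.link_up = link_up
        self.archive = []   # records waiting for a link, kept on the ship
        self.outbox = []    # records handed to the uplink towards the main base

    def handle(self, event):
        """Decide the local action. Offline, only ransomware is auto-remediated,
        because it is the one vector that destroys data before anyone can respond;
        a RAT or Trojan cannot reach its operator without a link, so it is tracked."""
        action = "auto_remediate" if event["kind"] == "ransomware" else "track"
        record = dict(event, action=action)
        (self.outbox if self.link_up else self.archive).append(record)
        return action

    def flush(self, byte_budget):
        """Link is back: deliver archived records, highest severity first, without
        exceeding the byte budget for this window. Records that do not fit stay
        archived for the next window. Returns the records delivered now."""
        self.link_up = True
        pending = sorted(self.archive, key=lambda r: (-r["severity"], r["ts"]))
        sent, used = [], 0
        for rec in pending:
            size = len(encode(rec))
            if used + size > byte_budget:
                continue  # too big for what is left; a smaller record may still fit
            used += size
            sent.append(rec)
        self.archive = [r for r in pending if r not in sent]
        self.outbox.extend(sent)
        return sent
```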

Preventing data loss

Over the course of the next three months, ReaQta prevented a total of 24 ransomware attacks, tracked and remediated a few dozen other threats—mostly RATs—and prevented the loss of data. Without it, the ships’ operations would have been compromised, and critical data would have become unavailable to the crew in less-than-ideal conditions. The company already knew well the repercussions of ransomware and its impact on a single ship. In this scenario ReaQta prevented delays, averted data loss and avoided costly emergency response operations.

About the international shipping company

The major international shipping company manages over 200 ships that transport goods around the world.



Solution component
IBM Security® ReaQta


© Copyright IBM Corporation 2022. IBM Corporation, IBM Security, New Orchard Road, Armonk, NY 10504

Produced in the United States of America, October 2022.

IBM, the IBM logo, ibm.com, and IBM Security are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at https://www.ibm.com/legal/copytrade.

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

The performance data and client examples cited are presented for illustrative purposes only. Actual performance results may vary depending on specific configurations and operating conditions. THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.