Have you ever seen the bridge of a commercial cargo shipping vessel? It is like a dream come true for every kid out there–a gigantic PlayStation. Unfortunately, maritime computer systems are also attractive to malicious cyber actors.
Illustrating this interest by malicious individuals, the U.S. Coast Guard issued a safety alert warning all shipping companies of maritime cyber attacks. The incident that led to this warning happened in February 2019 when a large ship on an international voyage bound for the Port of New York and New Jersey reported “a significant cyber incident impacting their shipboard network.”
The Coast Guard led an incident-response team to investigate the issue and found that “although the malware significantly degraded the functionality of the onboard computer system, essential vessel control systems had not been impacted.” The shipboard network was used for official business like updating electronic charts, managing cargo data and communicating with shore-side facilities, pilots, agents and the Coast Guard.
Despite the significance of the onboard computer systems, the Coast Guard investigation found that “the vessel was operating without effective cybersecurity measures in place, exposing critical vessel control systems to significant vulnerabilities.” For this reason, the alert strongly recommends that commercial vessels improve their cybersecurity such as by segmenting shipboard networks, enforcing per-user passwords and roles, installing basic security protections and patching regularly.
This isn’t the first time the US Coast Guard has released a cyber safety warning. In May 2019, they released a bulletin to raise the awareness of maritime stakeholders “of recent email phishing and malware intrusion attempts that targeted commercial vessels.” In accordance with the same bulletin, “Cyber adversaries are attempting to gain sensitive information including the content of an official Notice of Arrival (NOA) using email addresses that pose as an official Port State Control (PSC) authority.”
The attack surface of modern commercial vessels is vast since they are equipped with engines controlled by computers, and they heavily rely on electronic charting and navigation systems. Hence, the U.S. Coast Guard warns that “protecting these systems with proper cybersecurity measures is as essential as controlling physical access to the ship or performing routine maintenance on traditional machinery. It is imperative that the maritime community adapt to changing technologies and the changing threat landscape by recognizing the need for and implementing basic cyber hygiene measures.”
Back in 2011, the European Union Agency for Cybersecurity, formerly known as ENISA, released an analysis of the cyber security challenges in the maritime sector. The main finding of the analysis was that “Maritime cybersecurity awareness is currently low, to non-existent.” Six years later, in 2017, the NotPetya ransomware attack hit computers at shipping firm AP Moller-Maersk, an incident which required the firm to reinstall 4,000 servers, 45,000 workstations and 2,500 applications in less than two weeks. The attack ended up costing the firm between $250 million and $300 million. Clearly, digital security lessons are being learned the hard way.
With more than 90% of the world’s trade being carried by shipping, according to the United Nations’ International Maritime Organization, the maritime industry is an attractive target for cyber attackers. Because the shipboard systems mix IT and operational technology (OT), companies are vulnerable to losing control of ships due to a cyber attack. However, maritime vessels are not the exception to the rule. Markus Schmitz, managing director of SOFTimpact, a Cyprus-based IT solutions provider to the maritime industry, said that “the shipping industry is neither more nor less vulnerable than any other globally operating business.”
According to Schmitz, the business model of global shipping makes vessels even more vulnerable. Crew tend to be temporary and on voyage contracts, an arrangement that makes it hard for them to receive proper security training. This means they usually end up being unfamiliar with a specific company’s information security policy. In fact, most ships are operated with crew contracted through multiple levels of outsourcing, thereby making the task of assigning responsibility for information systems and incidents nearly impossible. “The role of in-house IT must be extended to include the OT systems,” Schmitz says. “The in-house IT must be trained on OT systems, must spend time onboard, must be included in purchasing processes, and must take responsibility.”
That’s exactly the reason why the U.S. Coast Guard notes in the alert that “Maintaining effective cybersecurity is not just an IT issue, but is rather a fundamental operational imperative in the 21st century maritime environment. The Coast Guard therefore strongly encourages all vessel and facility owners and operators to conduct cybersecurity assessments to better understand the extent of their cyber vulnerabilities.”
Cybersecurity is everyone’s business.