Maritime Cybersecurity

Maritime Cybersecurity… A few years ago, a spate of attacks captured the world’s attention as Somali pirates hijacked ships and held crews for ransom. The attacks grew more frequent, peaking around 2011, around the time of the dramatic hijacking of the Maersk Alabama— that incident was even adapted into a film starring Tom Hanks. But patrols began to secure the waters, and today, pirate attacks are exceedingly rare outside of the odd dinghy that wanders too close to the Yemeni coast. 

Instead, a different (and admittedly less flashy) piracy is on the rise.

For years now, the US Coast Guard has been quietly building its capabilities in maritime cybersecurity. In fact, protecting marine vessels from hacking attacks has become a core operational domain. Cyber risks in operational technology– the increasingly common and complex software used to run a vessel– are linked to serious safety, financial, and environmental consequences.

There are no firm figures on attacks as shipping companies are understandably reluctant to announce maritime cybersecurity incidents. But between attacks this year, a rise in ‘spear-phishing,’ and the IMO’s recently issued guidelines, now is the time to start taking maritime cybersecurity seriously.

What’s Happened So Far

In February, a cargo vessel approaching the Port of New York radioed in to say that it was in distress. This was not a failure of equipment or a patch of rough weather: a computer virus had taken its shipboard systems offline. For the first time, the Coast Guard deployed its cyber protection team.

The malware onboard had “significantly degraded the functionality of the onboard computer system,” according to the Coast Guard investigation. This is the network used for official business like updating electronic charts, managing cargo data and communicating with shore-side facilities. The Coast Guard investigation found that the vessel was operating without any effective cybersecurity measures in place.

Then, over the summer, the Coast Guard published a marine safety alert to raise awareness of recent email phishing and malware intrusion attempts, specifically targeting commercial vessels. They warned that hackers were trying to gain sensitive information, including the content of an official Notice of Arrival, by posing as official Port State Control authorities.

And last month, Pen Test Partners– who do penetration testing and security services– tested various vessels across different fleets and operators. What they found was fairly shocking: they reported that “in every single test to date we have unearthed a system or device, that of the few crew that was aware, no one could tell us what it was for.”

One ship even had a monitoring system that was running and connected to the main engine which nobody understood the purpose of. The hardware was unlabeled, and they could find no record of the system’s purchase or installation. In any other industry, a mystery box like this would have raised huge red flags. At last, the testers determined it had been installed by a third party that the shipping company had stopped working with years before.

How Would an Attack Happen?

The attacks which have been on the rise this year are phishing scams. Phishing scams are when a malicious would-be hacker sends a message pretending to be someone else– a client, a banker, an official– to try to get sensitive information, or intercept payments. They may try to get you to open a link, which then distributes malicious software designed to disrupt shipboard computer systems.

Now, it’s worth keeping in mind that hackers interested in money– not just chaos– are probably less keen to take over a ship, as it would be a complicated way to get funds. The main threat would be to a head office, through which they could access company finances, as well as access to ports and brokers.

But a ship doesn’t have to be the intended target of an attack to be affected. Recall the infamous malware attacks that did millions of dollars in damage to AP Moeller Maersk in 2017. Though the shipping industry wasn’t the target, they still had to completely rebuild their network of 4000 servers and 45,000 PCs, a massive undertaking.

Last month, Lloyd’s put out a report exploring a hypothetical cyber-attack in an extreme scenario. The ‘Shen attack’ imagined a computer virus carried by ships that scrambles the cargo database records at major ports, causing widespread disruption. In the scenario, 15 ports across Asia were crippled, causing over $110 billion in damages.

How to use Maritime Cybersecurity to Protect Yourself

It’s difficult to establish minimum standards for cybersecurity since actors range from small, single-ship businesses to multinational shipping lines. But IMO is leading the charge to include cybersecurity as part of a ship’s risk assessment.

They remind us that effective cyber risk management starts at the senior management level. A good first step is to get a Chief Information Security Office (CISO).

You absolutely also want to ensure that administrative staff can recognize a phishing attempt: make basic cybersecurity training a comprehensive policy.

Onboard, there should be a strict protocol enforced, which includes blanking off USB ports, ensuring no crew equipment is plugged into any ship computer systems, network segmentation, and network profiles for each employee with unique login credentials.

There will be more resources in the future: the International Maritime Cyber Centre of Excellence, a global industry collaboration, has recently launched, offering training for companies that operate in the maritime domain. They also have a Maritime Emergency Response Team, a 24/7 operations center that aims to share info. 

The bottom line is that a bit of basic cybersecurity training and common sense will go a long way. The maritime sector is worth trillions and has an unmatched reach across international waters– it’s high time it protects itself against cyber attacks.

Your Trusted Partner