Cyber attacks in the maritime industry are on the rise. In the last five years, all four of the world’s largest liner shipping companies (AP Moller-Maersk, MSC, COSCO and CMA CGM) have suffered major attacks, leaving their operations crippled for weeks on end, note Dennis Hackney, Head of Cybersecurity Services Development – ABS Group and George Papamargaritis, MSS Director – Obrela.
Industry-wide data demonstrate the scale of the problem. The Obrela Security Industries SOC team reported a 33% increase in attacks on ships in Q2 2021 compared to Q2 2020. Recent advances in digitalization have brought a higher degree of connectivity to vessel operations and safety systems, with serious ramifications should an attempted cyber attack succeed.
Cyber attacks today go beyond manipulating navigation or tampering with cargo; they can disrupt local and global supply chains and even put the lives of the crew or passengers on board the ship at risk. Large-scale attacks can be disastrous for the shipping industry as the ecosystem surrounding it remains vulnerable.
Maritime Under Attack
Cyber threat actors have shifted focus from the information technology (IT) networks that run systems to the operational technology (OT) networks that control operations. By infiltrating OT networks and systems, cybercriminals can access industrial control systems (ICS) – both land and vessel-based – and disrupt ships as well as shipping ports and operations. This creates real-world impacts on the safety of people, vessels, and the environment.
For example, in 2019, a U.S. MTSA-regulated facility suffered an IT cybersecurity attack that disrupted the entire network after affecting the ICS used for monitoring and controlling cargo loading and unloading. The incident began when an MTSA facility employee clicked on a malicious link in a phishing email and downloaded ‘Ryuk’ ransomware. The ransomware then spread to the ICS that monitors and controls cargo transfers and encrypted files, halting daily operations.
In 2017, Maersk, at the time the world’s largest container line, suffered an IT-based attack that brought its operations to a standstill when the company’s systems were infected with NotPetya malware. It infiltrated the computers of every business unit in the company, including container and tanker shipping, port and tugboat operations, oil and gas production and drilling services. As a result, Maersk lost access to its entire inventory of shipping containers and was only able to recover when it managed to access the data from one offline computer located in Nigeria.
Most recently, in 2021, several Greek shipping companies fell victim to vulnerabilities introduced by third-party vendor software. The IT-based attack targeted specialized software tools used for ship management. The attack blocked communication between ships, suppliers, agents, and charterers. As a result, some clients used emergency alternatives to communicate with their ships.
Three Reasons Why Maritime is Vulnerable to Cyber Attacks
1- Vessel Infrastructure
Marine vessel infrastructure is particularly vulnerable to ‘man-in-the-middle’ attacks, a tactic where hackers intercept and selectively modify communicated data. Vendors that support navigation and engineering systems often add remote connections through IT networks on board the ship for diagnostics and maintenance. An unauthorized threat actor can access these connections if security protocols for each connection are not in place. Vulnerabilities in the IT systems of these ships often serve as the initial entry point for attackers and allow them to propagate into OT environments. In addition, vessel systems are prone to attacks such as credential theft to gain password access, lateral movement to search networks for key data, and privilege escalation to secure elevated rights within the system.
2- Lack of Specialized Cybersecurity Professionals
One of the most common obstacles facing the maritime industry is a lack of experienced cybersecurity professionals. There are very few cybersecurity experts who also have the domain expertise to understand, interpret and guide key decision-makers on cybersecurity best practices and ensure all marine-specific vulnerabilities are addressed.
Shipping companies typically have documented processes that assign cybersecurity responsibilities to the ship’s master. However, the master may lack experience in cybersecurity. While they must review the vessel’s cybersecurity documentation, it tends to be too high-level or consists of little more than a checklist of recommendations.
A lack of understanding of the difference between IT and OT cybersecurity presents another significant challenge. Too often, IT professionals need to take over the task of protecting the OT network. IT cybersecurity solutions are very mature and highly effective; however, they do not work in an OT environment and would likely shut down these networks.
3- Absence of Adequate, Domain-Specific Monitoring
OT cybersecurity monitoring is generally not well implemented on ships. While passive monitoring technologies specifically for industrial networks can be deployed on marine vessels, crews are not trained to monitor them for cybersecurity events. Complicating matters further is the fact that there are insufficient resources to ensure the constant monitoring required to protect vulnerable vessels. Monitoring these systems through a third-party Managed Service Provider (MSP) is an effective way for any cyber-related threats to be identified and mitigated before they escalate.
Cyber Hygiene: How the Maritime Industry Can Improve OT Cybersecurity
To keep vessels, ports, and business operations secure, organizations should consider the following cyber hygiene guidelines:
- Top-Down Business Accountability: Preventing cyber attacks requires top-level buy-in. Be sure that the C-Suite and Board of Directors are educated on the cyber threat landscape to ensure the right level of investment is in place to build an effective cybersecurity program.
- Implement Separate Solutions for IT and OT: When assessing the right cybersecurity solution for your vessel operations, risks to both IT and OT networks should be addressed independently. Organizations must find and implement individual solutions that are domain-specific, and that will not leave their vessels or operations susceptible to security bleeds.
- Deploy Automated Monitoring: When an organization is attacked, monitoring can help determine where attackers might go next and what they could impact. Organizations should deploy 24/7 detection and response solutions for the IT and OT systems onboard major vessels and ports. It is vital to know when an attack is occurring before it is too late.
- Create a Response Plan: Organizations should have a plan for responding if an attack occurs. This plan should include system shutdowns to prevent further damage and access to backup data.
Effective cybersecurity requires a comprehensive and tailored approach by experts who understand the difference between OT and IT. The maritime industry must proactively implement the necessary steps to improve its existing cyber hygiene to protect operations, crew members, the environment, and the wider ocean business community.
The views presented are only those of the author and do not necessarily reflect those of SAFETY4SEA and are for information sharing and discussion purposes only.