Defeating 21st Century Pirates: the Maritime Cyberattacks
The maritime industry faces a not-so-distant future when ships will be completely autonomous, using navigation data that they receive to plot their own courses with only minimal input from shoreside control centers. The efficiencies this could bring are massive, but before this happens, cybersecurity issues must be addressed. Not only are many vessels configured in ways that invite cyberattacks, but security practices also need to be improved before the industry can safely navigate its future.
An increasingly digitized maritime industry
A fleet of 250 autonomous vessels may launch soon. And that would be only the beginning, according to McKinsey and Co. McKinsey sees autonomous ships becoming the norm, spurring consolidation of different shipping branches – trucking, railroads, maritime, port services – into an end-to-end system that combines them all and increases the volume of container trade as much as fivefold.
System vulnerabilities
The benefits of such a digitally driven industry are not without pitfalls, though. Vulnerability of digital systems is a real threat. Michael Mullen, U.S. Navy Admiral and Chairman of the Joint Chiefs of Staff, warns, “We are vulnerable in the military and in our governments, but I think we’re most vulnerable to cyberattacks commercially. This challenge is going to significantly increase. It’s not going to go away.”
Three navigation-critical systems have proven to be vulnerable:
- Global Navigation Satellite System (GNSS) – such as GPS, GLONASS, Galileo or BeiDou – pinpoints the vessel’s exact location, but can be deceived to fool the crew into changing course.
- Electronic Chart Display & Information System (ECDIS) – contains digital charts of ocean routes, but, when fed false information, can lead the crew to plot an erroneous course, or can lead them to believe they are on the correct course when they aren’t.
- Automatic Identification System (AIS) – monitors surrounding traffic and continuously broadcasts the vessel’s location to help avoid collisions, but can be intercepted and modified to give inaccurate information about the ship’s location, movements or identity.
The increasing practice of connecting shipboard systems to shoreside stakeholders via satellite or RF radio offers hackers opportunities to intercept and transmit falsified data, either to the ship or to stakeholders onshore. And anyone who can access system USB ports may – maliciously or unknowingly – download false data or malware.
These critical systems are not the only onboard systems that are vulnerable, either. Others include cargo management systems, bridge systems, propulsion and machinery management and power control systems, communication systems, access control systems, and others.
Compromise of these systems is not theoretical. Such cyber-kinetic attacks have happened. For some examples, have a look at my more detailed article on maritime cybersecurity threats. Unfortunately, though, those incidents have not spurred significant security improvements.
Security practice vulnerabilities
Much of that is due to laxity in security practices. Ninety-nine percent of successful attacks on maritime systems are through known but unpatched system vulnerabilities. Security is often limited to protecting system perimeters, with thought rarely given to detecting intruders who have penetrated the perimeter or stopping them from penetrating further.
Vessel systems often give all users admin access, which multiplies the number of vectors through which an attacker can compromise systems. Finally, many vessels network both their information technology (IT) and operations technology (OT) systems and then connect both to the internet for shoreside monitoring. This, however, gives any hacker who penetrates the perimeter full access to even the most critical onboard systems.
An attractive target
Maritime companies often fail to recognize what an attractive target they are to cybercriminals. The industry moves large sums of money between shipping lines and bunker suppliers or shipyards, not to mention the sums being paid to the shipping companies for their services. Not only that, but compromising maritime systems offers an inviting way for criminals to move illicit goods.
An August 2011 cyberattack on Iranian Shipping Line (IRISL) caused weeks of chaos and severe financial loss. A 2017 attack on A.P. Moeller-Maersk cost them more than $200 million. Organized crime groups have ensured the unchallenged delivery of their illicit goods by hacking into cargo systems in the Netherlands and Australia.
A fraudulent scheme victimized World Fuel Services (WFS) when cybercriminals forged a fuel supply tender to take delivery of $18 million worth of marine gas oil. Similar losses reported across the shipping industry have cost it hundreds of millions of dollars. Combine all this with ransomware attacks, sabotage and industrial espionage and the cost to the shipping industry is astronomical.
Taking steps to reduce vulnerabilities
Vulnerabilities that led to these losses could be reduced by applying to both IT and OT systems the principles recommended for other cyber-physical systems: defense in depth and defense in breadth. Defense-in-depth involves providing multiple security layers, so the more critical a system is, the more security levels protect it. Defense-in-breadth provides multiple security defenses within each level, so an intruder who penetrates one system is confined to that one system and doesn’t automatically gain access to others.
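The difference between a flat IT/OT network and a layered one can be modeled as reachability over allowed connections. The following is an added example, not part of the original article: the system names, gateway, firewall and jump host are a constructed layout, and the hop count stands in for the number of security layers an intruder has to cross.

```python
from collections import deque

# Constructed inventory: critical systems named in the article plus IT hosts.
CRITICAL = {"ecdis", "propulsion_control", "power_management"}
SYSTEMS = ["satcom_gateway", "office_pc", "cargo_mgmt", *sorted(CRITICAL)]

def flat_network():
    """IT and OT on one network, everything also reachable from the internet."""
    flows = {s: set(SYSTEMS) - {s} for s in SYSTEMS}
    flows["internet"] = set(SYSTEMS)
    return flows

def segmented_network(remote_session_open=False):
    """Layered layout (hypothetical): OT is reachable only through a jump host,
    and only while a shoreside remote session is explicitly opened."""
    return {
        "internet": {"satcom_gateway"},
        "satcom_gateway": {"it_firewall"},
        "it_firewall": {"office_pc", "cargo_mgmt"}
                       | ({"ot_jump_host"} if remote_session_open else set()),
        "ot_jump_host": {"propulsion_control"},  # one system, not the whole OT zone
    }

def hops_from(flows, start):
    """Breadth-first search: fewest allowed connections from start to each node."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in flows.get(node, ()):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist

def critical_exposure(flows, start="internet"):
    """Critical systems reachable from start, with the number of hops to each."""
    dist = hops_from(flows, start)
    return {s: dist[s] for s in sorted(CRITICAL) if s in dist}

if __name__ == "__main__":
    print("flat, from internet:      ", critical_exposure(flat_network()))
    print("segmented, session closed:", critical_exposure(segmented_network()))
    print("segmented, session open:  ", critical_exposure(segmented_network(True)))
    print("flat, from office_pc:     ", critical_exposure(flat_network(), "office_pc"))
    print("segmented, from office_pc:", critical_exposure(segmented_network(True), "office_pc"))
```

In the flat layout every critical system is one hop from the internet or from a compromised office PC; in the layered layout nothing critical is reachable until a remote session is opened, and then only the one system that session is for.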
Steps to reduce vulnerabilities:
- Bridge the divide between IT, operational technology, safety and other relevant functions.
- Replace any outdated or obsolete operating systems or antivirus software.
- Stop using default passwords. Assign users separate accounts that possess only as much access as their job needs.
- Practice both defense-in-depth and defense-in-breadth.
- Limit shoreside remote access to critical systems to only the times when it is needed.
- Give contractors and service providers only as much access as needed.
Ultimately, the most important step to take is to make security decisions a high-level responsibility. When security decisions are delegated downward to the IT department or individual ship level, security often becomes a low priority. But when security decisions are addressed near the top of the organization, they are carried out.
Facing a digital future
Digitization in the maritime industry is growing, and cyberattacks are growing along with it. Attackers achieve massive paydays when maritime targets leave vulnerabilities open. If the maritime industry is to enjoy the potential that digitization can bring, it must put cybersecurity in the forefront instead of on the back burner.
For a more detailed article on maritime cybersecurity see Navigating a Safe Course Through the Threat of Maritime Cyberattacks
Originally published on CSOonline.com on January 8, 2018.
Marin Ivezic
For over 30 years, Marin Ivezic has been protecting critical infrastructure and financial services against cyber, financial crime and regulatory risks posed by complex and emerging technologies.
He held multiple interim CISO and technology leadership roles in Global 2000 companies.