The digitization of the maritime industry has led to advancements in offshore communications and industrial control systems. As the industry becomes more digitized, critical systems onboard vessels are becoming increasingly vulnerable to cyberattacks.
Shipping is becoming more reliant on digital solutions for the completion of everyday tasks.
The rapid developments within information technology, data usage and availability, processing speeds, and data transfer present shipowners and other maritime industry players with increased possibilities for optimized operations, cost savings, safety improvements, and sustainable initiatives. These developments rely on increased connectivity often via the internet between servers, IT systems, and OT systems, which increases the potential for cyber vulnerabilities and risk.
In Inmarsat’s 2022 Beyond Compliance report, cyberattacks that target the maritime sector increased by 168% in the Asia-Pacific region alone, especially with the rapid pace of digitalization in the maritime industry through new technologies.
How do seafarers view this threat and what measures are marine companies taking to prevent it?
A 2020 Safety at Sea and BIMCO Maritime cybersecurity survey found 77% of respondents view cyberattacks as a medium or high risk to their organizations. Within that same survey, only 42% of respondents’ organizations had operational technology cyber protection.
The International Maritime Organization Resolution MSC.428 (98) requires ship owners and managers to assess cyber risk and implement relevant measures across all functions of their safety management system.
Since every vessel company and ship is unique to its own operations, approaches to cyber risk management will be company and ship specific. These approaches, however, should be guided by the requirements of relevant national, international, and flag-state regulations and guidelines.
It is imperative that ship owners look at all aspects of their ship operations to ensure their protection against growing cyberthreats.
There is a need for the contradistinction between industrial control systems (ICS), operation technology (OT), cyber-physical systems (CPS), and the Internet of Things (IoT). Understanding how these systems differ will help distinguish their specific cybersecurity system requirements.
Almost all technology discussed falls within the ICS category, from electronic control systems to associated information used for process control.
Operation technology deserves its own distinction, representing hardware or software that invokes a change through direct monitoring of physical devices, particularly in production and operations.
Where ICS and OT overlap is designated as the Industrial IoT, encompassing devices such as actuators or sensors. Examples of IoT are real-time analytics, commodity sensors, sophisticated embedded systems, 5G networks, and cloud storage and computing.
Cyber-physical systems engirdle all the above, defined as programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). CPS examples are becoming increasingly prevalent on the water, like autonomous vessels, automatic pilot systems, and smart grids.
When it comes to cybersecurity, IT and OT differ in several ways.
From a staffing perspective, IT professionals have been trained and certified in security disciplines, whereas those tasked with OT security are generally operational technology people. The addition of security in their job responsibilities is not an area that they’re specialized in.
The outcomes of being hacked through either system are also drastically different. An IT attack can lead to data theft: OT attacks could lead to asset damage, environmental impacts, personnel injury, or even death.
A hacker that compromises an IT network will likely steal personnel data, credit card numbers, and other confidential information. More likely than not, this data will be held for a hefty ransom to be paid out. Programmable logic controllers (PLCs) on maritime vessels are an easy mark for hackers due to their lack of built-in security. In the past, vessels were reliant on air-gapping as their primary security solution. The digitization of the industry and increased connectivity lacking segmentation between IT and vessel networks have increased a vessel’s vulnerability.
Hackers targeting OT environments that support manufacturing, transportation, defense, and utility infrastructure is a whole different realm of cyberattacks. In this area, hackers target satellite communications, open Wi-Fi networks, IT networks, and maritime-specific systems. Spear phishing email campaigns are the most common, while compromised control systems and stolen credentials are alternative forms of OT attacks. If a hacker is on board the vessel, they can gain access directly using something as simple as a corrupted USB drive. Once infected, hackers will gain control over critical control systems that run navigation, communication, valve operations, propulsion, and rudder control.
Josh Lospinoso, CEO of Shift5, said in a November article in The Record, “Maintenance tools used on vessels in U.S. ports are a vector for malicious activity that bridge maritime IT and operational technology, which could give attackers root access to systems without physical access to the ships or ports themselves.”
Consider a modern maritime vessel and all its connectivity features.
A vessel has technology outfits for bridge control systems, operations security, propulsion and power, network security, communications, safety systems, navigation, physical security, crew network, loading and stability, shipping network, and supply chain. Break each of those categories down further into segmented inputs and you have dozens of ways that hackers can infiltrate and infect your onboard systems.
The complexities in merging IT, ICS, and OT while protecting a vessel’s critical operations from cyber threats pose unique challenges for operation centers and fleets spread across the world.
Hackers are becoming increasingly better at their malicious craft. The most common attack vector by hackers is crew interaction with phishing attempts. Eric Griffin, VP of offshore energy at Inmarsat, notes crew welfare and IoT availability is the biggest driver of increased data usage, rising over 200% within the last two years. This increase in internet users onboard vessels allows hackers to cast a wide net in hopes that a single crewmember will take the bait.
The Danish shipping company Maersk was the victim of one of the largest cyberattacks to date. The world's largest container shipping company with offices in 130 countries and 80,000 employees, was infected by NotPetya malware in 2017. Once the malware infiltrated Maersk’s systems, it spread through the entire network in seven minutes, leading to damages estimated at over $300 million. Following the attack, and to prevent emerging threats, Maersk now employs a separate internal threat team that studies these threats and works on response mitigation for future attacks.
A year later, in 2018, the China Ocean Shipping Company (COSCO) had its North and South American regions taken out by SamSam ransomware. The attack took place right after COSCO acquired rival OOCL. The monetary damages have not been disclosed. COSCO was able to return to normal operations within five days after activating its contingency plans. The segmentation of COSCO’s networks across the globe allowed this damage to be limited. The isolation of its western sector minimized the surface of the attack, and the separation of OT and IT networks stopped the spread of the ransomware from reaching its critical vessel controls.
It is crucial that a vessel’s network and critical control systems are protected, but there also needs to be a data protection and recovery plan in place. That way, if the network is kicked offline, the vessel can still operate. If the backup is attached to the network, it is still susceptible to attack. The ability to reconstruct your database after data loss is an important feature for vessel companies to consider.
The Department of Homeland Security noted last November that the most significant threat to U.S. ports is cyberattacks. There are over 900 ports in the U.S. that need cybersecurity. Many of those ports are critical to domestic energy infrastructure. Ports are considered an easy target for cyberattacks since much of their workforce is outsourced.
Results from Jones Walker LLP's 2022 Ports and Terminals Cybersecurity Survey reflect the responses of 125 c-suite executives, directors, security and compliance officers, and general counsel, and confirm that cybersecurity remains a top concern for the ports and terminals sector within the maritime industry. The findings show that 90% of respondents report that they are prepared to withstand cybersecurity threats in 2022. However, the 2022 survey show's a big increase from 2018 in reported cyberattacks — from 43% in 2018 to 74% in 2022,
A BBC article from July 2022 revealed that cyberattacks on the Port of Los Angeles have doubled since the pandemic. The number of monthly attacks targeting the port is around 40 million.
Developing a cybersecurity action plan
Cybersecurity responsibilities fall on every member of the company for the plan to be effective. Mission Secure offers a short-term maritime cybersecurity action plan to establish a baseline for vessel companies.
- Crew education remains a top priority as phishing scams are the most common vector for attack.
- Segmenting networks between your bridge, engine room, crew, Wi-Fi, and business will ensure critical systems are not susceptible for lateral spread if infected.
- Separating critical systems and devices to a private IP address space will prevent hackers from reaching your systems over the internet.
- Update the admin password on critical systems within the OT network, as well as updating your passwords regularly with multi-factor authentication whenever possible.
- Provide software updates on critical systems and devices, and secure USB ports on all ship systems. If critical systems can only be updated by a USB, keep the USB keys in a secure location.
- Lock up the IT and OT equipment onboard. Given the transient nature of crews aboard maritime vessels, it is best to keep critical devices locked up and secured.
- Have strong encryption passwords for Wi-Fi networks and eliminate any unsecured wireless devices and services on those networks.