Besides the impact of COVID-19, the news of 2021 has been full of headlines regarding cyber-attacks on critical infrastructure. You've probably heard about the Colonial Pipeline ransomware attack or the attack on the JBS meat processing plant; however, are you aware that the maritime sector is also under cyber-attack? For instance, as of July 2020, cyber-attacks on the maritime industry have increased by 900% in three years, according to cyber defense solutions provider Naval Dome.
Basically, threats to maritime computer systems are on the rise and are here to stay. As such, this magazine has asked me to provide a bi-monthly column on maritime cyber security issues, to help you be more aware of the risks and to offer ideas on ways to mitigate your vulnerabilities.
Terms of Art
As I write these articles, you’ll be introduced to different terms of art related to cybersecurity in general. Here are some of the key terms you’ll hear:
• Cyber Security: Cyber security is defined as the collection of tools, policies, security concepts and safeguards, risk management, training, best practices, and technologies used to protect the cyber environment, organization, and user’s assets.
• Information Technology (IT): Think of IT as the equipment and systems used in processing, handling, and storing digital information used for the administrative and commercial operation of an enterprise. This would include email systems, databases, communication systems, and enterprise resource planning (ERP) systems.
• Operational Technology (OT): OT refers to the digital or analog systems used to operate or guide the ship or seaport to perform its intended function. For instance, maritime OT systems include Vessel Integrated Navigation Systems (VINS), Global Positioning Systems (GPS), Automatic Identification Systems (AIS), radar systems, electronic charts, crane operations, traffic control, cargo handling, and vessel berthing systems.
• Hacker: A hacker is an unauthorized user who attempts to gain, or gains, access to an IT or OT system/component. The hack can be of malicious intent to damage the systems and steal data, or it can be a political protest (e.g., “hacktivist”).
• Malware: Malware can be a digital virus, worm, Trojan Horse, or other code-based malicious entity that successfully infects an IT or OT system or components. This malware can hijack, alter, steal, encrypt, and/or delete sensitive data in an IT or OT system without the knowledge or permission of the user.
• Phishing Emails: These are the most used technique to either place ransomware on a system or steal data from users. The phishing email is disguised to look like it came from a legitimate and reputable company or person; however, the message contains malicious attachments or links that can lead to theft or unauthorized encryption of sensitive data.
• Social Engineering: This is an approach where people are manipulated to violate security procedures, thus allowing the attacker to gain access to a facility, system, or network.
• Back Door: This is a secret method of bypassing normal authentication and verification when accessing a system. Sometimes vendors insert “back doors” into digital systems to allow for remote troubleshooting.
Essentially, when you look at a ship or seaport, you can divide the digital assets and systems into IT and OT. According to Naval Dome (www.navaldome.com), several recent attacks have raised concern in the maritime community. For instance, the US-based gas pipeline operator and shipping company MSC was hit by malware which shut down the shipowner’s Geneva headquarters for five days. Also, Iran’s Shahid Rajaee port was hacked, restricting all infrastructure movements and creating a massive backlog.
Key Governing Organizations
The predominant international organization guiding maritime cyber security is the IMO; however, each country’s coast guard or maritime security agency may also have some requirements.
• International Maritime Organization (IMO): Since shipping and port management are related to international trade, a key agency governing maritime cyber security is the IMO. According to the IMO website (www.imo.org), the IMO is the United Nations’ specialized agency with responsibility for the safety and security of shipping and the prevention of marine and atmospheric pollution by ships. International maritime security became an integral part of IMO’s responsibilities on July 1, 2004.
The IMO has recognized that a ship’s onboard IT and OT systems can be hacked just as easily as shore-based systems. Such security breaches have the potential to do considerable harm to the safety and security of ships, ports, marine facilities, and other elements of maritime transportation systems. Hence, the IMO has taken the initiative to raise awareness across the industry on ways to tackle the cyber threat by promoting a maritime cyber risk management approach. In fact, the IMO has issued Guidelines on Maritime Cyber Risk Management (MSC-FAL.1/Circ.3), tasking shipping industry owners and key stakeholders to read, understand, and follow them as much as practical.
• The Guidelines on Cyber Security Onboard Ships has been produced and supported by such organizations as the Chamber of Shipping of America, Digital Containership Association, International Association of Dry Cargo Shipowners (INTERCARGO), International Union of Marine Insurance (IUMI), and the World Shipping Council (WSC). These guidelines are referred to by the IMO and aim to help in developing proper cyber risk management strategies in accordance with relevant regulations and best practices on board a ship. The document focuses on work processes, equipment, training, incident response, and recovery management.
• United States Coast Guard (USCG): The USCG certainly has jurisdiction over any ships and port activities in the United States. The USCG has published Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Regulated Facilities. This document provides clarity around existing MTSA regulations in 33 CFR parts 105 and 106.
Overall, for general knowledge and training, I would suggest beginning with the second document – The Guidelines on Cyber Security Onboard Ships.
A Call to Action
The intent of this column is to raise awareness on maritime cyber security events and issues. But it certainly is an occasion for all maritime stakeholders to better understand the cyber threat environment. There’s a large opportunity to train your crews on cyber-safe policies and guidelines. Also, training staff on critical thinking to help improve threat awareness and threat detection can minimize inadvertent human errors and exposures.
In parallel with the training and orientation you provide on maritime cyber security, begin to perform risk assessments of your ship or seaport. Take a hard look at the vulnerabilities you have and look for the ways hackers could break in and attack your systems. Use trained professionals to aid in ship/facility and seaport walkdowns to identify areas needing corrective action and improvement.
Lastly, for an interesting read, take a few minutes to scan An Overview of Maritime Cyber Security Challenges, by Androjna, et al.
Thanks for reading this first article on maritime cyber security. If you have any questions or have suggestions for future column content, please send your thoughts to enhayden1321@gmail.com.
Ernie Hayden’s background includes management and technical roles focused on cyber and physical security since the tragedy of 9/11. He was previously a U.S. Navy Nuclear and Surface Warfare Officer, and has published a book entitled Critical Infrastructure Risk Assessment – The Definitive Threat Identification and Threat Reduction Handbook, which has been awarded the 2021 ASIS Security Book of the Year.