Maritime cyber security risks are increasing for both ships and seaports. These risks and their consequences negatively impact national economies, shipping companies and seaports. There is increased attention on this by national governments, national coast guards and agencies abroad such as the International Maritime Organization (IMO). We also need a sense of how the U.S. Coast Guard is reacting to these threats.
About a year ago, the Coast Guard published its Cyber Strategic Outlook to raise awareness and reemphasize the agency’s role in cyber security. Admiral Karl L. Schultz, Commandant of the U.S. Coast Guard, observed in his introduction to the Outlook:
“The events of the last five years, including the exploitation of U.S. Coast Guard networks and information, the attacks on maritime critical infrastructure and adversarial efforts to undermine our democratic processes—not just by exploiting networks, but by negatively shaping information—reinforce that cyberspace is a contested domain.”
The Outlook (page 3) identified some “interesting” statistics reflecting attacks on the Maritime Transportation System (MTS) from 2015 to 2021:
- 500-plus—Major operational technology cyber-attacks in the maritime industry in 2020
- 39 Seconds—That’s how often a hacker attacks—on average 2,244 times a day
- $3.86 Million—Average cost of a data breach in 2020
- 36 Billion—Records exposed by data breaches in the first half of 2020
- 207 Days—Average time it took to identify a data breach in 2020
- 280 Days—Average lifecycle of a data breach
- $10.5 Trillion—Amount of damage related to cybercrime projected annually by 2025
Why Are Maritime Cyber Threats Increasing?
There are several reasons why cyber risks and attacks are expanding in the maritime industry. Here are some aspects to consider and add to your “worry list”:
- The maritime industry globally offers a “soft underbelly” of vulnerabilities that can be exploited by digital attackers. These vulnerabilities can include increased digitalization of ship and seaport systems and equipment. The weak spots can be due to software errors, inadequately hardened digital systems and components, limited crew cybersecurity training and preparedness, and even insider threats.
- A cyber-attack on seaport or shipboard networks could result in lost cargo, seaport disruptions, environmental releases, physical damage and even death. These could impact ships and seaports for days or weeks. For instance, in January 2022, port facilities across northern Europe endured a spreading cyberattack targeting 17 oil hubs/ports and their operations. Reports from The Netherlands and Belgium observed that the cyberattacks affected loading and unloading barges when the oil market was already under duress due to upcoming winter weather and the pending war in Ukraine. This resulted in re-routing tankers and significantly disrupting supply chains. The NotPetya attack on Maersk in 2017 affected 76 ports globally and 800 ships, costing the company over $300 million.
- Some commentary has raised questions about who is responsible for cyber security on board ships and at seaports. For ships, is it the captain? The chief engineer? Operations? And for seaports, is it the stevedoring services company or the owner of the jetty? This confusion or lack of assigned accountability may lead to large gaps in cyber defenses of your ship and seaport.
- Future maritime innovations—such as autonomous vessels—add to the attack surfaces of the MTS. Autonomous vessels have the advantages of reduced operating costs and elimination of human casualties in dangerous missions such as minesweeping. However, these vessels could be taken over by physical or digital pirates who could alter the ship’s course, launch suicide attacks, steal cargo, use the vessel for financial extortion or steal shipboard technology.
CASE STUDY: TYPOSQUATTING—A SUBTLE THREAT
Here is a subtle but direct threat that could ultimately lead to ransomware attacks on your ships or seaports, or a loss of control of sensitive information.
Typo—what? Typosquatting is a subtle way to redirect a web page user from a legitimate web page to a malicious one. It is a form of social engineering attack targeting internet users. It normally involves tricking someone into visiting a malicious webpage whose internet address (aka URL) is a common misspelling of a legitimate web page’s address.
Typosquatting is also known as URL hijacking, domain mimicry, sting sites or fake URLs.
The ‘typo’ in typosquatting refers to the small mistakes people make when typing on a keyboard. For instance, transposing some letters in a URL could redirect you to a dark location on the internet—sometimes without you recognizing your error.
In a Nov. 7 news item, SAFETY4SEA reported that hackers spoof or fake US port facility URLs using typosquatting. “Misspellings of several US port facility domains have recently been registered, likely for malicious purposes,” the publication stated.
One way to defend your seaport or maritime organization from being a victim of typosquatting is to register your domain name under more than one top-level domain (.com, .org, etc.). For instance, imagine you are the Port of Dune. First, recognize that your registered URL is “portofdune.org” but someone may type in “portofdune.com.”
Unless you also register “portofdune.com” and redirect the address to the .org site, a miscreant may take advantage of “portofdune.com” and make it a place housing deceptive web pages, web forms, etc. It could look identical to your website, but it isn’t!
Also, some people transpose “D’s” and “G’s.” So, someone may type “portofgune.org.” Again, a digital vandal may take advantage of this and redirect the victim to a malicious site.
According to Microsoft, adding, or removing, an “s” at the end of the domain name is another common typosquatting trick.
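The misspelling patterns described above (a different top-level domain, the D/G slip, transposed letters, an added or removed trailing “s”) can be enumerated so that a port can register or monitor the lookalikes of its own domain. This is an added Python example, not part of the original article; the function names, the TLD list and the sample domains are assumptions built around the article’s fictional portofdune.org.

```python
# Added example: enumerate lookalike domains for defensive registration/monitoring.
# "portofdune.org" is the article's fictional port; the TLD list and the
# confusable-letter pairs below are constructed for illustration.

TLDS = ("com", "org", "net")
CONFUSABLE = {"d": "g", "g": "d"}  # the D/G slip the article mentions


def lookalikes(domain, tlds=TLDS):
    """Return {variant: reason} for the typo classes described in the article."""
    domain = domain.lower()
    name, _, tld = domain.rpartition(".")
    out = {}
    if not name:                            # not a name.tld pair, nothing to derive
        return out

    def add(variant_name, variant_tld, reason):
        candidate = f"{variant_name}.{variant_tld}"
        if variant_name and candidate != domain:
            out.setdefault(candidate, reason)

    for other in tlds:                      # portofdune.com instead of .org
        add(name, other, "tld-swap")
    for i, ch in enumerate(name):           # portofgune.org
        if ch in CONFUSABLE:
            add(name[:i] + CONFUSABLE[ch] + name[i + 1:], tld, "letter-swap")
    for i in range(len(name) - 1):          # protofdune.org (adjacent letters swapped)
        if name[i] != name[i + 1]:
            add(name[:i] + name[i + 1] + name[i] + name[i + 2:], tld, "transposition")
    if name.endswith("s"):                  # trailing "s" removed or added
        add(name[:-1], tld, "trailing-s")
    else:
        add(name + "s", tld, "trailing-s")
    return out


def flag(observed, legit):
    """Match observed domains (e.g. from mail or DNS logs) against the lookalike set."""
    table = lookalikes(legit)
    return {d: table[d.lower()] for d in observed if d.lower() in table}


if __name__ == "__main__":
    sample = ["portofdune.org", "portofdune.com", "portofgune.org",
              "portofdunes.org", "example.net"]   # constructed sample input
    for dom, why in flag(sample, "portofdune.org").items():
        print(f"{dom}\t{why}")
```

The keys of `lookalikes()` are the names to register and redirect, and `flag()` can be run over domains seen in inbound mail or DNS logs to spot a lookalike already in use.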
So, what do you do to protect yourself? Check out the ideas provided by Microsoft at https://bit.ly/3UwP650.
Simply put, for your important web sites, like a particular seaport or vendor, use the web address from your saved favorites. If you do need to type an address into your browser, type carefully and double-check your address to ensure it is correct.
Never click a link you weren’t expecting in an email or other message, even if it appears to come from a trusted person or organization.
What should you do if you think you’ve arrived at a page you didn’t want to go to via typosquatting? Close that browser tab and start again.
CYBERSPACE WILL NOT BE IGNORED BY THE U.S. COAST GUARD
In its Outlook, the Coast Guard has established three lines of effort in recognition of the need to defend the MTS both physically and in cyberspace. These include:
- Defend and operate the U.S. Coast Guard Enterprise Mission Platform
- Protect the Maritime Transportation System
- Operate in and through cyberspace.
In the last line of effort, the Coast Guard intends to leverage relationships with the U.S. intelligence community, Department of Defense, federal law enforcement and foreign allies. The Coast Guard will also extend cyber operations in support of operational commanders.
These lines of effort will be supported by four key areas—partnerships, intelligence, workforce and innovation.
NEW INITIATIVE: U.S. COAST GUARD AUXILIARY CYBER FLOTILLA
The U.S. Coast Guard Auxiliary is the civilian uniformed volunteer component of the Coast Guard. The auxiliary’s mission includes search and rescue, disaster relief, recreational boating safety and marine environmental safety and protection.
Beginning in 2022, the auxiliary is working with key Coast Guard partner organizations to formalize the establishment of an Auxiliary Cybersecurity Augmentation Program, or AUXCYBER. The program is being established to allow qualified auxiliary members with a broad range of experience in cybersecurity and cyberspace operations to augment the Coast Guard cyberspace workforce.
Auxiliary members in the AUXCYBER program may support Coast Guard Cyber Command (CGCYBER), its units and commands in cybersecurity activities. These actions may include:
- Cybersecurity outreach, awareness, education and training.
- Facilities/vessel inspections with cyber-emphasis.
- Review of cybersecurity amendments of facility security plans and assessments.
- Cyber-exercise support.
- CGCYBER Cyber Protection Team (CPT) augmentation.
- CGCYBER Maritime Cyber Readiness Branch (MCRB) augmentation.
- Cybersecurity for recreational boating safety missions.
The auxiliary is planning to form Flotilla 22-12 as an innovative Coast Guard Auxiliary unit based out of Fort Meade, Maryland. This flotilla will have the primary purpose of recruiting and retaining cybersecurity professionals to support the Coast Guard’s missions in the cyber domain.
To learn more about new USCG/Auxiliary plans, visit https://tinyurl.com/yc7jb2h4.
INNOVATION AND FLEXIBILITY ARE IMPORTANT
Unfortunately, the cyber-threat environment is complicated and ever-changing. Attackers are always looking for new ways to steal money, identity and valuable cargo. They will inspect and dissect information technology and operational technology systems and components and look for any vulnerabilities.
Also, they will take advantage of seamen’s and employees’ lack of cybersecurity knowledge and savvy.
As evidenced by the new changes and innovations with the U.S. Coast Guard and Auxiliary, cyberspace has numerous opportunities for improvement and attention. Take advantage of all resources available to help on your cyber security journey.
It is critical that you have someone identified to be responsible and accountable for cybersecurity on your ship or for your seaport. This can’t be an issue that you ignore in the hope that it goes away.
Ernie Hayden, MIPM CISSP GICSP (Gold) PSP, is an industrial control systems cyber and physical security subject matter expert. He has extensive experience in industrial controls security, the power utility industry, critical infrastructure protection/information security, cybercrime and cyberwarfare.