April was a remarkably busy month for maritime cyber and physical security news. This column focuses on the U.S. Coast Guard Cyber Command’s annual Cyber Trends and Insights in the Marine Environment (CTIME) report. A high-level overview of the 60-page report follows, with some recommended actions for shipping companies, seaports and other maritime stakeholders.
Cyber Trends
On April 22, the U.S. Coast Guard announced the release of the third annual CTIME report, available at https://bit.ly/4b19aVg.
The report is intended to provide relevant information and lessons learned about cybersecurity risks to maritime security, and to offer best practices that drive defensive, or cyber-hardening, actions.
The key takeaways, from page 6 of the report, include the following:
- There has been a significant uptick in reported Advanced Persistent Threats (APTs) targeting the marine environment.
- Ransomware incidents continued to surge in 2023. Reported incidents increased by 80% over 2022, and the average ransom demanded more than tripled. The organizations targeted by ransomware included:
  - Liquefied natural gas (LNG) processors and distributors, and petrochemical companies; and
  - Maritime logistics and technology service providers.
- USCG Cyber Command identified the same cybersecurity deficiencies that the two earlier Cyber Trends and Insights reports had identified, confirming that vulnerabilities in the marine environment are persistent.
- Network-connected Operational Technology (OT) introduces cyber-attack vectors into the marine environment. In 2023, USCG Cyber Protection Teams (CPTs) found that OT network segments often contained an organization’s most critical and most vulnerable systems. OT systems also often used vulnerable network protocols that give an attacker room for further exploitation and privilege escalation, and insufficient access controls on OT systems can let an attacker pivot from the information technology (IT) network into the OT network.
Page 8 of the 2023 CTIME report includes a graphic to readily highlight 2023 cyber trends and insights. A summary of the information as well as some other key metrics from the report include the following:
Operational Technology Security
As noted in the report summary, the Coast Guard is concerned about the increased connectivity between OT and IT systems. Mitigations relied on in the past, such as physical security controls and complete network segregation or isolation, are becoming obsolete as new OT systems are integrated with shipboard systems. As a result, it is easier for an attacker to reach and exploit shipboard and seaport cyber systems.
USCG CPT assessments have identified three common vulnerabilities present in almost every OT network inspected:
Improperly segmented networks
- Lack of the access controls needed to keep traffic from traversing from IT networks into OT networks.
- Lack of demilitarized zones (DMZs), enabling direct connections between IT and OT networks and, in some cases, between OT networks and the Internet.
- Lack of understanding of the interconnections that exist. OT networks are often managed by different personnel than IT networks, which leads to miscommunication and presents significant challenges to securing both.
Use of end-of-life software
- The most common end-of-life system discovered was the Microsoft Windows 7 operating system.
- End-of-life software no longer receives security patches, so intruders can exploit its known, unpatched vulnerabilities to gain access to the network.
Use of legacy protocols
- Legacy protocols such as Telnet and Server Message Block version 1 (SMBv1) are unencrypted, which makes reconnaissance and lateral movement much easier for an attacker.
So, what does the CTIME report recommend for hardening OT? Here are some key highlights from pages 25-26:
Improper network segmentation
☑ Audit all communications to and from the OT network, and limit them to the maximum extent possible.
☑ Implement DMZs between networks.
☑ Implement strict access control for OT.
End-of-life software
☑ Audit all software running in the OT environment.
☑ Replace operating systems or software that are no longer supported where possible.
☑ Where software cannot be replaced, implement added controls such as complete isolation or additional monitoring.
Legacy Protocols
☑ Upgrade to newer, more secure protocols such as SSH and SNMPv3.
☑ Upgrade hardware that is incompatible with the newer, more secure protocols.
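The segmentation and legacy-protocol checks above can be turned into a repeatable audit of flow records exported from a firewall or flow collector. The script below is an added example for this column, not code from the CTIME report or the Coast Guard. It assumes a hypothetical three-zone address plan (IT, DMZ, OT), an assumed list of approved conduits that may touch OT, and a constructed set of flow records; it flags direct IT-to-OT crossings that bypass the DMZ, OT hosts talking to external addresses, conduits into OT that are not on the approved list, and the cleartext services the report names (Telnet and SMB on its well-known ports) plus SNMP, noting where a port number alone cannot settle the protocol version.

```python
"""Audit IT/OT flow records for boundary crossings and legacy protocols.

Added example, not from the CTIME report. The zones, the approved conduits
and the flow records below are all constructed for illustration.
"""
import ipaddress
from typing import NamedTuple

# Hypothetical address plan for one facility (an assumption for this example).
ZONES = {
    "IT": [ipaddress.ip_network("10.10.0.0/16")],
    "DMZ": [ipaddress.ip_network("10.20.0.0/24")],
    "OT": [ipaddress.ip_network("192.168.100.0/24")],
}

# The only conduits allowed to touch OT, as (src zone, dst zone, dst port).
# Assumed for this example: a DMZ historian polling Modbus/TCP, a DMZ jump
# host using SSH, and OT devices sending syslog out to a DMZ collector.
ALLOWED_CONDUITS = {("DMZ", "OT", 502), ("DMZ", "OT", 22), ("OT", "DMZ", 514)}

# Destination ports of the cleartext services the report names (Telnet, SMBv1)
# plus SNMP v1/v2c. A port number alone cannot distinguish SMBv1 from SMBv2/3
# or SNMPv2c from SNMPv3, so those entries say what still has to be verified.
LEGACY_PORTS = {
    23: "telnet (cleartext credentials)",
    139: "smb over netbios (verify whether the smbv1 dialect is negotiated)",
    445: "smb (verify whether the smbv1 dialect is negotiated)",
    161: "snmp (verify whether v1/v2c community strings are in use)",
}


class Flow(NamedTuple):
    ts: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def zone_of(ip):
    """Map an address to IT, DMZ, OT, or EXTERNAL (anything outside the plan)."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "EXTERNAL"


def parse_flow(line):
    """Parse one whitespace-separated record: ts src sport dst dport proto."""
    ts, src, sport, dst, dport, proto = line.split()
    return Flow(ts, ipaddress.ip_address(src), int(sport),
                ipaddress.ip_address(dst), int(dport), proto.lower())


def audit_flow(flow):
    """Return the list of findings for one flow (empty when it is acceptable)."""
    findings = []
    sz, dz = zone_of(flow.src), zone_of(flow.dst)
    touches_ot = "OT" in (sz, dz)
    if touches_ot and sz != dz:
        if {sz, dz} == {"IT", "OT"}:
            findings.append(f"direct IT/OT crossing {sz}->{dz}: no DMZ in the path")
        elif "EXTERNAL" in (sz, dz):
            findings.append(f"OT reachable from/to an external address: {sz}->{dz}")
        elif (sz, dz, flow.dport) not in ALLOWED_CONDUITS:
            findings.append(f"unapproved OT conduit {sz}->{dz} on {flow.dport}/{flow.proto}")
    if touches_ot and flow.dport in LEGACY_PORTS:
        findings.append(f"legacy protocol on {flow.dport}/{flow.proto}: {LEGACY_PORTS[flow.dport]}")
    return findings


def audit_lines(lines):
    """Return [(flow, findings)] for every record that produced a finding."""
    results = []
    for line in lines:
        if line.strip():
            flow = parse_flow(line)
            findings = audit_flow(flow)
            if findings:
                results.append((flow, findings))
    return results


# Constructed flow records (not real traffic): IT->OT Telnet, an approved
# historian poll, IT->OT SMB, an OT host reaching the Internet, DMZ->OT SNMP
# that is not an approved conduit, and ordinary IT->DMZ HTTPS.
SAMPLE_FLOWS = """\
2023-11-02T08:14:03Z 10.10.5.21 52344 192.168.100.15 23 tcp
2023-11-02T08:14:09Z 10.20.0.5 41000 192.168.100.15 502 tcp
2023-11-02T08:15:30Z 10.10.7.40 50112 192.168.100.22 445 tcp
2023-11-02T08:16:02Z 192.168.100.30 40212 203.0.113.8 443 tcp
2023-11-02T08:16:45Z 10.20.0.9 51010 192.168.100.15 161 udp
2023-11-02T08:17:10Z 10.10.5.21 52350 10.20.0.5 443 tcp
""".splitlines()

if __name__ == "__main__":
    for flow, findings in audit_lines(SAMPLE_FLOWS):
        print(f"{flow.ts} {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}/{flow.proto}")
        for finding in findings:
            print(f"    - {finding}")
```

Run against the constructed records, four of the six flows produce findings; the approved historian poll and the IT-to-DMZ HTTPS session pass. The approved-conduit set is the important design choice: anything touching OT that is not on it is a finding, which matches the report's advice to audit all OT communications and limit them to what is necessary. Port-based matching is only a first pass, so the SMB and SNMP findings point to the protocol-level check (negotiated dialect, SNMP version) that still has to be done.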
Questions to consider
- What are my most critical IT systems?
- What are my most critical OT systems?
- How do I limit communications between IT and OT?
- Who is responsible for OT security?
- Who is responsible for system updates?
- Are we relying on a vendor to do our updates? What problems does that reveal?
- What disaster recovery and business continuity plans do I have in place?
A Crystal Ball—Looking Ahead
The CTIME report offers some views of the future cyber concerns facing the maritime environment. Here is a quick look:
- Ransomware is on the rise.
- Cybercrime will continue to impact the maritime environment.
- Artificial intelligence may introduce new vulnerabilities, and it may help cyber attackers and nation-states broaden their attacks.
- Smart-port technologies will connect a diverse range of devices and increase the automation of port operations; that same connectivity, however, could magnify the impact of a cybersecurity compromise.
Conclusion
The CTIME report helps the reader understand the key threats to the maritime environment. It offers a sense of where the trends are headed and gives the reader an understanding of Cyber Protection Team missions. Unfortunately, it only scratches the surface of the actions that need to be taken by shipping companies, seaports and maritime-support communities.
You and your technical staff are strongly encouraged to read and study the CTIME report. If you want more information regarding OT/IT security, here’s some guidance:
- Guide to Operational Technology (OT) Security, NIST SP 800-82 Rev. 3 (https://bit.ly/3UxvRcv)
- The NIST Cybersecurity Framework (CSF) 2.0 (https://bit.ly/4bqKdSX)
- Guidelines on Maritime Cyber Risk Management, International Maritime Organization, MSC-FAL.1/Circ.3/Rev.2 (https://bit.ly/3yieFjN)
- The Guidelines on Cyber Security Onboard Ships, Version 4, BIMCO et al (https://bit.ly/3y6ArqJ)
- Port Community Cyber Security, IAPH et al (https://bit.ly/3wr2pNC)
- USCG Maritime Industry Cybersecurity Resource Center, https://www.uscg.mil/MaritimeCyber/
Ernie Hayden’s background includes management and technical roles focused on cyber and physical security since the 9/11 attacks. He was previously a U.S. Navy Nuclear and Surface Warfare Officer and has published a book, Critical Infrastructure Risk Assessment—The Definitive Threat Identification and Threat Reduction Handbook, that was named the 2021 ASIS Security Book of the Year. Please send your questions or suggested article ideas to enhayden1321@gmail.com.