Long focused on mitigating physical risks such as piracy, the maritime shipping industry is currently grappling with a new challenge: how to respond to a dramatic spike in cybersecurity threats.
From February to June 2020, cybersecurity consulting firm Naval Dome documented a 400% growth in attempted hacks against maritime targets. Driven by increased numbers of remote access paths onboard vessels and the convergence of new information technology (IT) targets into traditionally operational technology (OT) environments — as well as the perceived value in targeting an industry that carries nearly 90% of the world’s trade — these attacks represent a serious new threat to the backbone of global commerce.
“This convergence is increasingly more pervasive because of the nature of digitalization trends, like using onboard sensors and tracking data off operational systems for predictive maintenance purposes, that open more attack surfaces on the IT side that can enter into the OT environments,” said Don Ward, senior vice president of Global Services at Mission Secure, a global provider of OT cyber-protection solutions. “We frequently see that clients think they have certain portions of their system on islands – inevitably, in every assessment we find a backdoor into these environments.”
It’s a balancing act that all digitally maturing industries face: deriving efficiency gains from integrating today’s latest technology while limiting the potential vulnerabilities from doing so. The maritime sector is still catching up to its aerospace and automotive counterparts in implementing modern cybersecurity best practices, but malicious actors will not be waiting idly for it to arrive there.
“The maritime industry in general is quite an easy target, as it’s somewhat behind the curve in terms of preparation, protection and detection,” said Keith Chappell, technical director with Cyber Prism, which provides cybersecurity services to protect OT for enterprises, government and Critical National Infrastructure.
That hasn’t stopped operators from adopting technology that reduces shipping time and provides more accurate data about a vessel’s condition. But doing so without secure integration, protection and rapid response strategies may risk increasing the danger of cyberattacks.
“Cybersecurity protection is of course a cost, but I also see it as an enabler for these digitalization features — either you disconnect your vessel totally or you implement barriers and get to see the benefits of digitalization,” said Jarle Coll Blomhoff, group leader, Cyber Safety and Security, for DNV, an international accredited registrar and classification society that provides risk management solutions for the maritime industry.
Increased Connectivity Creates Challenges
“A decade ago, a modern shipping vessel may not have had any computers of note. Now you have all kinds of digital systems — GPS, automatic identification systems (AIS) and electronic chart display and information systems (ECDIS) — that sometimes connect to back-end cloud systems for data processing or data analysis,” said Nate McFeters, Transport Assurance Practice director for NCC Group, a global security firm that assesses and manages cyber threats for industrial and government clients.
Threats to IT have been common for decades across all industries and are met with robust, frequently updated protections that enable safe connection to the internet. Operational technology that manages physical functions such as propulsion and power control is a different matter entirely.
Built for specific industrial and mission-critical purposes by third-party vendors that cling tightly to their proprietary protocols and often insist on making software changes themselves — “Meaning you have third-party technicians poking through your firewall and leaving you vulnerable to whatever laptop or device they plug in that could already have been hacked,” says Ward — these systems represent a more easily penetrable target if they’re able to be accessed externally.
“In OT networks, you’ll find lots of outdated Windows- and Linux-based operating systems that are running on older versions because the control system software is tied to that,” said Ward. “The update process in the OT world is infrequent, once every three to five years, if not longer.”
This represents a marked difference from IT software, which is updated for security reasons on a monthly, weekly and occasionally an ad hoc basis. While OT is “very robust in terms of environmental factors,” says Chappell, noting that the onboard equipment is designed to function through physical shocks like wetness, large vibrations or interference from high-voltage equipment, it’s far less equipped to deal with network traffic it’s not expecting.
“There’s a misguided belief that OT systems are completely isolated from the internet,” said Chappell. “That is still true in maritime for some organizations and on some vessels, but it’s becoming less true all the time. As demands for business information increase, more and more systems are getting connected.”
The blend of IT and OT systems utilized by today’s shipping vessels has expanded the attack surfaces available to motivated parties, whether independent criminals or state-sponsored actors. More data is being transmitted to and from ships, crewmembers have new ways to create access paths through personal devices, and 21st century connectivity technology is often added piecemeal to vessels built in the 20th century.
McFeters contrasts maritime with the automotive industry, which he says has quickly matured over the last decade in its understanding of security vulnerabilities caused by adding remote access paths such as infotainment systems and Bluetooth compatibility.
“We’re seeing the same increase in attack paths to the OT on ships – the difference is that maritime isn’t as far along as other industries in terms of understanding that risk and designing their vessels with that in mind,” said McFeters.
Trouble on the Horizon
The risks of cyberattacks on IT targets are well documented, including several high-profile cases within the maritime industry.
Perhaps the most famous incident was the June 2017 NotPetya attack on Ukrainian targets that spread beyond the country’s borders to hit international companies including Danish shipping giant Maersk, decimating the firm’s data and ultimately costing it more than $300 million. A 2018 attack on the China Ocean Shipping Company (COSCO) using SamSam ransomware, in which the company’s isolated networks allowed it to quickly return to normal operations, has become a go-to case study for the importance of network segregation and proactively developing response plans.
But what happens when an OT system is affected?
“We’ve been on board vessels where access to the ECDIS is lost after being hit by a malware attack. The worst example is the vessel’s automation system onboard going down and they had to revert to manual operations,” said Blomhoff, adding that the manual backups built into seafaring operations and the skill of experienced seamen reduce the danger in these situations. “And that’s always a facet, not only due to cyber security – it could also be from a short-circuit or bug crashing the software.”
Blomhoff says the key difference between IT and OT threat levels is that with IT, attacks happen frequently but with limited consequences, whereas OT faces, so far, a more limited number of attacks that have the potential to severely impact safety.
“The main risk is that now you’re connecting more and more of your control systems onboard, and they were not necessarily designed to be connected,” he said. “If malware arrives onboard the vessel because you connect via your phone or USB directly to a bridge system, it’s certainly plausible to see viruses coming onto critical systems and in that scenario it’s only a matter of time before they cause damage.”
Cyberattacks can also be deployed to facilitate more traditional crime, such as accessing email exchanges between a vessel and shore, identifying an invoice from a brokering company and generating another invoice that looks the same but with different details. They can also be used to give pirates precious information that, if they are able to board the ship, gives them an advantage in procuring targeted goods and departing quickly.
“There are certainly examples where pirates have boarded vessels and they know exactly which containers they wanted to access and where they are, which means they have far less contact time on board the vessel,” said Chappell. “That can only be enabled by manifests being leaked or exfiltrated, potentially by people gaining access to that data nefariously.”
The Best Defense is a Good Offense
Maritime security consulting firms offer a variety of proactive measures to give vessel operators peace of mind about their preparedness for cybersecurity threats. Strategies will vary from company to company, but they typically include network segmentation, risk analysis (including assigning experts to discover vulnerabilities through penetration testing and adversarial “red teaming”) and cyber awareness training for crewmembers.
“We try to work with vendors to build in good cybersecurity mechanisms in their system as the first layer of defense, then we have another section of it with the network segregation — keeping IT and crew welfare systems away from OT systems — and finally there’s a third level with the physical security procedures the ship owner implements to keep the vessel safe,” said Blomhoff.
Network segmentation is a critical foundational element to a robust security infrastructure, says McFeters, particularly as maritime environments lag behind more digitally mature industries’ security standards.
“Within maritime in particular, I’d operate under the premise that a system will be compromised at some point,” said McFeters. “The most important thing you can do is segregate your networks so something like malware can’t spread to OT systems, because generally those systems will lack patches and be an easier target.”
While network segmentation is a top priority, it shouldn’t scare operators away from converging data to maximize the value of onboard technology.
“It’s easy to say we’re safe because all our systems are air gapped, but that’s a self-defeating view,” said Chappell. “Operators get real benefits from taking that data from the operational systems and using it to augment business information, or being able to look at fuel consumption and tell the team on shore precisely how much fuel they need to buy on the next bunkering stop. It’s hugely valuable but integration needs to be done in a controlled manner.”
Proactive defense strategies also include security exercises designed to test firewalls and segmentation, such as the use of “white hat” hacking and tabletop scenarios to identify weak points. As part of its security assessment offerings, DNV deploys certified ethical hackers to verify defenses and requirements based on class notation, and to do exploratory penetration testing to find uncommon gaps.
“It’s a good exercise to keep your defenses up against a constantly evolving risk picture,” said Blomhoff. “The owner doesn’t have to be a cyber security expert because our advisory units can show the defenses during testing.”
Even the most intense security analysis might prove to be fruitless, however, if crewmembers aren’t given proper cybersecurity training. Human behavior always bypasses security, says Ward, noting that the increased use of personal devices and growing trend of support staff working remotely affect maritime cybersecurity readiness as much as any industry.
“People inevitably make mistakes that create avenues of access in OT environments. This can include a shift worker streaming media devices during downtime or bringing in a personal printer. They plug in their own access points and if they don’t have any security encryption, it’s wide open,” said Ward.
Cybersecurity education shouldn’t be about punishment, says Chappell, but rather about making crewmembers aware that decisions such as using a shore-purchased USB stick to watch movies could impact their personal safety and that of their fellow crewmembers. Putting them in a position to succeed also means streamlining the response processes in case of a cyber incident.
“It’s all about making it easy for people to do the right thing,” said Chappell. “When things do go wrong, it should be just like lifeboat drills. Our response plans take the format of ‘If this happens, do that’ on a single-page, laminated A4 sheet. Really simple stuff you can do at 3 a.m. in the morning when you’re tired and dragged out of your bunk — preparation could be as simple as re-cabling areas of the bridge or engine room to use different color cables, then ‘If you no longer trust the ECDIS for whatever reason, remove the blue cables in cabinets 3, 4 and 5.’”
Making Cents of the Problem
Cybersecurity awareness is only part of the battle; the ability, or desire, to allocate funding is equally important to maintaining a strong security infrastructure. Ward notes that maritime firms have a cost per day target they’re looking for, which doesn’t necessarily include funds for cybersecurity.
In the past this has sometimes resulted in “hodgepodge systems” made up of shoehorned equipment lacking coherent system design and sometimes even including dangerously vulnerable consumer-grade electronics. But Weston Hecker, Lead Cyber Evangelist and Ethical Hacker for Mission Secure, says that attitudes are shifting toward a more defensive posture.
“Customers are catching on to the severity of these threats,” said Hecker. “Part of it is that the topic is unavoidable these days – there’s seemingly always a big hack coming out, compared to years past when it was barely in the headlines.”
The International Maritime Organization (IMO), the UN’s regulatory body for the maritime shipping industry, has made it clear that cybersecurity should be a key consideration moving forward. Beginning in Jan. 2021, its revised cyber guidelines expanded the standards of cybersecurity preparation that must be met during audits.
It’s a strong message that will boost industry awareness, says Chappell, but may inadvertently lead to box-checking complacency.
“The IMO requirements establish a minimum threshold, but cyber-mature organizations will be doing much more,” he said. “There is a real risk that we end up in a situation similar to many regulated industries where relatively low mandated standards actually stimulate a drive to the bottom, and the historical best performers reduce their spend and effort to simply comply.”
This could have broader economic and geopolitical ramifications that go beyond any one company’s balance sheet. As the March 2021 Ever Given incident made painfully clear, any disruption to maritime shipping has ripple effects that impact every country and industry.
“With container terminals or shipping vessels, we’re talking about a choice target for state-sponsored actors,” said McFeters. “The amount of difficulty you can cause to an economy in these environments is severe.”
The implications of this threat have yet to be fully displayed to the public, partly because company confidentiality policies make it impossible to know the full number and scale of attacks on OT systems, and partly because the industry is built on layers of redundancies — industrial and human-powered — that minimize the likelihood of a catastrophic event.
For example, McFeters says that from an operator perspective, risks resulting from attacks such as GPS spoofing “might be getting overblown to some degree.”
“When you talk to captains, if they don’t trust GPS or ECDIS or one of their instruments, they’ll just move to dead reckoning or some other form of analog navigation — after all, we’ve been navigating the seas by stars for a long time,” he noted.
What concerns McFeters more is the risk that outdated embedded systems in the vessel may be externally accessible or become so when they come into port. Worst-case scenarios such as an engine takeover near shore may be remote, but even the possibility warrants rigorous examination.
“I think a lot of these increased attacks we’re seeing are far more like opportunistic attacks — such as malware outbreaks — that have been effective because you have a largely OT environment that’s still getting its feet underneath it from an IT perspective,” said McFeters. “My biggest fear is that one of these more opportunistic attackers will realize what they’ve gotten access to and cause operational outcomes. Could that pivot into something that allows you to control part of the vessel, such as the engines or propellers, and cause safety-critical issues? That’s an area where we still have a lot of unanswered questions.”