18 APRIL 2021
On June 27, 2017, during a sunny afternoon at its Copenhagen headquarters, global shipping titan A.P. Møller-Maersk, responsible for nearly 800 vessels, found its operations dead in the water in a matter of minutes. As reported by Wired magazine, within two hours the NotPetya or Nyetya, a ransomware attack on Maersk, caused an emergency shutdown of its entire global network of 4,000 servers and 40,000 PCs – held hostage for $300 million in Bitcoin.
Many western cybersecurity analysts now believe the shadowy attack was a spillover of nation-state cyberwarfare, in which irreversible ransoms are cover for larger geopolitical motives to effect maximum devastation. Often, those who agreed to pay still had terabytes of their master boot records destroyed by “detonating logic bombs,” thus permanently encrypting files or wiping systems clean.
The source of the NotPetya intrusions? A hijacked update within the Ukrainian accounting software M.E.Doc, phishing emails and exploited/outdated Microsoft protocols. Ironically, NotPetya’s origins stem from two exploits working in tandem: A penetration tool developed and leaked from the U.S. National Security Agency (NSA), known as EternalBlue, and the French program Mimikatz.
Overall, NotPetya paralyzed businesses worldwide, caused an estimated $10 billion in damages, and demonstrated nation-states’ ability to wage war through a medium that disregards national borders or collateral damage – all without firing a shot.
In Sun Tzu’s Art of War, the famed Chinese strategist/philosopher stated, “The supreme art of war is to subdue the enemy without fighting.” In a word – cyberwarfare. This evolving conflict is referred to as fourth-generation warfare (4GW). Characterized by the blurring lines between war, politics, combatants and civilians, 4GW is a decentralized, asymmetric, modern form that signifies nation-states’ loss of their near-monopoly on combat forces.
Addressing Cyber Risks
Recognizing a 900 percent increase in maritime cyberattacks over the last three years, the IMO’s Maritime Safety Committee, at its 98th session, adopted Resolution MSC.428(98) – Maritime Cyber Risk Management in Safety Management Systems.
The resolution encourages owner/operators to ensure cyber risks are appropriately addressed through inclusion in safety management systems no later than the first annual verification of the company’s Document of Compliance after January 1, 2021. To assist in the effort, the IMO published MSC-FAL.1/Circ.3, Guidelines on Maritime Cyber Risk Management, to help in identifying, analyzing, assessing and mitigating threats.
In the U.S., the Coast Guard released Navigation and Vessel Inspection Circular (NVIC) 01-20, Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Regulated Facilities, with requirements to assess and document vulnerabilities associated with computer systems and networks in their Facility Security Plan (FSP). Facilities are to submit plans before the October 1, 2021 audit date. The Coast Guard Cyber Command’s Cyber Security Team offers direct assistance to stakeholders.
One can’t manage what one doesn’t measure, so the best way to understand threats is to first be able to recognize and assess them. Last December, in the wake of the U.S. government’s most devastating breach via the Solar Winds network management system, the White House released the National Maritime Cybersecurity Plan.
The plan provides a priority framework for risks and standards, information and intelligence-sharing (between government and stakeholders), and a maritime cybersecurity workforce. Annex C offers a description and matrix of current maritime cyber threats, articulating the usual suspects of China, Iran, North Korea, Russia and non-state proxies conducting increasingly sophisticated cyber-attacks against critical infrastructure.
Type of Threats
What are these cyber threats and where do they originate? Threats may come from individuals, criminal organizations, nation-states, terrorists, industrial spies and business competitors. Cyberattacks come in the form of:
- Malware – Software performing malicious tasks such as corrupting data or taking over a targeted device or network.
- Ransomware – Software that encrypts data on targeted devices/systems and demands a ransom in exchange for decryption keys.
- Distributed Denial of Service Attack (DDoS) – Attackers control thousands of devices to target and overwhelm websites or systems.
- Man in the Middle (MitM) Attack – Attackers establish/fake a position between the sender and recipient of electronic communications, who then intercepts and changes messages in transit without either party being aware.
- (Spear) Phishing – Often email-borne attacks intended to impersonate a trusted party and trick recipients into disclosing confidential information or downloading malware via hyperlinks.
- Trojans – Named after the ancient Greek Trojan Horse, recipients believe they are accepting legitimate software when in fact it releases malicious code once inside a host system.
- (GPS) Spoofing – Effectively takes over navigation systems by transmitting false GPS signals to receivers, thus hijacking authentic satellite signals.
Penetrations can occur via Information technology (IT) and operational technology (OT): Think networked systems vs. programmable logic controllers (PLCs) on equipment. Particular concerns surround vulnerabilities in electromagnetic spectrum (EMS) technologies such as GPS, voice communications and data communications in forms such as WiFi, cellular and satellite phones.
Benson Peretti, Executive Vice President of Global Services, and representatives from the Liberian Registries’ Maritime Operations Team identified specific risks to integrated bridge navigation and power management systems, which are vulnerable due to increased connectivity between shipboard and shoreside servers, IT and OT systems and crew welfare systems.
“While these uses of digital technology and solutions can provide ship owners and managers, shipboard personnel and shore side technicians with increased cost savings and operational enhancements,” Peretti explains, “they also increase the possibility of cyber risks.”
His team adds, “New construction, where frequently automation systems consist of multiple subsystems from numerous vendors, are integrated by shipyards with minimal vetting of the cyber risks posed by vendor subsystems. Operators require the ability to upgrade and/or patch OT systems.”
Derek Tang, Head of Engineering with Singapore-based maritime technology solutions provider SparesCNX, concurs, “The consequences of an onboard attack can have devastating effects if one were to remotely control pumps, machinery or navigation. Owner/operators must work closely with clients and infrastructure vendors to interface. This includes leveraging full-cycle external penetration testing to identify loopholes or security vulnerabilities in the code defense.”
In view of the relevance of cybersecurity to the maritime industry, the Singapore Shipping Association (SSA) is working with thirty participating companies to develop practical procedural documentation and cybersecurity scorecards for readiness. Objectives include providing companies a means of self-help health checks along with a roadmap to optimize defense and a reference source for small-to-medium enterprises for quotations when choosing vendors.
Leslie Yee, Chairman of SSA’s Cyber Security Subcommittee, says participating companies are worried they’re not technically strong or prepared for the typical hacker. A key challenge is trying to understand threats, trends and best practices and even how to integrate with cybersecurity providers.
Yee explains that the IMO 2021 guidelines and framework are not prescriptive and currently don’t offer clear paths to success. That’s why his subcommittee is focused on education and awareness while preparing a white paper to be sent to the Singapore Maritime Institute. SSA hopes to encourage more funding and resources from higher education and institutes to support the industry.
John Jorgenson, Chief Scientist at ABS CyberSafety, offers three main points to consider:
Risk needs to be understood as an event that “might happen.” For example, cyber-induced environmental pollution, in which a ship’s systems, while at port, are hacked via cellular or WiFi networks that then access and override onboard valves and pumps to release hazardous materials, fuel oil or ballast water. Jorgenson says allowing electronic devices in a control room can introduce a failure or intrusion mode that takes over propulsion management.
Cybersecurity is entirely a human activity guided by policy and procedural programs that don’t prohibit the use of technology without providing alternatives (i.e., blocking USB or other attachments). Companies must respect workers trying to do their job and not diminish efficiency, as they will find workarounds. Owners and operators must ensure “Due Care” through physical security, incident-logging and performance-monitoring of systems and equipment as well as “Due Diligence” through managed consistency of monitoring and training and continual improvements.
Cybersecurity is a part of systems engineering that directly supports reliability, data integrity and the robustness of hull, mechanical and electrical systems. It’s essential to identify critical systems, define deterministic parameters for gauging reliability (knowing that insecurity at a monitoring system can work backward to hijack your system) and know with how to recognize and mitigate threats. One must be able to “trust, but verify,” especially given the increasing number of integrated “smart” components with PLCs. Contractually, owners should consider SOC 2 Type 2 external audits for vendors.
Gideon Lenkey, Co-Founder & Director of Technology for maritime cybersecurity firm EPSCO-Ra, warns that many maritime operators are only seeking “paper protection” and not taking the threats seriously – at a time when the pandemic has increased vulnerability with more people working from home. He says the first step in defense is not technical but rather an exercise in calculating what the potential cost to the business of an attack would be.
“This step is commonly skipped and leaves the business in an odd place when trying to set a security budget,” he explains. “How do you know how much it’s worth spending if you haven’t quantified how much you can potentially lose if you don’t? Ask that before you move onto questions about having the right controls and if those controls work properly under the duress of an attack.”
Lenkey says that five years ago maritime cybersecurity consisted of consumer-grade firewalls and not-often-updated anti-virus software. However, as satellite broadband continues to mature, the future looks more like small office infrastructures. This will allow implementation of cybersecurity controls and processes that other industries take for granted – like cloud-based address verification services (used by credit card processors to help prevent fraud and chargebacks) and regular software patching (repairing program bugs).
Lenkey is a twenty-year cybersecurity veteran who’s worked closely with the FBI, co-authored the 2011 book Gray Hat Hacking and was featured in the documentary film Code 2600.
As digital connectivity permeates every facet of life, cyberwarfare now represents one of the greatest existential threats to modern society. Distance is no defense as risk currently looms within every networked device. Barbarians are at the gate. As proclaimed by Thomas Jefferson two centuries ago, “Eternal vigilance is the price of liberty.”
Sean Holt is a regular contributor & He serves on the Board of Directors of Autonomous Unmanned Vehicle Systems International – Cascade Chapter.