Cyber Crime on the High Seas
December 20, 2021 | Robert Bergman
Israeli cybersecurity research specialist Naval Dome reports that attempted hacks on maritime networks have increased 400 percent since February 2020. Naval Dome has been warning about maritime security threats since 2020, which was at the peak of a three-year 900-fold increase.
“… many operators believe they have this protected with traditional cybersecurity, but the firewalls and software protecting the IT side do not protect individual systems on the OT network,” said Robert Rizika, Naval Dome’s Boston-based head of North American operations, in 2020.
“There will be a whole series of new cybersecurity openings through which people can attack if systems are not properly protected. If just one piece of this meticulously managed operation goes down, it will create an unprecedented backlog and impact global trade, disrupting operations and infrastructure for weeks if not months, costing tens of millions of dollars in lost revenues,” Rizika said in 2020.
Naval Dome CEO Itai Sela attributes the recent increase in malware, ransomware, and phishing attacks to the expanded use of technology amplified by the COVID-19 pandemic.
“As budgets are cut and in the absence of service engineers, we are seeing ship and offshore rig staff connecting their OT systems to shoreside networks, at the behest of OEMs, for brief periods of time to carry out diagnostics and upload software updates and patches themselves. This means that their IT and OT systems are no longer segregated and individual endpoints, critical systems, and components may be susceptible. Some of these are legacy systems which have no security update patches and are even more susceptible to cyber-attack,” he said.
“Our philosophy is that all systems must be protected using a risk ranking. If they are, then the entire platform is protected from both internal and external attack vectors. If only the network is protected, then whatever enters the net (such as an unintentional attack from authorized personnel) will infect all connected systems,” said Sela.
A recent report from the Atlantic Council describes the scope of the risk. It describes the maritime transportation segment (MTS) as a system of systems, composed of “individual ships, ports and terminals, shipping lines, shipbuilders, intermodal transport operators, cargo and passenger handlers, vessel traffic control, maritime administrators, and more. Each system has its own organizational peculiarities and dependencies. Moreover, regulation of the MTS is often indirect because of the interwoven nature of ship management, where many different states and entities might own, lease, sail, register, and crew one ship. Vulnerable systems control communications, propulsion, power, cargo management, passenger services, and bridge operations.
To help the maritime industry implement risk-based analysis, BIMCO, the world’s largest direct entry shipping organization, updated its Guidelines on Cyber Security Onboard Ships in January of 2021. The document explains why and how cyber risks should be managed in a shipping context, lists all supporting documentation required for a risk assessment and outlines the risk assessment process. It also advises on how to respond to and recover from cyber incidents.
The BIMCO guidelines, which take the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework Version 1.1 (April 2018) into account, call out the following points of vulnerability that may be present in existing and new ships:
- obsolete and unsupported operating systems
- unpatched system software
- outdated or missing antivirus software and protection from malware
- inadequate security configurations and best practices, including ineffective network management and the use of default administrator accounts and passwords
- shipboard computer networks, which lack boundary protection measures and segmentation of networks
- safety-critical equipment or systems always connected with the shoreside
- inadequate access controls to cyber assets, networks, etc. for third parties including contractors and service providers
- staff inadequately trained and/or lacking the skills to manage cyber risks
- missing, inadequate or untested contingency plans and procedures.
While most OT systems in the marine industry are still not connected to networks that allow external access, BIMCO says that it is important not to overlook or underestimate the increasing integration of Industrial Internet of Things (IIoT) devices on ships, which are being deployed more and more for remote monitoring and to improve operational efficiency. The guidelines warn that threat actors can scan for these systems and use them as the initial point of infiltration to a ship’s network, from which they can pivot as outlined previously.
Into the deep
The guidelines provide criteria for assessing the criticality of every system on board. “For OT systems,” they write, “such an impact assessment also forms part of the list of equipment and technical systems, the sudden operational failure of which may more or less promptly result in hazardous situations.”
This focus on individual systems is very much in keeping with Naval Dome’s calls for protecting individual systems on the OT network.
“It is not sufficient to protect only networks from attack. Each individual system must be protected. If networks are penetrated, then all connected systems will be infected,” Naval Dome President Sela said.
The BIMCO guidelines will get you as far as identifying which OT systems are most critical, but stop short of recommending replacement. They do, however, warn that purchasing of IT and OT systems must be coordinated because IT managers are not usually involved in the purchase of OT systems and may or may not have a thorough understanding of cyber security.
“Updating of OT software requires a thorough compatibility check and class approval as opposed to IT software, which is normally updated routinely. To obtain an overview of potential challenges and to help establish the necessary policy and procedures for software maintenance, it can be an advantage for the party responsible for cyber security onboard the ship to have an inventory of OT systems,” they write.
Unfortunately, even the most cyber-savvy OT buyers are not familiar with the cyber security issues that must be addressed at the factory, deep within the system’s electronics. Bedrock Automation’s white paper series, including Chapter 3, Fundamentals of Intrinsic Cyber Security, will help with that process, on land or sea.