SoS Musings #51 - The Vulnerability of the Maritime Industry to Cyberattacks

SoS Musings #51 -

The Vulnerability of the Maritime Industry to Cyberattacks

Although not as publicized as attacks on other sectors, cyberattacks are a major threat to the maritime industry. Naval Dome, an Israel-based cybersecurity specialist, found that there was a 400 percent increase in attempted cyberattacks against the maritime industry in the first few months of the COVID-19 pandemic. Cyberattacks on the maritime industry could have significant economic, social, and political impact, with essential products including food, oil, and medicine, relying on the shipping industry to reach people globally. According to the United Nations (UN), more than 90 percent of the world's trade is carried by shipping, making maritime transport critical to the global economy. The increasing number of cyberattacks emphasizes the importance of bolstering maritime cybersecurity. For example, an ultra-large container ship bound for New York City was hit with a cyberattack resulting from an Emotet malware infection. According to the U.S. Coast Guard, the malware could have been introduced into the ship's systems because of poor cybersecurity practices. The crew reported the debilitation of their shipboard network by the Emotet malware. The crew, along with the shipping company's system administrators working onshore, struggled to resolve the issue. If the ship's malware had spread and shut down the Port of New York and New Jersey, which handles $1 billion to $2 billion in cargo per day, the consequences would have been economically disastrous. It is essential for the maritime industry, together with the security community, to explore the cybersecurity challenges and vulnerabilities faced in this realm to get better insight into best practices and the development of new security methods.

There are several fundamental issues that make it challenging for the maritime industry to address cybersecurity. To further highlight the complexity of the maritime industry and how it affects cybersecurity, Professor Keith Martin and former Ph.D. researcher Rory Hopcraft of Royal Holloway University of London described these issues. The first issue stems from the fact that there are various classes of vessels, all of which operate in significantly different environments. These vessels tend to contain different computer systems, with many having been discovered to be running outdated and unsupported operating systems, thus increasing their vulnerability to cyberattacks. The second issue is that the users of maritime computer systems are constantly changing as ship crews often switch at short notice. This means crew members are often using systems with which they are unfamiliar, and this increases the risk of human error that could lead to a cybersecurity incident. In addition, the responsibility of maintaining onboard systems is often distributed to various third-party entities, increasing the possibility of a ship crew having little understanding of the interactions between those systems. The third issue highlighted by Martin and Hopcraft is the connection between onboard and terrestrial systems that is required for maritime companies to communicate with their vessels. This linkage results in the ship's cybersecurity also being dependent on the cybersecurity of land-based infrastructure. As technology continues to advance, the convergence of IT and Operational Technology (OT) onboard ships and their connection to the Internet increases vulnerability to attacks. It is important to explore the challenges associated with the uniqueness of maritime OT systems such as Vessel Integrated Navigation Systems (VINS), Global Positioning Systems (GPS), Automatic Identification Systems (AIS), satellite communications, radar systems, and electronic charts, in order to address cyberthreats. While these technologies offer significant benefits for efficiency in the maritime industry, they also pose risks to critical systems and processes associated with the operation of systems that are important for shipping. These risks may result from intentional and unintentional cyberthreats as well as vulnerabilities stemming from the design of cyber-related systems and issues associated with their operation, integration, and maintenance. It is important to consider these issues and challenges when addressing cyberthreats to the maritime industry that could cause damage to the marine environment, hinder the ship's operation, and endanger the onboard personnel and cargo.

Studies have pointed to the potential impact of maritime cyberattacks and the need to improve cybersecurity in the maritime industry. Naval systems used to track the position of ships were found to contain various vulnerabilities that hackers could exploit for infiltration. Ken Munro and Iian Lewis of Pen Test Partners (PTP) demonstrated multiple methods for interrupting and disrupting the shipping industry, highlighting years-old security issues in enterprise technology used in maritime environments that leave vessels vulnerable to hacking, tracking, and more. Weak default passwords, the failure to apply software updates, and insufficient encryption were mentioned as leading factors behind various attacks against shipping vessels and associated operations. In order to demonstrate how hackers could exploit such weaknesses, the PTP researchers used a ship tracker published by Shodan, the Internet of Things (IoT) search engine, to develop a vulnerable ship tracker that links satellite communication terminal version details to live GPS position data. If the version of software on terminals were known to threat actors, they could find out if there were security weaknesses and how to exploit them. The PTP researchers created a clickable map highlighting the real-time positions of exposed ships. The tracker omitted any data refresh and only featured historical data, so hackers were unable to use it for their own advantage. Many satcom terminals on ships were found to be available on the public Internet with default passwords. The researchers also warned that hackers can cause chaos in the shipping industry by compromising Electronic Chart Display and Information Systems (ECDIS) used for ship navigation. Through the abuse of the ECDIS, hackers might be able to crash the ship in poor visibility conditions (i.e., fog) where the crew might be "screen fixated," instead of looking out the window. They tested over 20 different ECDIS units and discovered many security flaws, such as the use of old operating systems and poorly protected configuration interfaces. Other shipboard controls, such as OT systems that manage the engines, ballast pumps, the steering gear, and more, were found communicating in plain text, with no authentication, encryption, or validation, and this could allow attackers to steer a ship off course by changing its GPS autopilot command. Ruben Santamarta, a researcher at the information security firm IOActive, drew attention to the possibility of cyber-physical attacks called High-Intensity Radio Frequency (HIRF) attacks on satellite communication systems, including those used by ships. These attacks involve turning satellite antennas into weapons that operate like microwave ovens to potentially physically injure ship crew or damage systems in order to cause further havoc for the shipping industry. Weston Hecker, an ethical hacker with the security firm Mission Secure, drew further attention to the importance of exploring maritime cybersecurity by hacking into a company's phone network, IT network, and then its ships via the guest Wi-Fi in a customer's home office within a short time. Hecker showed that attackers could exploit the weaknesses of a ship through a wireless keyboard, an unsecured printer, and more. Such studies should continue to uncover potential cyber risks facing the maritime industry and highlight the dangers of cyberattacks in this realm.

Efforts are being made to improve maritime cybersecurity, but more contributions are needed. The Maritime Institute of Technology and Graduate Studies (MITAGS) recently released a guide to ship cybersecurity, covering the types of cyberattacks that can affect a vessel, the stages of such attacks, the identification of cyber vulnerabilities on a ship, and the creation of a ship cybersecurity plan. According to MITAGS, examples of techniques commonly used by cybercriminals to discover and exploit vulnerabilities in a ship include malware, phishing, water holing, social engineering, brute force, denial-of-service, spear-phishing, and impersonation. To identify cyberattack targets on a ship, MITAGS suggests examining cargo management systems, bridge systems, power control systems, passenger service systems, public networks, communication systems, and other onboard systems. The maritime industry is encouraged to address common flaws, including the use of obsolete operating systems, the use of outdated anti-malware software, the lack of security protocols, insufficient access controls, and more. MITAGS also encourages the development of a cybersecurity plan for all ships that involves identifying threats and vulnerabilities, assessing risk exposure, developing protection and detection tools, and establishing a contingency plan. The International Maritime Organization (IMO) provides guidance on maritime cyber risk management with high-level recommendations regarding the protection of shipping from current and emerging cyber threats and vulnerabilities. IMO calls on the maritime industry to define responsibilities for cyber risk management, identify systems that pose risks to ship operations when disrupted, implement risk control measures, implement activities to quickly detect cyber events, develop plans to restore systems necessary for shipping operations impaired by a cyberattack, identify measures to restore systems needed for shipping services, and more. Another guide on cybersecurity for the maritime industry was produced and supported by Chamber of Shipping of America, Digital Containership Association, International Association of Dry Cargo Shipowners (INTERCARGO), World Shipping Council (WSC), International Union of Marine Insurance (IUMI), and other maritime organizations. Version 4 of "The Guidelines on Cyber Security Onboard Ships" recommends adopting a defense-in-depth approach to protecting critical systems and data of ships, which involves segmenting networks, using firewalls, performing periodic vulnerability scanning and testing, conducting software whitelisting, and other essential cybersecurity practices. The maritime industry and the security community should explore such guides to implement the proper cybersecurity practices and potentially develop new methods for protecting the shipping industry from cyberattacks.