Securing Vessels at Sea: Frontline Insights on Maritime Cybersecurity
After a string of cyberattacks affecting leading maritime companies like Maersk, CMA CGM and Cosco, cyber threats have become a top priority for maritime regulators. As nation-states and sector organizations pass measures to bolster the industry’s cyber resilience, shipowners and operators are often left scrambling to keep up. The 2021 deadline for compliance with the IMO resolution on cyber risk management is no different.
Are the threats real? How are owners and operators addressing cyber risks on vessels? And are these actions sufficient for certification and IMO compliance?
To learn more, TME spoke with Mission Secure, an OT cybersecurity leader helping clients in the maritime, defense, and other critical infrastructure industries stop OT cyber threats head-on. Mission Secure's Don Ward, Senior Vice President of Global Services, and Weston Hecker, Senior Ethical Hacker, Researcher, and Penetration Tester, gave an inside view of what they see on the front lines as they help the industry manage cyber risks in day-to-day operations.
TME: Can you tell us what you’re seeing today in the cybersecurity threat environment?
Don: Maritime operators have been seeing serious threats in the position, navigation, and timing (PNT) arena. For example, one organization takes ships through the Strait of Hormuz and is constantly affected by GPS jamming signals; they’re very concerned that it could lead to a grounding, or at minimum, idling in place and stalling a voyage.
Most of our maritime clients are also concerned about the separation between the operational technology (OT) environments on the ships and the ship’s business (IT) network. In many cases, the owners of the vessel don’t have access to third-party operational technology networks. These are the networks designed by maritime equipment OEMs, and they control everything from water and electricity to ballast water and the main engines. Managing third-party vendors is a significant challenge for many operators.
Weston: The entire attack surface has had - no pun intended - a sea change over the last few years. Nation-state and non-state threat actors are becoming more and more active, and the ability to perform attacks remotely is increasing. Hackers can have custom malware developed, often by professional programmers who cross legal and moral boundaries. The threats are definitely escalating, and we saw that last year across the industry.
TME: Are the IMO 2021 cybersecurity requirements leading shipowners to address these vulnerabilities?
Don: Definitely. IMO released resolutions and guidelines in 2017 centered around integrating cyber risk management into ships’ safety management systems (SMS) by this year. The rule provides guidelines, but there’s a lot that one has to address. The big fear among shipowners is that they don’t have a full checklist of what it will take to achieve compliance.
We’re also seeing owners and operators looking to reconcile the IMO requirements that point to the major tenets of NIST with other industry standards/frameworks, like BIMCO, ISO 27001, and IEC 62443. There’s a lot of interest in addressing and mitigating cyber risks. Part of that is, of course, driven by compliance. But some companies are also using the opportunity to get ahead of cyber threats and make their operations resilient. The resulting actions range from multi-standard, deep-dive assessment and security architectures to full-blown 24/7 managed cybersecurity services, depending on the organization’s requirements.
TME: Can you tell us about what you do when you go aboard a ship and evaluate its security?
Don: We usually try to put a team on-site, both control systems experts and IT cybersecurity experts. We go aboard and do a full walk-down, tracking all cables and validating network diagrams, among other actions. It’s a comprehensive process covering technology but also processes and people. Interviews with the crew and reviewing plans and incident response flow are just as important as looking at the network architecture.
And we often find that systems that were supposed to be on an island — for example, cargo management systems — were improperly back-connected to the rest of the ship’s network with serial or other network connections back-ended into engineering workstations and HMIs. We’ve noticed that often the network infrastructure for switches and wireless access points might have been chosen and deployed over time in an ad hoc manner, without regard to standardization, and often involving three or four different vendors — all contributing to more Product Security Incident Response Teams (PSIRTs) and unpatched attack surfaces. They might have multiple vendors for the same technology, like firewalls, and some of these vendors provide consumer-grade rather than enterprise-grade equipment.
There are also physical vulnerabilities that anyone who boards the vessel could compromise — unlocked equipment cabinets, sticky notes with passwords, modifications to cabling, and other physical avenues of attack. Crew members also bring in their own technology, like streaming or Roku devices, wireless access points, and wireless printers and mice, which can be easily hacked, and sometimes, those devices will circumvent the firewall between the IT and OT networks.
Weston: I can’t stress enough how many times I’ve gotten into a network by hacking a wireless printer. That’s one of the most significant points of exploitation that we come across on ships. Wireless keyboards and mice are also very vulnerable. By hijacking a wireless mouse connection, I can inject keystrokes and commands into a target computer and potentially even capture the user’s keystrokes — including usernames and passwords.
We’ve also seen vulnerabilities in wifi repeaters designed to expand the ship’s wireless networks. The operator will install subpar repeaters, and I’m able to spoof my way onto those networks. In some cases, it’s possible to gain access from up to a quarter of a mile away from the ship using directional wireless capabilities. The attack surface is massive, and these comprehensive assessments identify the holes and weaknesses.
TME: How do you get crew buy-in when you go in to do an assessment?
Don: That’s certainly a challenge throughout the industry. Let’s say that the CISO or CIO approves the assessment plan. When you get on the ship, the entire crew may be looking at you and thinking, “Why are you here? I’m not doing anything; I’m not going to allow you access.” For any company doing assessments, you need to have free and open access, and you want to have the comfort to talk to personnel on board and understand their workflow. Do they have an incident response plan or a cybersecurity plan in place? If you don’t get honest answers, you can’t provide a holistic picture back to your customer.
That’s where having both control systems OT experts and IT cybersecurity experts comes into play. Our OT experts know precisely what’s going on because they had the same mentality when IT teams would enter their plant or facility – don’t mess anything up, stop things from running, etc. Cybersecurity and operations still have an IT versus OT mentality. It’s necessary to bring those two groups together to get buy-in and make progress - or at least establish a level of trust to complete an accurate, thorough assessment. Our diverse team and multi-faceted skillset have allowed us to bridge that gap for organizations.
TME: How do you help the customer to reduce their risk?
Don: It varies by the company, their requirements and their cyber maturity level. But our objective with every customer is to get them past the mere visibility and detection stages to a point where they’re able to actually protect their operations and stop OT cyber threats. An analogy I use often is that a security camera will tell you you’re being robbed, but a security guard will stop it. We help create that security guard for operations.
In action, we often start with an assessment to help the client understand their current cyber posture. Then, we prepare a secure cyber architecture design that allows for greater protection — more segmentation of the IT and OT networks and the building of enclaves. We help the customer transition to a zero-trust model that eliminates enterprise-centric or consumer-centric multicast or broadcast protocols and a running list of other vulnerable and easily hacked protocols. For example, by implementing a white-listing rule set and using firewalls and intrusion prevention technology, you can eliminate many unauthorized devices and programs from production control systems.
The third-party OT networks are often most challenging and cannot be done right away. These networks are all behind the vendor’s own “iron curtains” — the vendor won’t allow you in, and they void the warranties on their equipment if you go in and attempt to patch a vulnerability yourself. Sometimes the only way to address these vulnerabilities is to install a “virtual patch” through deploying in-line OT/IT firewalls/IPS systems to isolate a third-party vendor’s control network. That’s also part of what we cover with the Mission Secure Platform.
Many of our clients have larger fleets. For sister ships, we often assess one vessel of each type (i.e., LNG/LPG, FSRUs, Drillships, Tankers) and come up with a secure architecture, and then they move forward and apply that design to the other ships in the same series.
TME: How easy is it to achieve significant improvements?
Don: In a typical process with a maritime customer, if they can get 50 percent of what we recommend addressed, they are in a much better position. Many of the actions are cyber hygiene best practices; upgrade some of the network infrastructure — the switches, the routers, the wifi — to something enterprise-grade, or patch their existing products. However, the need to continue to “virtually patch” through the deployment of Purdue Level 0 to 3.5 visibility, detections, and protections will always be necessary for almost all OT/ICS environments.
Weston: Our remediation advice is very actionable. We know the limitations of shipboard equipment because some of our technicians have set them up for the last 25 years. They know the specifics of those systems, their engineering, and how they have changed over the years. We come up with a usable and realistic plan for the shipowner.
TME: How can you help shipowners who are investing in new vessels?
Don: In the case of a first-in-class newbuild, we go straight into a secure architecture design process; there’s no need to do any pen-testing because it’s a brand new infrastructure. And often, the same design can be used for the whole series. This is ideal because security can be built in from the start, and then owners and operators just need to monitor and maintain their operation like one would with safety.
We’ve also had a couple of customers that have built new sister ships in a vessel series that we’ve already assessed and for which we’ve designed a secure cyber architecture. They just incorporated some of the changes that we’ve suggested previously into the newbuilds.
TME: Seaports aren’t covered by the IMO guidelines, but are you seeing interest from port operators as well?
Don: In the U.S., ports are considered critical homeland security infrastructure. Many of them have cranes that can be hacked and cargo management and transportation systems that could cause economic damage if they were compromised. Or they could infect vessels coming to their port. Even though the IMO guidelines don’t cover them directly per se, ports are considered critical supporting infrastructure, and many ports we’re working with want to ensure they’re doing their part as well. It’s vital to their business and clients – ship operators.
Weston: During the COVID-19 pandemic, many ports reduced their IT and OT staff; the operators we’ve been talking to are worried because they’ve lost some critical skillset and functions. Some operators even lost some background knowledge about how assets or systems are set up in their facilities. Currently, part of what ports need is help in getting their documentation right. For industrial, defense, and critical infrastructure operations, we’re uniquely qualified to help because we have teams with the experience, certifications, and clearances to work on docks and industrial equipment. Not a lot of pen-testing or security companies have that capability.
TME: What about the seaports that are making plans to switch their OT systems to 5G?
Weston: Especially when you’re an early adopter, it’s essential to get good advice. When the project is not properly managed, the new network might be built with security loopholes from the outset, just because of loose configurations and a “security through obscurity” approach; I’ve seen that firsthand. But if it’s set up properly, it’s amazing how much security you can build in from the beginning. We have years of in-house experience in cellular network design and can provide that guidance.
Don: As an example, we have one port project focused on a brand new port expansion, and they have the foresight to incorporate defense-in-depth from the start. Expertise is essential in setting up these new port systems. For example, some of these networking products’ default settings rely on an unmanaged IPv6 communications protocol. We find that all the time, and that’s an easy attack vector.
TME: What are the biggest risks you’re looking at going forward?
Don: We’re particularly concerned about malware and ransomware. Again, the number of third parties on these vessels amplifies the threat. The vessel itself might be secure, but you’ve got multiple SSL-encrypted tunnels that are coming into the ship and going to each of the third-party networks. This is an avenue of attack for a hacker.
The third parties’ technicians can also create serious problems if they make a mistake. We saw one situation where an OEM tech was working on a shipboard network remotely and tried to close a valve. It nearly caused a spill. The Mission Secure Platform can force authentication, then track, audit, and log third-party activity to manage this risk.
We also consider more deliberate insider threats. A nation-state could pay crewmembers or technicians to plug in a device or apply a “patch” that could propagate an advanced persistent threat. You can see from the recent SolarWinds attack in the enterprise space how serious this danger might be. There’s a massive concern in the maritime industry with control system vendors, those third parties, being impacted by something similar to SolarWinds.
I tell all of our customers that we try to protect against four types of threats: you from the outside, you from you, you from your third parties on the ship, and the third parties from each other. At a minimum, we try to create barriers around and between the third-party networks so that if there is damage, it’s localized and controlled. Cybersecurity is an ongoing journey, but with new technologies and digital transformation, it’s really table stakes now to be cyber secured and resilient.
This post is sponsored by Mission Secure. To help owners, operators, and ports learn more about complying with the 2021 IMO cyber risk management guidelines, Mission Secure has created an IMO regulatory overview. This regulatory overview summarizes key parts of the IMO 2021 cybersecurity measures, complete with cross-references to ISO/IEC 27001 and the Guidelines on Cyber Security on Board Ships. For more information, please visit https://www.missionsecure.com/imo-cyber-risk-management-regulatory-overview.
The opinions expressed herein are the author's and not necessarily those of The Maritime Executive.