Is the Global Supply Chain the Next Big Cyber Target?
(Article originally published in Sept/Oct 2021 edition.)
“Cyberwarfare is the greatest threat to the maritime transportation system,” warns U.S. Coast Guard Rear Admiral John Mauger, Assistant Commandant for Prevention Policy. “The safe flow of global commerce relies on the seamless movement of information, and cybersecurity threatens that.”
After two years of stress, ports are congested, labor is scarce, and the International Chamber of Shipping warns of a global transportation system collapse – all while China’s Xi Jinping asks his military to “make preparations for war.”
Cyber attackers are waging political and economic warfare through ransomware, intelligence gathering and technological theft. In a highly digitized and networked “smart” society, cyber risks threaten energy grids, water treatment, governments, defense infrastructure and medical services as well as transportation, financial, electoral and corporate information technology (IT) systems.
Over the past three years, Maersk, Mediterranean Shipping Company (MSC), COSCO, and CMA CGM have all been victims of cybersecurity incidents. So what can maritime executives do?
Coast Guard Readiness
Rear Admiral Mauger discusses his command's efforts in securing the U.S. maritime transportation system: “Valued at $5.4 trillion and employing 30 million (1 in 12) Americans, this is a key economic and strategic issue. Cybersecurity is a risk just like many other operational functions. The key difference is managing. There must be accountability. Organizations must conduct a thorough assessment, understand the threats, identify gaps, then plan how to close and mitigate them.”
He says threats are everywhere and becoming more challenging: "Ordering ransomware is almost as easy as ordering a pizza, and bad actors are aggregating their efforts." Therefore, reporting and information-sharing with all stakeholders are critical.
To this end, the USCG maintains a blog called “Maritime Commons.” It has also established Information Sharing and Analysis Centers and increased grant monies through local Area Maritime Security Committees. Mauger says the industry needs to form standards for a cyber response organization like those created under the Oil Pollution Act of 1990 (OPA-90), following the Exxon Valdez oil spill.
Deploying Cyber Protection Teams (CPTs) – maritime cybersecurity specialists for "boots on the ground" impact – has been a big success, he adds. CPTs work with facilities to help review, implement and comply with requirements for Facility Security Plans as mandated by the Maritime Transportation Security Act. For guidance, when implementing a Cyber Risk Management Program, the Coast Guard recommends facilities utilize the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and NIST Special Publication 800-82.
“Although the port congestions we see today aren't related to cyberattacks,” Mauger says, “they highlight the fragility of the entire supply chain system and the consequences it could face in an all-out attack. We have the strategy and the necessary support from Congress and the Administration. The system is safe now, but it’s a challenge that everyone needs to work together to address.”
"Attack vectors from the energy and infrastructure sectors have now penetrated maritime," says Ian Bramson, Global Head of Industrial Cybersecurity for ABS. Cyberattacks against Colonial Pipeline, JBS Foods and water authorities should be warning bells for the industry. Right now they’re dinner bells for the bad guys. Advances in digitalization and autonomy have made networks more susceptible.
“Owner/operators need to inventory what systems are digital that weren't ten years ago,” Bramson notes, “and ask themselves what risks they now pose.”
The greatest risk is that companies have little or no visibility into their systems, he adds: "Businesses are confused at the board level. They concentrate on IT like ransomware and not enough on operational technology (OT) like physical equipment and components. The primary modus operandi is IT penetration that then hijacks OT. So if your ship gets stranded and hacked with valves open and spilling overboard, it's both an IT and OT problem."
He says the market must go beyond a set of standards or compliance: "If the government is telling me to do it, I'll do the least. You can be compliant and not secure. But if it's a market driver for competitive advantage, I'll do the most."
ABS’s Cyber Squared concept provides an industry cybersecurity rating (like Moody’s) with broad stakeholder involvement that includes risk analysis and research. Bramson emphasizes the need for higher levels of training for management, cultural change and enforcement of company policies to ensure companies go beyond bare compliance and achieve meaningful security.
How do you do this? By applying training (behavioral change), segmentation of networked systems and supply chain vetting, particularly design security in newbuild requirements. Managers need to ask vendors questions about cyber-acceptance testing for components. Onboard, they need to perform vulnerability assessments (risk rating) and configuration management (valve or perimeter changes) and monitor for abnormalities.
"Data is the new oil," states Max Bobys, Vice President of New Jersey-based HudsonCyber. "There’s a huge underground market for raw data, and it’s become a regional and national security issue."
Bobys cites how hackers and organized crime have accessed the Port of Antwerp to facilitate the illegal smuggling of drugs, weapons and humans into the E.U.: "It's a regional security concern with organized crime and syndicates representing a huge threat vector for the global maritime industry."
When asked how recent attacks translate into maritime threats, he replies, "SolarWinds, for example, was an aggregated cyber risk. Threats originate on land. If a vessel is attacked, it means that the entire system has been compromised. For example, supply chain system flaws that affect electronic chart display and information systems (ECDIS) from the source could compromise all fifty units onboard the fleet."
Other common threat vectors include people making honest mistakes. To make a difference, you must become "cyber aware," Bobys says. “Build out posture and resilience. Investments in training will yield the highest return. Train people to challenge email attachments, social media, abandoned thumb drives, or a stranger sitting outside in a car with a laptop (who may be hacking the Wi-Fi network).”
“If you see something, say something,” urges Bobys.
The objective is, "Protect, detect, respond, mitigate, then recover." Bobys references the Cybersecurity Guide for Ports and Port Facilities by the International Association of Ports and Harbors (IAPH) for additional resources.
Cyprus-based Epsco-Ra and its Director of Technology, Gideon Lenkey, also believe the greatest threat is the industry itself: "This is based on previous life experiences where nothing happened before. Management isn't yet buying into it."
As former head of the FBI's InfraGard program, Lenkey considers the level of integration of cybersecurity planning in maritime, beyond anti-virus and firewalls, laughable: "It’s no longer sufficient to simply be good at your business – you also must be good at protecting your data and network. Hackers are limited only by imagination. Attack surfaces increase as vessels become more intelligent and sophisticated."
A single point of entry, such as a phished password (emails believed to be from trusted parties) or an opened hyperlink, is all that is needed to crash a system. Paradigm shifts are compulsory in order to think about the things you don't anticipate. “Before 9/11, no one thought of a commercial airliner as a kinetic weapon,” he says. “‘No one would ever do that,’ you say? What if someone could shut the chillers down on a liquid LNG? Do this in port and cut the engines….”
Ports have become attractive targets for ransom attacks. Attack scenarios don't have to be super sophisticated. “Often, intrusion occurs from poor policy, lack of use of two-factor authentication methods (secondary measures like hardware tokens or mobile text confirmations), phishing and compromised IT & OT vendors,” Lenkey adds. “Once inside, attackers can lock down port management systems and then issue ransoms. As you can't clear documents, paper trails and ports shut down.”
However, Epsco-Ra views the supply chain as the newest cybersecurity risk for maritime. To defend, Lenkey says, "You have to be on top of threat intelligence and share information. Our clients weren't affected by SolarWinds or Kaseya because we were on top of it."
In addition, attackers don't want to waste energy, so hardening defenses often makes you less desirable for confrontation: "To prepare, companies need actionable, scenario-based playbooks, then tabletop exercises." Lenkey suggests adopting free standards like NIST 800-61 Rev. 2, Computer Security Incident Handling Guide and NIST 800-63 Rev. 5, Digital Identity Guide.
When performing risk analysis, potential hazards and their negative impact on operations are identified and ranked according to their probability and severity. Unfortunately, in this instance, both the probability and the severity rank high. To survive, companies must mitigate. We aren’t necessarily saying the sky is falling, but communications could soon be disru…. < transmission terminated >
Sean Holt is a frequent contributor on technology topics.
The opinions expressed herein are the author's and not necessarily those of The Maritime Executive.