The maritime industry transports 90% of the world’s trade and cyberattacks on shipping increased 900% between 2017 and 2020, to the tune of one incident on a ship every day. How much of your supply chain runs across the ocean?
Maritime shipping has proven a juicy target for bad actors in recent years. APM-Maersk in late June 2017, suffered $300 million in losses owing to critical systems infected by malware. China Ocean Shipping Company (COSCO) in July 2018, shut down its American IT network to prevent the spread of a ransomware attack.
In April 2020, Mediterranean Shipping Company (MSC) suffered a cyberattack on servers at its headquarters in Geneva, Switzerland, forcing a five-day website shutdown that prevented customers from making bookings through the portal. A ransomware attack against CMA CGM, the giant French maritime transport and logistics company, in September 2020, forced the company to shut down part of its network.
In a more recent incident, on November 25, 2021, Swire Pacific Offshore (SPO), the maritime services division of the Swire conglomerate, issued a notice that it had fallen victim to a cyberattack, resulting in authorized access to IT systems and loss of confidential, proprietary commercial information and personal data. The CL0P ransomware group later claimed responsivity for the hack, a claim deemed credible by BleepingComputer after viewing some of the stolen data, that included bank details and passport scans.
“The disruption of ships, ports, communications and shipping lanes is a genuine threat. This is crippling to the larger economy/larger supply chains—especially with things stretched thin today,” says Steve Moore, chief security strategist at Exabeam. “Amazon is even building its fleet with its own technology to control these problems more effectively.”
Reshoring initiatives notwithstanding, it’s tough to imagine either an immediate future where these sorts of attacks do not remain commonplace or maritime shipping no longer represents such an important aspect of the supply chain. And, some maritime cybersecurity concerns continue to remain almost completely unaddressed.
Three Maritime Cybersecurity Risk Categories
Josh Lospinoso, CEO and co-founder of Shift5, says cybersecurity vulnerabilities on a ship break down into three categories or “flavors” of technology: traditional computer systems, industrial control systems and the communications protocols that control the most critical functions on a ship.
Multiple radio frequency interactions for global positioning systems (GPS) or automatic identification system (AIS) take place while a ship travels. Those signals are not encrypted, creating opportunities for “spoofing,” when cyberattackers feed fake coordinates to a ship at sea. Radios on a ship can also connect to critical subsystems responsible for controlling propellers, rudders and generators.
While at port, connections to shore-based networks take place. If those networks are not secure, they make ship systems vulnerable to attack. “Of the four likely [maritime cyberattacks], on the mind—CMA CGM, Maersk, Mediterranean Shipping, and COSCO—three were confirmed ransomware back on the shore,” Moore says. “This jams up bookings, scheduling, delivery, etc. and is the most common attack.”
Every laptop, storage device and new piece of hardware plugged into the ship’s network represents a potential risk. “We’ve seen ships and aircraft where you’ve got floppy disks and compact flash drives that get swapped in and out and there’s oftentimes poor inventory management, no security around the updates that are flowing off of those systems,” Lospinoso says.
The kinds of IT cybersecurity products businesses use for desktop PCs or servers can mitigate some of these threats, especially where in-port connections or hardware interactions are concerned. Nonetheless, “It leaves you with a kind of a scary picture, honestly, that all of these different access vectors give attackers a huge surface area to work with,” Lospinoso says.
The second category, industrial control systems like PLCs and SCADA systems, require specialized attention. “There’s a whole multi-billion-dollar industry that’s grown up there, companies that focus on defending those sorts of assets,” Lospinoso says. “These companies are distinct from other sorts of cybersecurity vendors and hyper-focused on this problem because it is unique and different.”
It’s the third category that concerns Lospinoso the most, the communication standards that connect marine sensors and display units within vessels. GPS receivers, autopilots, wind instruments, depth sounders, navigation instruments, engine instruments, nautical chart plotters, all of these communicate using the NMEA 2000 standard, using OT called a NMEA 2000 bus.
Even with all the preventative cybersecurity a company may install on shipboard or shore-based networks, or the best inventory management for all the various devices that may interact with a ship’s computer, one maxim of cybersecurity is to accept that a determined attacker will always find a way in. So what happens if an attack succeeds at gaining access to ship systems and then plants malware inside the NMEA 2000 bus?
“Your GPS receiver could course correct the autopilot that’s steering because it’s all sort of one big chat room. What happens if there’s a nefarious participant on that bus? The answer is very, very bad things,” Lospinoso says. “There are virtually no folks that are focused on these serial data networks. This is changing over the past year or two but [still] a huge category of cybersecurity that is waiting to get defined. No one is on the NMEA 2000 bus in a ship, looking to make sure that there isn’t some rogue device that’s got bad firmware that’s taking over that network.”
Fight Maritime Cybercrime With Proven Strategies
So what should a company that depends on maritime shipping do in the face of these realizations? First, demand that your logistics partners use proper cybersecurity hygiene at the ports where they weigh anchor. Consider mandating third-party verifications of standards. Make sure your shipper has a solid first line of defense.
Next, acknowledge the existence of this special category of OT on maritime vessels. Just as an IT department can probably do a query within 30 seconds and say what version of the Linux operating system runs on servers, someone should be able to answer a question about what firmware versions run on all of a ship’s depth transducers.
Finally, realize that the sorts of IT cybersecurity processes and principles already in place at companies may serve as a template to also monitor the OT assets on ship. Then, take action.
“We haven't adapted those practices and principles and patterns to the ships themselves, to the control planes that run the central nervous system systems of these ships. And that is, to my mind, the biggest latent threat that exists to maritime industry,” Lospinoso says. “There's zero observability into those things at a corporate level and those are arguably the most critical components to generating revenue for the business.”
