US Coast Guard Academy cadets participate in NSA cybersecurity exercise, 2021 (USCG file image)

Posted on December 12, 2021 at 7:58 PM by

Sean M. Holt







(Article originally published in the September / October 2021 edition)







“Cyber warfare is the greatest threat to the shipping system,” warns Rear Admiral John Mauger of the US Coast Guard, deputy commander of prevention policy. “The secure flow of global commerce relies on the smooth flow of information, and cybersecurity threatens it.”

After two years of stress, ports are congested, manpower is scarce, and the International Chamber of Shipping warns of a collapse of the global transport system, while China’s Xi Jinping calls on his army to “Prepare for war”.

Cyber attackers wage political and economic warfare through ransomware, intelligence gathering, and technological theft. In a highly digitized and networked “smart” society, cyber risks threaten energy grids, water treatment, governments, defense infrastructure and medical services, as well as transportation, financial, electoral and IT systems.

Over the past three years, Maersk, Mediterranean Shipping Company (MSC), COSCO and CMA CGM have all fallen victim to cybersecurity incidents. So what can maritime executives do?

Coast Guard readiness

Rear Admiral Mauger discusses his command’s efforts to secure America’s shipping system: “Valued at $5.4 trillion and employing 30 million Americans (1 in 12), this is an economic and key strategic issue. Cyber security is a risk like many other operational functions. The main difference is management. There must be some accountability. Organizations need to do a thorough assessment, understand threats, identify gaps, and then plan how to close and mitigate them.”

He says threats are everywhere and are getting harder and harder: “Ordering ransomware is almost as easy as ordering pizza, and the bad actors are coming together.” Therefore, reporting and sharing of information with all stakeholders is essential.

To this end, the USCG maintains a blog called “Maritime Commons”. It established centers for information sharing and analysis and increased grants through local maritime safety committees. Mauger says the industry needs to set standards for a cyber response organization like those created from the Oil Pollution Act of 1990 (OPA-90), in the wake of the Exxon Valdez oil spill.

The deployment of Cyber Protection Teams (CPTs), specialists in maritime cybersecurity for a “boots on the ground” impact, has been a great success, he adds. CPTs work with facilities to help review, implement and comply with the requirements of facility security plans, in accordance with the Maritime Transportation Security Act. As a guideline, when implementing a cyber risk management program, the Coast Guard recommends that facilities use the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and NIST Special Publication 800-82.

“Although the port congestions we see today are not linked to cyber attacks,” says Mauger, “they highlight the fragility of the entire supply chain system and the consequences it could face during an all-out attack. We have the strategy and the necessary support from Congress and the Administration. The system is secure now, but it’s a challenge that everyone has to tackle together.”

Attack Vectors

“The attack vectors from the energy and infrastructure sectors have now penetrated the maritime sector,” says Ian Bramson, global head of industrial cybersecurity for ABS. Cyber attacks on Colonial Pipeline, JBS Foods and water authorities should be a wake-up call for the industry. Right now, it’s dinner bells for the bad guys. Advances in digitization and autonomy have made networks more sensitive.

“Owners / operators need to identify digital systems that were not digital ten years ago,” notes Bramson, “and ask themselves what risks they present now”.

The biggest risk is that companies have little or no visibility into their systems, he adds: “Companies are confused at the board level. They focus on IT like ransomware and not enough on operational technology (OT) like physical equipment and components. The modus operandi is computer penetration which then hijacks OT. So if your ship is stranded and hacked with valves open and spilling overboard, it is both a computer and an OT problem.”

He says the market has to go beyond a set of standards or compliance: “If the government tells me to do it, I will do the least. You can be compliant and not secure. But if it’s a market driver for competitive advantage, I’ll do my best.”

ABS’s Cyber Squared Concept provides an industry cybersecurity assessment (like Moody’s) with broad stakeholder engagement that includes risk analysis and research. Bramson emphasizes the need for higher levels of training in management, culture change and the application of company policies to ensure that businesses go beyond mere compliance and achieve meaningful security.

How do you do that? By applying training (behavior change), segmentation of networked systems and supply chain control, especially design safety for new construction requirements. Managers should ask vendors questions about component cyber acceptance testing. On board, they must perform vulnerability assessments (risk assessment) and configuration management (valve or perimeter changes) and monitor the detection of anomalies.

Data protection

“Data is the new oil,” says Max Bobys, vice president of New Jersey-based HudsonCyber. “There is a huge underground market for raw data, and it has become a regional and national security issue.”

Bobys cites how hackers and organized crime gained access to the port of Antwerp to facilitate the illicit trafficking of drugs, weapons and people to the EU: “It’s a regional security issue with organized crime and unions representing a huge threat vector to the global maritime industry.”

When asked how recent attacks translate into maritime threats, he replied, “SolarWinds, for example, was an aggregate cyber risk. Threats come from the land. If a ship is attacked, it means the whole system has been compromised. For example, supply chain system faults that affect Electronic Chart Display and Information Systems (ECDIS) from source could compromise the fifty units on board the fleet.”

Other common threat vectors include people who make honest mistakes. To tell the difference, you have to become “cyber-aware,” says Bobys. “Develop your posture and resilience. Investments in training will produce the highest return. Train people to challenge email attachments, social media, abandoned USB drives, or a stranger sitting outside in a car with a laptop (which can hack into the Wi-Fi network).”

“If you see something, say something,” Bobys urges.

The goal is “Protect, Detect, Respond, Mitigate, Then Recover”. Bobys refers to the International Association of Ports and Harbors (IAPH) Cyber Security Guide for Ports and Facilities for additional resources.

Industry buy-in

Cyprus-based company Epsco-Ra and its chief technology officer, Gideon Lenkey, also believe the biggest threat is the industry itself: “This is based on past life experiences where nothing has happened before. The management does not yet adhere to it.”

As a former head of the FBI’s InfraGard program, Lenkey finds the level of integration of cybersecurity planning in the maritime domain, beyond antivirus and firewalls, laughable: “It’s no longer enough to just be good at your business – you need to be good at protecting your data and your network, too. Hackers are only limited by the imagination. Attack surfaces increase as ships become smarter and more sophisticated.”

A single point of entry, such as a phished password (via emails supposedly from trusted parties) or an opened hyperlink, is all that is needed to crash a system. Paradigm shifts are mandatory in order to think about the things you don’t anticipate. “Before September 11, no one thought of a commercial airliner as a kinetic weapon,” he says. “‘No one would ever do that,’ you say? What if someone could shut down the coolers on liquid LNG? Do it at the port and shut down the engines…”

Targeted attacks on ports have become honeypots for ransom. Attack scenarios don’t need to be very sophisticated. “Often the intrusion is due to bad policy, lack of use of two-factor authentication methods (secondary metrics such as hardware tokens or mobile text confirmations), phishing, and IT and OT providers compromise,” adds Lenkey. “Once inside, attackers can lock down port management systems and then issue ransoms. Since you cannot erase documents, paper trails and ports are closed.”

However, Epsco-Ra considers the supply chain to be the newest cybersecurity risk for the maritime industry. To defend himself, Lenkey says, “You need to be aware of threat intelligence and share information. Our customers were not affected by SolarWinds or Kaseya because we knew about it.”

Additionally, attackers don’t want to waste energy, so strengthening defenses often makes you less desirable for confrontation: “To prepare, companies need actionable, scenario-based game manuals and then table exercises.” Lenkey suggests adopting open standards such as NIST 800-61 Rev. 2, Computer Security Incident Handling Guide, and NIST 800-63 Rev. 5, Digital Identity Guide.

Fall from the sky

During risk analysis, potential hazards and their negative impact on operations are identified and classified according to their likelihood and severity. Unfortunately, in this case the likelihood and severity are high. To survive, businesses must mitigate. We’re not necessarily saying the sky is falling, but communications could soon be disrupted…. < transmission terminated >

Sean Holt is a frequent contributor on technology topics.

The opinions expressed here are those of the author and not necessarily those of The Maritime Executive.