Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Coast Guard Warns Shipping Firms of Maritime Cyberattacks

A commercial vessel suffered a significant malware attack in February, prompting the US Coast Guard to issues an advisory to all shipping companies: Here be malware.

In February 2019, a large ship bound for New York City radioed the US Coast Guard warning that the vessel was "experiencing a significant cyber incident impacting their shipboard network." 

The Coast Guard led an incident-response team to investigate the issue and found that malware had infected the ships systems and significantly degraded functionality. Fortunately, essential systems for the control of the vessel were unimpeded.

On July 8, the military branch issued an alert to commercial vessels strongly recommending that they improve their cybersecurity in the wake of the incident, including segmenting shipboard networks, enforcing per-user passwords and roles, installing basic security protections, and patching regularly. 

"It is unknown whether this vessel is representative of the current state of cybersecurity aboard deep-draft vessels," the Coast Guard's alert stated. "However, with engines that are controlled by mouse clicks, and growing reliance on electronic charting and navigation systems, protecting these systems with proper cybersecurity measures is as essential as controlling physical access to the ship or performing routine maintenance on traditional machinery."

The focus on the security and safety of maritime networks is not new. Following the Stuxnet attack in 2009, which decimated the ability of Iran to enrich uranium ore and demonstrated the ability of cyber operations to impact physical infrastructure, government and industry began to look to their own defenses. Among those scrutinized sectors were maritime and shipping.

The European Network and Information Security Agency, now known as the European Union Agency for Cybersecurity, analyzed the state of maritime cybersecurity in 2011, releasing a report late that year. The report found that cybersecurity awareness in the maritime sector was "low to non-existent" and the focus of nearly all security measures were on physical systems. 

Six years later, the industry had woken up to the threats but still moved at a slow pace, says Markus Schmitz, managing director of SOFTimpact, a Cyprus-based IT solutions provider to the maritime industry. In 2017, however, the NotPetya ransomware attack hit computers at shipping firm AP Moller-Maersk, requiring the firm to reinstall 4,000 servers, 45,000 workstations, and 2,500 applications in less than two weeks, costing the firm between $250 million and $300 million.

The incident spurred the industry to greater efforts, focusing on cybersecurity issues, including establishing industry groups and vetting initiatives. Yet companies in the sector are still not ready, says Schmitz. 

Incidents like NotPetya are "bound to happen and such random incidents will happen to other shipping companies as well as companies of any other industry," Schmitz says. "In this regard, the shipping industry is neither more nor less vulnerable than any other globally operating business."

Yet more than 90% of the world's trade is carried by shipping, according to the United Nations' International Maritime Organization, and that puts the industry in the crosshairs of potential targeted attackers. Because the shipboard systems mix IT and operational technology (OT), companies are vulnerable to losing control of ships due to a cyberattack. 

In addition, the business model of global shipping makes the vessels even more vulnerable, SOFTimpact's Schmitz says. Crew tend to be temporary — independent contractors on voyage contracts — an arrangement that makes them hard to train and usually unfamiliar with a specific company's information security policy. In fact, most ships are operated with crew contracted through multiple levels of outsourcing, making assigning responsibility for information systems — and incidents to those systems — nearly impossible. Good luck telling the captain or a port pilot that they cannot use a USB stick, he says. 

"The role of the in-house IT must be extended to include the OT systems," Schmitz says. "The in-house IT must be trained on OT systems, must spend time onboard, must be included in purchasing processes, and must take responsibility."

The issues apparently plagued the commercial ship mentioned in the US Coast Guard alert. The ship's crew knew, but did not care, that the entire system was insecure.

"Prior to the incident, the security risk presented by the shipboard network was well known among the crew," the alert stated. "Although most crew members didn't use onboard computers to check personal email, make online purchases or check their bank accounts, the same shipboard network was used for official business — to update electronic charts, manage cargo data and communicate with shore-side facilities, pilots, agents, and the Coast Guard."

The US Coast Guard recommends that owners of vessels and the shipping firms that use the vessels require regular cybersecurity assessments. Other recommendations can be found on the Coast Guard's cybersecurity page.

For the most part, shipboard networks do not pose a great risk until they are specifically targeted by attackers who aim to compromise the operational networks. While those attacks are not common, they will come, says SOFTimpact's Schmitz.

"There is no reason to panic, but there is a problem and in many shipping companies, it has not been dealt with in an adequate (or organized) manner," he says.

Related Content

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "I feel safe, but I can't understand a word he's saying."
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-10374
PUBLISHED: 2020-03-30
A webserver component in Paessler PRTG Network Monitor 19.2.50 to PRTG 20.1.56 allows unauthenticated remote command execution via a crafted POST request or the what parameter of the screenshot function in the Contact Support form.
CVE-2020-11104
PUBLISHED: 2020-03-30
An issue was discovered in USC iLab cereal through 1.3.0. Serialization of an (initialized) C/C++ long double variable into a BinaryArchive or PortableBinaryArchive leaks several bytes of stack or heap memory, from which sensitive information (such as memory layout or private keys) can be gleaned if...
CVE-2020-11105
PUBLISHED: 2020-03-30
An issue was discovered in USC iLab cereal through 1.3.0. It employs caching of std::shared_ptr values, using the raw pointer address as a unique identifier. This becomes problematic if an std::shared_ptr variable goes out of scope and is freed, and a new std::shared_ptr is allocated at the same add...
CVE-2020-11106
PUBLISHED: 2020-03-30
An issue was discovered in Responsive Filemanager through 9.14.0. In the dialog.php page, the session variable $_SESSION['RF']["view_type"] wasn't sanitized if it was already set. This made stored XSS possible if one opens ajax_calls.php and uses the "view" action and places a pa...
CVE-2020-5284
PUBLISHED: 2020-03-30
Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your applicati...