Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Coast Guard Warns Shipping Firms of Maritime Cyberattacks

A commercial vessel suffered a significant malware attack in February, prompting the US Coast Guard to issues an advisory to all shipping companies: Here be malware.

In February 2019, a large ship bound for New York City radioed the US Coast Guard warning that the vessel was "experiencing a significant cyber incident impacting their shipboard network." 

The Coast Guard led an incident-response team to investigate the issue and found that malware had infected the ships systems and significantly degraded functionality. Fortunately, essential systems for the control of the vessel were unimpeded.

On July 8, the military branch issued an alert to commercial vessels strongly recommending that they improve their cybersecurity in the wake of the incident, including segmenting shipboard networks, enforcing per-user passwords and roles, installing basic security protections, and patching regularly. 

"It is unknown whether this vessel is representative of the current state of cybersecurity aboard deep-draft vessels," the Coast Guard's alert stated. "However, with engines that are controlled by mouse clicks, and growing reliance on electronic charting and navigation systems, protecting these systems with proper cybersecurity measures is as essential as controlling physical access to the ship or performing routine maintenance on traditional machinery."

The focus on the security and safety of maritime networks is not new. Following the Stuxnet attack in 2009, which decimated the ability of Iran to enrich uranium ore and demonstrated the ability of cyber operations to impact physical infrastructure, government and industry began to look to their own defenses. Among those scrutinized sectors were maritime and shipping.

The European Network and Information Security Agency, now known as the European Union Agency for Cybersecurity, analyzed the state of maritime cybersecurity in 2011, releasing a report late that year. The report found that cybersecurity awareness in the maritime sector was "low to non-existent" and the focus of nearly all security measures were on physical systems. 

Six years later, the industry had woken up to the threats but still moved at a slow pace, says Markus Schmitz, managing director of SOFTimpact, a Cyprus-based IT solutions provider to the maritime industry. In 2017, however, the NotPetya ransomware attack hit computers at shipping firm AP Moller-Maersk, requiring the firm to reinstall 4,000 servers, 45,000 workstations, and 2,500 applications in less than two weeks, costing the firm between $250 million and $300 million.

The incident spurred the industry to greater efforts, focusing on cybersecurity issues, including establishing industry groups and vetting initiatives. Yet companies in the sector are still not ready, says Schmitz. 

Incidents like NotPetya are "bound to happen and such random incidents will happen to other shipping companies as well as companies of any other industry," Schmitz says. "In this regard, the shipping industry is neither more nor less vulnerable than any other globally operating business."

Yet more than 90% of the world's trade is carried by shipping, according to the United Nations' International Maritime Organization, and that puts the industry in the crosshairs of potential targeted attackers. Because the shipboard systems mix IT and operational technology (OT), companies are vulnerable to losing control of ships due to a cyberattack. 

In addition, the business model of global shipping makes the vessels even more vulnerable, SOFTimpact's Schmitz says. Crew tend to be temporary — independent contractors on voyage contracts — an arrangement that makes them hard to train and usually unfamiliar with a specific company's information security policy. In fact, most ships are operated with crew contracted through multiple levels of outsourcing, making assigning responsibility for information systems — and incidents to those systems — nearly impossible. Good luck telling the captain or a port pilot that they cannot use a USB stick, he says. 

"The role of the in-house IT must be extended to include the OT systems," Schmitz says. "The in-house IT must be trained on OT systems, must spend time onboard, must be included in purchasing processes, and must take responsibility."

The issues apparently plagued the commercial ship mentioned in the US Coast Guard alert. The ship's crew knew, but did not care, that the entire system was insecure.

"Prior to the incident, the security risk presented by the shipboard network was well known among the crew," the alert stated. "Although most crew members didn't use onboard computers to check personal email, make online purchases or check their bank accounts, the same shipboard network was used for official business — to update electronic charts, manage cargo data and communicate with shore-side facilities, pilots, agents, and the Coast Guard."

The US Coast Guard recommends that owners of vessels and the shipping firms that use the vessels require regular cybersecurity assessments. Other recommendations can be found on the Coast Guard's cybersecurity page.

For the most part, shipboard networks do not pose a great risk until they are specifically targeted by attackers who aim to compromise the operational networks. While those attacks are not common, they will come, says SOFTimpact's Schmitz.

"There is no reason to panic, but there is a problem and in many shipping companies, it has not been dealt with in an adequate (or organized) manner," he says.

Related Content

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
State of SMB Insecurity by the Numbers
Ericka Chickowski, Contributing Writer,  10/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11674
PUBLISHED: 2019-10-22
Man-in-the-middle vulnerability in Micro Focus Self Service Password Reset, affecting all versions prior to 4.4.0.4. The vulnerability could exploit invalid certificate validation and may result in a man-in-the-middle attack.
CVE-2019-12967
PUBLISHED: 2019-10-22
Stephan Mooltipass Moolticute through 0.42.1 (and possibly earlier versions) has Incorrect Access Control.
CVE-2019-17189
PUBLISHED: 2019-10-22
totemodata 3.0.0_b936 has XSS via a folder name.
CVE-2019-4523
PUBLISHED: 2019-10-22
IBM DB2 High Performance Unload load for LUW 6.1 and 6.5 is vulnerable to a buffer overflow, caused by improper bounds checking which could allow a local attacker to execute arbitrary code on the system with root privileges. IBM X-Force ID: 165481.
CVE-2019-17424
PUBLISHED: 2019-10-22
A stack-based buffer overflow in the processPrivilage() function in IOS/process-general.c in nipper-ng 0.11.10 allows remote attackers (serving firewall configuration files) to achieve Remote Code Execution or Denial Of Service via a crafted file.