In February 2019, a large ship bound for New York City radioed the US Coast Guard warning that the vessel was "experiencing a significant cyber incident impacting their shipboard network."
The Coast Guard led an incident-response team to investigate the issue and found that malware had infected the ships systems and significantly degraded functionality. Fortunately, essential systems for the control of the vessel were unimpeded.
On July 8, the military branch issued an alert to commercial vessels strongly recommending that they improve their cybersecurity in the wake of the incident, including segmenting shipboard networks, enforcing per-user passwords and roles, installing basic security protections, and patching regularly.
"It is unknown whether this vessel is representative of the current state of cybersecurity aboard deep-draft vessels," the Coast Guard's alert stated. "However, with engines that are controlled by mouse clicks, and growing reliance on electronic charting and navigation systems, protecting these systems with proper cybersecurity measures is as essential as controlling physical access to the ship or performing routine maintenance on traditional machinery."
The focus on the security and safety of maritime networks is not new. Following the Stuxnet attack in 2009, which decimated the ability of Iran to enrich uranium ore and demonstrated the ability of cyber operations to impact physical infrastructure, government and industry began to look to their own defenses. Among those scrutinized sectors were maritime and shipping.
The European Network and Information Security Agency, now known as the European Union Agency for Cybersecurity, analyzed the state of maritime cybersecurity in 2011, releasing a report late that year. The report found that cybersecurity awareness in the maritime sector was "low to non-existent" and the focus of nearly all security measures were on physical systems.
Six years later, the industry had woken up to the threats but still moved at a slow pace, says Markus Schmitz, managing director of SOFTimpact, a Cyprus-based IT solutions provider to the maritime industry. In 2017, however, the NotPetya ransomware attack hit computers at shipping firm AP Moller-Maersk, requiring the firm to reinstall 4,000 servers, 45,000 workstations, and 2,500 applications in less than two weeks, costing the firm between $250 million and $300 million.
The incident spurred the industry to greater efforts, focusing on cybersecurity issues, including establishing industry groups and vetting initiatives. Yet companies in the sector are still not ready, says Schmitz.
Incidents like NotPetya are "bound to happen and such random incidents will happen to other shipping companies as well as companies of any other industry," Schmitz says. "In this regard, the shipping industry is neither more nor less vulnerable than any other globally operating business."
Yet more than 90% of the world's trade is carried by shipping, according to the United Nations' International Maritime Organization, and that puts the industry in the crosshairs of potential targeted attackers. Because the shipboard systems mix IT and operational technology (OT), companies are vulnerable to losing control of ships due to a cyberattack.
In addition, the business model of global shipping makes the vessels even more vulnerable, SOFTimpact's Schmitz says. Crew tend to be temporary — independent contractors on voyage contracts — an arrangement that makes them hard to train and usually unfamiliar with a specific company's information security policy. In fact, most ships are operated with crew contracted through multiple levels of outsourcing, making assigning responsibility for information systems — and incidents to those systems — nearly impossible. Good luck telling the captain or a port pilot that they cannot use a USB stick, he says.
"The role of the in-house IT must be extended to include the OT systems," Schmitz says. "The in-house IT must be trained on OT systems, must spend time onboard, must be included in purchasing processes, and must take responsibility."
The issues apparently plagued the commercial ship mentioned in the US Coast Guard alert. The ship's crew knew, but did not care, that the entire system was insecure.
"Prior to the incident, the security risk presented by the shipboard network was well known among the crew," the alert stated. "Although most crew members didn't use onboard computers to check personal email, make online purchases or check their bank accounts, the same shipboard network was used for official business — to update electronic charts, manage cargo data and communicate with shore-side facilities, pilots, agents, and the Coast Guard."
The US Coast Guard recommends that owners of vessels and the shipping firms that use the vessels require regular cybersecurity assessments. Other recommendations can be found on the Coast Guard's cybersecurity page.
For the most part, shipboard networks do not pose a great risk until they are specifically targeted by attackers who aim to compromise the operational networks. While those attacks are not common, they will come, says SOFTimpact's Schmitz.
"There is no reason to panic, but there is a problem and in many shipping companies, it has not been dealt with in an adequate (or organized) manner," he says.