Maritime cyberthreats reflect expansion of vulnerable systems, shifting focus to boosting cybersecurity posture


The emergence of cyber threats in the maritime sector has become a growing concern, as hackers target this critical lifeline, posing a significant risk to the safety and security of maritime operations. The increasing digitization and connectivity of maritime systems, vessels, and ports have made the maritime sector more vulnerable to cyber attacks, which can potentially disrupt essential services, compromise sensitive data, and even put lives at risk.

Adversaries may target various aspects of the maritime industry, including navigation systems, communication networks, cargo management systems, and port infrastructure. The prevailing threat landscape highlights the importance of investing in cybersecurity measures, employee training, secure network architecture, and collaboration with experts to safeguard operations against cyber threats. Despite this, the maritime industry faces cybersecurity challenges when it comes to investment, regulation, supply chains, organizational culture, and access to talent.


Hackers may gain unauthorized access to a vessel’s systems, potentially taking control of essential functions and creating dangerous situations such as loss of control over propulsion or steering. Additionally, they may target port infrastructure, which can lead to disruptions in cargo handling, customs clearance, and logistical operations, impacting the flow of goods and potentially causing significant economic losses. Maritime operations involve complex supply chain structures, exposing systems to compromise or the introduction of malicious software by cyber attackers.

Cybersecurity breaches that target critical systems on a vessel can have severe consequences on the vessel’s stability, safety, and overall operations. Ransomware hackers have found ways to encrypt a vessel’s critical data, making it inaccessible until a ransom is paid. Such cybersecurity attacks can disrupt ship systems, navigation, and communication, leading to significant safety risks for the crew and the vessel. 

Connected devices on vessels can create vulnerabilities if they are not adequately secured, allowing attackers to exploit weaknesses in the network. GPS spoofing can send false signals to the ship’s navigation systems, leading to incorrect positioning and navigational errors, resulting in collisions, groundings, or other hazardous incidents.

Cyber attackers may target the maritime industry to steal sensitive data, leading to identity theft, cargo theft, or other security vulnerabilities. Malware infections on critical shipboard systems can disrupt vessel operations, communication, and navigation, affecting the overall safety of the crew and the ship. Phishing is a common method used to trick crew members or personnel into revealing sensitive information or credentials.

In a two-part feature article, Industrial Cyber reached out to experts in the maritime cybersecurity sector to discuss the types of cybersecurity threats faced by vessels in the maritime industry. Additionally, they address the impact of integrating IT and OT on the cybersecurity posture of shipowners, as well as how the increasing digitization and connectivity in the maritime industry affect cybersecurity.

Andrew Clarke, technical officer in IMO’s Maritime Safety Division

“Greater reliance on digitization, integration, automation, and network-based systems has created an increasing need for cyber risk management in the shipping industry,” Andrew Clarke, technical officer in the International Maritime Organization (IMO) Maritime Safety Division, told Industrial Cyber. “For example, from 1 January 2024, it will be compulsory for ports around the world to operate Maritime Single Windows (MSWs) for the electronic exchange of information required on ships’ arrival at a port, their stay, and their departure. This mandatory change follows the adoption by IMO’s Facilitation Committee of amendments to the FAL Convention.”    

Clarke identified that vulnerable systems could include: bridge systems; cargo handling and management systems; propulsion and machinery management and power control systems; access control systems; passenger servicing and management systems; passenger-facing public networks; administrative and crew welfare systems; and communication systems. 

“If operational and/or information technology vulnerabilities are exposed or exploited, there can be implications for safety, particularly where critical systems (e.g., bridge navigation or main propulsion systems) are compromised,” he added.

Svante Einarsson, head of cyber security maritime at DNV

The most common threat onboard vessels today is ‘untargeted’ ransomware attacks that typically hit the IT network handling business administration, such as email communication, planned maintenance, and customs/port state approvals, Svante Einarsson, head of cyber security maritime at DNV, told Industrial Cyber.

“In some cases, the threat spreads into the operational technology (OT) network of the vessel making critical control systems unavailable, such as ballast water, cargo control, and power management,” Einarsson detailed. “A second common threat is directed towards the GPS receivers of the vessels which can manipulate displayed location of the vessel on the automatic identification system (AIS) and Electronic Chart Display and Information System (ECDIS), which could cause navigational challenges and potentially lead to a collision.”

Einarsson added that a growing roll call of malicious and inadvertent threat actors is targeting maritime companies’ IT and OT networks. “Their specific methods vary, comprising everything from phishing tactics that trick employees into downloading malware to collaborating with insiders with access to restricted networks. Whether they are nation states attacking critical infrastructure, criminal gangs looking for ransom pay-outs, or politically motivated hacktivists using tools from the dark web, a growing number of threat actors are targeting IT and OT systems as a way to achieve their goals.”

Until relatively recently, operational systems, particularly aboard vessels, were not connected to wider IT environments, meaning that OT was protected by an air gap that insulated it from connected networks, Einarsson said. “This air gap is now closing as industry assets and infrastructure become more networked and connected. Attacks on IT environments can and do disrupt normal shipping operations, but it is through direct attacks on OT that the greatest threat to physical safety and infrastructure becomes possible.”

He added that as the frequency of cyber-attacks on OT and IT grows, and as regulatory requirements around cyber become more exacting in response to heightened awareness of the threat, maritime leaders are taking steps to strengthen their security posture. 

“Digital and connected technologies are enabling a greener, safer and more efficient global shipping network. With these advances, maritime businesses face a choice between connecting their assets and infrastructure at pace or potentially underperforming relative to their peers on several key metrics,” Einarsson pointed out. “However, simply put, the more connections that a system has, the likelier it is that a breach will occur. And when it does occur, the breach spreads further, wider, and quicker than ever before,” he added.

More specifically, newer vessels are getting remote connectivity to extract performance monitoring data or execute remote maintenance and software updates, Einarsson observed. “Sometimes, this is centrally managed by the ship manager, but sometimes it is managed individually by system vendors, connecting the vessel’s systems to third parties. Older vessels are also affected as systems are upgraded or new systems are installed with remote connectivity, passing via the IT network to the outside world. A good example of this is so-called scrubbers that clean exhaust gases to reduce pollution on older vessels with existing engines.”

Rick Tiene, vice president of smart cities, government, and critical infrastructure for Mission Secure

Rick Tiene, vice president of smart cities, government, and critical infrastructure for Mission Secure, said that oceangoing vessels are filled with critical systems that are vulnerable to cyber attack even if the shipboard systems are rarely or never connected to the internet.

“There are many other creative ways that viruses can be introduced, but of course, vessels are becoming more connected every day,” Tiene told Industrial Cyber. “Bridge controls, propulsion systems, navigation systems, loading and stability systems – a compromise to any one of these creates potential safety and environmental hazards, in addition to putting hundreds of millions of dollars’ worth of investment at risk.”

“As maritime vessels become more and more digitalized, they also become more lucrative targets for cyber attacks, and indeed, we see an exponential increase in cyber attacks on vessels,” Nir Ayalon, CEO of Cydome, told Industrial Cyber. 

Nir Ayalon, CEO of Cydome

However, from a cyber security perspective, Ayalon pointed out that protecting a vessel is a challenge on several levels. “Many vessels still contain many legacy systems that are hard to replace. We’re talking about things like critical ship infrastructure running on legacy OS that is ‘end of life’ from the software vendor perspective but has well-known vulnerabilities; maritime devices (IT, OT, and communications) have unique characteristics and operational patterns that are not covered by standard cyber protection solutions – their usage behavior is very different to that of an office environment.” 

Ayalon added that another challenge is that for a long time, maritime communication had very low bandwidth, while recently (especially with the introduction of Starlink), the bandwidth available at sea has become much greater and cheaper, driving more externally connected activity than before (both IT and OT). “And finally, maritime regulation is now imposing many specific cyber protection demands on ship owners that need their cyber solutions to help manage the compliance aspect as well.”

The executives discuss how cyber attackers exploit the systems of ships and maritime companies. They also delve into the impact of ransomware threats, rising geopolitical tensions, and how they have affected the cybersecurity landscape in the maritime industry.


“Typically, ransomware attacks are untargeted. Such attacks have halted operations of vessels during both uncritical situations, such as on the open sea, as well as in critical situations, such as in highly trafficked areas like ports and channels,” Einarsson said. “Manual operation is possible as an alternative but time-consuming and if multiple systems are down at the same time, this can put the vessel at elevated risk as manpower is not sufficient and communication is slow.”

He added that prominent ransomware attacks and geopolitics have significantly raised awareness of the threats of cyber-attacks in the maritime industry. “On geopolitics, we can look to DNV’s recent Maritime Cyber Priority research. Two-thirds of the 800 maritime professionals we surveyed believe Russia’s invasion of Ukraine has made the industry more sensitive to the threat of cyber security incidents than it was before.”

Einarsson also said that in response, system vendors are improving their systems such as building in security and safety measures to protect against cyber-attacks and to detect if an attack is ongoing. An example here is GPS receivers being equipped with spoofing detection and notification.

“Regulation is another factor that is changing the maritime cybersecurity landscape. Some vessels, such as floating storage regasification units (FSRUs), are already considered part of Europe’s critical infrastructure as they are needed to handle the import of liquefied natural gas into the EU,” according to Einarsson. “As critical infrastructure, these vessels will need to comply with NIS and upcoming NIS2 regulations.”

“The basic attack vectors are the same we see in other industrial environments—default credentials, open ports, and insecure protocols, for example,” Tiene said. “But maritime operators are also vulnerable to unique threats, like attempts to block or spoof positioning signals. And even a simple ransomware attack, which on land would have purely financial consequences, has the potential to put lives at risk by disabling a vessel at sea.”

Ayalon said that looking back on the past year, “we see a significant increase in the number of cyber attacks on maritime companies and maritime vessels. In parallel, the attacks are getting more severe as well.” 

“For example, after several months of multiple DDoS incidents, we now see highly sophisticated and targeted ransomware attempts – and in the case of the port of Nagoya recently, that caused a complete halt of operation for three days in Toyota’s global export gateway,” according to Ayalon. “This is a sophisticated attack, and we also see many hacking attempts targeting legacy systems, as well as trying to manipulate the human factor with phishing attacks that are getting more and more sophisticated.” 

He added that unfortunately, with new AI tools and even ChatGPT, malicious players can more easily automate their human-focused attacks with much higher quality. “So if in the past you’d see phishing emails that were obviously nonsense, current phishing scams can take two or even three looks to be recognized as such.”

The executives analyzed the role of human error in maritime cybersecurity when it comes to dealing with vessels and how proper crew training can mitigate this risk.

“It is important to mitigate against and prevent human errors when it comes to both cyber and non-cyber related security threats,” Clarke said. “IMO offers a number of in-person and virtual security training courses for maritime authorities, security officers (company security officers, ship security officers, and port facility security officers), and security staff, as well as security awareness courses for seafarers and port facility personnel.” 

He added that these courses include threat identification, recognition, and response. Cyber attacks are among the threats covered. “IMO is in the process of developing new training courses specifically designed to improve cyber security for ships and port facilities.”

Einarsson said that the “crew is the first and last line of defence on board vessels today. They are unfortunately sometimes the reason why a ransomware attack is enabled onboard the vessel, but they are also able to handle incidents independent of onboard control systems.”

He added that the crew need extensive training on how to recognize a cyber-attack. “On the OT network/system side, most vessels are not equipped with threat detection, and the only way to notice that something is wrong is through the vigilance of the crew. They also need training on how to handle cyber incidents in the best possible manner. Crew also needs training on Do’s and Don’ts in order to reduce incidents from happening.”

Cydome’s Ayalon said that “in cybersecurity in general, and that’s also our experience within the maritime industry, the most important security measure is employee knowledge and training.” 

“Our digitized work environment, where we need to process so much more information that flows in many more channels, creates an attention deficit that attackers can easily exploit,” according to Ayalon. “And now, with the recent advances in generative AI, even “simple” phishing attacks become much more believable and hard to detect. Still, the combination of proper training that is specific to the maritime environment, together with cyber protection solutions that focus on usability, can be very effective at protecting vessels, their crew, and the cargo,” he concluded.

Be sure to catch the next part of this feature, scheduled to be published on Monday. It will delve into the latest guidelines released by the IMO for maritime cybersecurity and how maritime asset owners and operators have been able to meet these guidelines in terms of risk management around vessels. It also discusses common flaws in maritime cybersecurity that increase vessels’ vulnerability to cyber attacks.
