Navigating rising storm of maritime cyber threats, as cyber adversaries strike port systems and networks

The escalating frequency of cyberattacks on port systems and networks has become a major concern, causing significant operational disruptions and widespread supply chain ramifications. These cyber adversaries exploit vulnerabilities in digital infrastructure, often targeting critical operational components such as container tracking, cargo handling, and communication systems. Additionally, the interconnected nature of global supply chains amplifies the impact, affecting industries far beyond maritime operations.

Ports, as essential hubs in the supply chain, face growing pressure to fortify their cybersecurity defenses. Collaboration among port authorities, government agencies, shipping companies, and cybersecurity experts is essential to develop comprehensive strategies for threat prevention, incident response, and system resilience. Proactive measures, continuous monitoring, and investments in cybersecurity technologies are crucial to counter this evolving threat landscape and to keep port operations and global commerce functioning smoothly.

Industrial Cyber reached out to cybersecurity experts to discuss the key cybersecurity threats faced by port maritime systems and networks today. They also shed light on how cybercriminals have changed their attack tactics to exploit vulnerabilities in port maritime systems and networks, providing some notable examples of successful attacks in this sector.

Mike Spear, global operations senior director, Honeywell OT Cybersecurity

The United Nations’ International Maritime Organization (IMO) estimates that more than 90 percent of world trade is carried by shipping, and because of that, maritime has become a high-profile target, Mike Spear, global operations senior director, Honeywell OT Cybersecurity, told Industrial Cyber. “Many of the OT threats involve similar ones that we see in industrial operations such as malware.” 

Spear added that many of these cybercriminals are taking malware designed for targeting industrial control systems and using it to attack assets in maritime facilities. “A notable example of a maritime attack was the NotPetya malware attack in 2017 which hit shipping company Maersk, FedEx, and others. Although that incident targeted IT systems, it caused more than $10 billion in damages.”

Marco Ayala, director and ICS cybersecurity section lead with 1898 & Co., part of Burns & McDonnell, identified that port maritime systems and networks face cybersecurity threats such as cyber-physical attacks, ransomware, phishing, unsecured IoT devices, supply chain attacks, insider threats, outdated software, weak authentication, data breaches, and nation-state cyber espionage.

Marco Ayala, director and ICS cybersecurity section lead with 1898 & Co.

“Cybercriminals are casting wider nets including third-party service companies such as integrators and vendors,” Ayala told Industrial Cyber. “While this isn’t anything new as a tactic, the matter of fact is that more and more maritime domain companies are specifically being targeted by the use of business email compromise directed to specific users, sometimes posing as vessel operators or federal regulatory entities. The threats come in the form of credential harvesting, vulnerable connected systems, and specific shipping applications and crane technology.”

He cited that in August of 2021, Port Houston quickly identified an attempted intrusion into their business systems and was able to isolate the system while working with their security vendors and local federal agencies. 

“The attempt used what is known as a zero-day exploit which is an undocumented or publicly known vulnerability in software and hardware in which detection algorithms or patches do not exist for the vulnerability,” according to Ayala. “It is very important to note that Port Houston was lucky that they took the anomaly they had and questioned it while confirming and escalating, then pulling the plug on the adversary’s attempt.”

As another example, he pointed to the Maersk cyber disruption of June 2017, when the NotPetya malware attacked A.P. Moller-Maersk, causing widespread disruption to their global operations and supply chains.

Blake Benson, senior director for cybersecurity practice lead at ABS Group

“Threats are a tricky subject to talk about when we’re discussing port infrastructure. The reason for this is because both environments (digital and physical) are incredibly diverse at any given port,” Blake Benson, senior director for cybersecurity practice lead at ABS Group, told Industrial Cyber. “Furthermore, it’s difficult to compare ports to ports because they inherently have different functions, based on their purpose and geographic locations.” 

He added that since these ports have different functions, the components and ‘systems of systems’ environment that carry out safety-critical functions or operations may vary from port to port, even if they share commonalities with similar port types across the globe. 

“So the threats that are applicable to the OT landscape at ports depend on what critical infrastructure sectors are being represented there,” Benson highlighted. “Recently you might have seen the report on federal security concerns related to ship-to-shore cranes manufactured in China that are in use at several US ports (a good example of a threat that may disproportionately impact ports that have large container loading/unloading operations).”

Michael DeVolld, a maritime Business Information Security Officer (BISO) for Royal Caribbean Group

In the ever-evolving digital landscape, the maritime sector faces an escalating array of cybersecurity threats, Michael DeVolld, a maritime Business Information Security Officer (BISO) for Royal Caribbean Group, told Industrial Cyber. “As port facilities and shipping vessels become increasingly interconnected, the risk of cyber incidents continues to grow.” 

DeVolld pointed to some key cybersecurity threats based on recent data. These include ransomware attacks, targeting of specific industries, Internet of Things (IoT) and cloud technology, while automation and artificial intelligence (AI) advances in port operations can create new vulnerabilities by increasing the opportunities for adversaries to access sensitive systems.

“Cybercriminals are continually refining their attack tactics to exploit vulnerabilities in port maritime systems and networks. As technology advances and connectivity increases, the maritime sector faces an ever-growing threat landscape,” he added.

Addressing some recent changes in attack tactics, DeVolld pointed to targeting backup systems, sophisticated spear-phishing campaigns, and centralization of software and managed service providers (MSPs). 

He added that cybercriminals continually adapt their attack tactics to exploit vulnerabilities in the maritime sector’s systems and networks. “Spear phishing, multi-stage attacks, and Ransomware-as-a-Service have become prominent strategies. The maritime industry must remain vigilant and continuously enhance its cybersecurity measures to thwart these evolving threats. Learning from notable past attacks and sharing threat intelligence across the sector can help improve overall cyber risk management and safeguard critical maritime operations.”

The executives address the challenges faced by port authorities and maritime organizations in effectively securing their networks and infrastructure from cyber threats. They also look into the role of advancements in technology, such as IoT and automation, in increasing the vulnerability of port maritime systems to cyberattacks.

“One challenge is that you have a lot of different systems used onboard ships and at the ports. It’s often a blend of OT and IT systems with varying methods of connectivity,” Spear commented. “At the same time, we have increasing automation and digitalization that have made ports and maritime organizations more vulnerable to malware specifically designed for OT systems. Many of the OT systems are legacy systems that may be infrequently updated and poorly secured.” 

Spear pointed out that even worse, sometimes these systems are interconnected to logistics companies, port authorities, and others, so one weak link can cause a lot of chaos. “The biggest challenge is securing all assets which may lack proper segmentation and architecture or effective security controls.”

Ayala highlighted that some of the challenges faced by maritime ports to date have been, first, lean staff resources specific to cybersecurity in both enterprise and operations and, second, funding for cybersecurity technology, from design and implementation to run and maintenance. “Historically speaking most security budget or federal grant money prior to NVIC 01-20 went to physical security technology and resources. Thankfully, since early 2020 when the US Coast Guard added ‘cyber’ to MTSA 33CFR 105 and 106, grants have been received for cybersecurity and have been implemented or are in process.”

“I truly believe that the maritime ports have grasped the concept that critical digital systems they rely on and enable their operations not only need to be risk assessed but that fixing digital problems with digital fixes only transfers vulnerabilities and risk,” according to Ayala. “New Cyber-informed Engineering (CIE) design for maritime ports has shifted a ‘rethink’ of new system design and migrations to design more resilient cyber systems.”

Benson identified that this trend isn’t limited to port environments; it applies to the entire landscape of OT for the most part, minus a few distinct operations which aren’t candidates for increased integration. “The rapid (somewhat forced, either by business optimization use cases or external drivers like clean energy initiatives) integration of previously discrete systems and components with IT business networks and systems or IIoT sensors and devices is certainly a contributing factor to risk.” 

He added that the same problems that exist in other sectors exist in the Maritime Transportation System (MTS) as well, such as a lack of trained staff who understand OT risks in the environment, but some problems are magnified in the port environment due to the number of stakeholders represented at any given port. 

DeVolld said that securing port authorities and maritime organizations against cyber threats presents a complex and ever-evolving challenge. “The maritime sector’s interconnectedness, reliance on technology, and diverse stakeholders create a unique cybersecurity landscape.”

Some of the challenges in securing networks and infrastructure identified by DeVolld include timely information sharing, increased targeting, transition to cloud-based solutions, assessment and hardening, expanded attack surface, insecure IoT devices, lack of standardization, increased dependency on connectivity, insider threats amplification, cyber-physical risks, and supply chain complexity. 

“Advancements in technology, particularly IoT and automation, have undeniably brought transformative changes to the maritime sector,” DeVolld observed. “However, these developments have also amplified the vulnerability of port maritime systems to cyberattacks. The expanded attack surface, insecure IoT devices, lack of standardization, increased connectivity dependency, insider threat amplification, cyber-physical risks, and supply chain complexities are pressing concerns that port authorities and maritime organizations are challenged to address.”

The executives analyze how port maritime organizations collaborate with government agencies, industry partners, and cybersecurity vendors to enhance their cybersecurity posture. They also outline the latest regulatory and compliance requirements that are specific to port maritime cybersecurity. Additionally, they offer guidance on how organizations can ensure adherence to these standards.

Ayala said that maritime port and marine terminal operators collaborate monthly at, for example, a joint Area Maritime Security Committee (AMSC) and InfraGard cross-sector council that has direct collaboration with numerous federal partners. He added that around the world many other industry organizations have a connection to their governments’ cybersecurity resources and also cross-coordinate with U.S. federal agencies as a global effort.

Benson said that “there’s a large roster of regulatory players and stakeholders responsible for various elements of security within a port environment, and generally speaking many of these authorities were established and delegated on the heels of 9/11 to combat terrorism and protect critical infrastructure from physical attacks.” 

“The Maritime Security Transportation Act of 2002 (MTSA) requires port authorities and ship owners/operators to enact security measures to protect against terrorism,” according to Benson. “The Department of Homeland Security (DHS) does have a designated sector risk management agency assigned to support sector-specific risk management, lead sector coordination, facilitate information and intelligence sharing, support incident management, and contributes to emergency preparedness efforts—but DHS delegates SMRA duties for the MTS to the U.S. Coast Guard (USCG).” 

Benson added that the federal interagency coordinating committee for the MTS is the US Committee on the Maritime Transportation System within DOT, which was established as part of the Coast Guard and Maritime Transportation Act of 2012. “In more recent memory, the USCG put out facility guidelines as part of NVIC 01-20 which had cyber elements required as part of the Facility Security Assessment and Facility Security Plans in 2020.”

“The Trump Administration also put out the National Maritime Cybersecurity Strategy in 2020, which was an effort to try and encourage more collaboration between federal and industry stakeholders to manage cyber risk in the sector,” Benson commented. 

He also pointed to a Cyberspace Solarium Commission (CSC) 2.0 report on Maritime Safety that highlights many of these efforts and is more comprehensive on federal initiatives. “The big ‘nonfederal’ drivers in the space have been mostly vessel-centric, things like the new International Association of Classification Societies (IACS) requirements (IACS UR26/27 and 22), the International Maritime Organization (IMO) 2021 and 2023 guidance.” 

“The USCG also put out a work instruction (CVC-WI-027) for marine inspectors to be able to evaluate US flagged vessels for compliance with IMO 2021 guidelines, which requires shipowners to include cyber as part of their safety management system,” according to Benson. “Area Maritime Security Committees are another vital point of collaboration between industry and federal stakeholders and the MTS-ISAC is probably the most recognized industry-centric entity responsible for promoting the safety and security of maritime transportation by providing approaches and analysis to better understand and define risk, including cyber, to the various industry stakeholders.”

“In the face of growing cyber threats, port maritime organizations recognize the importance of collaborative efforts to bolster their cybersecurity posture,” according to DeVolld. “Cooperation with government agencies, industry partners, and cybersecurity vendors is essential for sharing knowledge, threat intelligence, and best practices.”  

He identified some of the key ways to collaborate, including information sharing, engagement with Coast Guard Cyber Command (CGCYBER), collective deterrence and response, third-party vendor considerations, increased collaboration between government and industry to face cyber threats head-on, collaboration with industry associations, joint training and exercises, cybersecurity vendor partnerships, participation in cybersecurity conferences and workshops, and regulatory compliance initiatives.

DeVolld added that as cyber threats continue to evolve, regulatory bodies have taken steps to strengthen cybersecurity measures in the port maritime sector. “Adherence to these standards is crucial for safeguarding critical infrastructure and maintaining the integrity of port operations.”  

He identified regulatory requirements as the Maritime Transportation Security Act (MTSA) of 2002, 33 Code of Federal Regulations parts 105 and 106, and Navigation and Vessel Inspection Circular (NVIC) 01-20.

Addressing compliance requirements, DeVolld listed Cyber Annex for regulated port facilities and facility security plan (FSP) renewal, as the existing FSP is valid for five years and audited annually. He pointed out that cybersecurity vulnerabilities can be addressed as part of the renewal process.

When it comes to ensuring adherence to standards, DeVolld pointed to a Cybersecurity Officer (CySO), defining cybersecurity vulnerabilities and protections, mapping physical security vulnerabilities to cybersecurity vulnerabilities, collaboration between FSO and CySO, and understanding IT and OT systems. He also covered regular compliance audits, internal policies and procedures, training and awareness programs, incident response planning, third-party assessments, and continuous improvement.

DeVolld added that the regulatory landscape for port maritime cybersecurity continues to evolve to combat the ever-changing cyber threat landscape. “Adhering to the latest regulatory and compliance requirements is crucial for port maritime organizations to protect their critical infrastructure and operations.”

The executives also address how cybersecurity awareness training and education have become crucial in preventing cyberattacks within the port maritime sector.

Spear said that cybersecurity training is as critical for maritime personnel as it is for, let’s say, employees in an oil and gas facility. “Training supplements the Facility Security Plan (FSP) in identifying and accessing cybersecurity vulnerabilities at facilities. Training should focus on educating personnel on how to avoid cyber malware, phishing and more.” 

He added that the U.S. CISA (Cybersecurity and Infrastructure Security Agency) offers web-based and instructor-led ICS (industrial control systems) training, which is really good across industries. “Many of those same principles may not only help personnel better identify and avoid potential threats to their assets and infrastructure but also educate them on how to respond when an event is suspected in order to reduce loss and propagation.”

Ayala identified that maritime-specific cybersecurity awareness and training have been of big benefit to port operators. “Having trained a large amount focused on maritime security it is beneficial to have the right approach and training syllabus.”

Benson said that “it is the single most valuable tool the MTS has. Experts in this space are a phenomenal resource and it’s why the USCG is focused on workforce development to better address evolving threats and risks (like cyber) in this space.” 

“The USCG has been developing operational cyber teams (commonly called Cyber Protection Teams in the other uniformed services) as part of that, which will be a critical resource now and into the future, including additional new rates and positions specific to cyber,” according to Benson. “Awareness and training are everything in this space and it takes everyone from the MTS-ISAC all the way to risk management firms like ABS Group to pitch in and help share knowledge and approaches to help protect some of the most critical environments to our national security.”

With the port maritime sector becoming increasingly interconnected and digitized, the role of cybersecurity awareness training and education has become indispensable in preventing cyberattacks. As cyber threats continue to evolve, human error remains a significant vulnerability, DeVolld said. “Cybersecurity awareness training and education is essential to help fortify the port maritime sector’s defenses against cyberattacks.”

He also pointed to recognizing social engineering attacks, understanding the cyber threat landscape, mitigating insider threats, securing the use of IoT and automation, reporting cyber incidents promptly, promoting a cybersecurity culture, compliance with regulations and standards, and reducing downtime and financial losses.

“As the port maritime sector embraces digital transformation, the role of cybersecurity awareness training and education has become crucial in preventing cyberattacks,” according to DeVolld. “Equipped with the knowledge of recognizing social engineering attacks, understanding the threat landscape, mitigating insider threats, securing IoT and automation, and promoting a cybersecurity culture, employees become a valuable line of defense against cyber threats.” 

He concluded that by investing in comprehensive cybersecurity awareness programs, the sector can enhance its cyber resilience and safeguard critical infrastructure, ensuring the continued safety and integrity of port operations.