Port and maritime operations are critical to the stability of the global supply chain and the global economy. When terminals cannot move cargo, the costs can escalate. When shipping giant Maersk fell victim to NotPetya malware in 2017, the costs were estimated at between $200 and $300 million. Should we call the Maersk attack an operational technology (OT)-level attack or an information technology (IT)-level attack?
Since the systems affected were controlling the flow of vessels and freight around the world, these can be classified as OT-level supervisory type systems. The line between IT and OT level assets is also blurring with the continued introduction of Internet of Things (IoT) technologies at the operational level. “IT level attacks” will often have consequences at the operational level, as we witnessed with the shutdown of the Colonial Pipeline network when the company lost visibility into its billing and accounting systems.
Maritime and port cybersecurity has not received the same level of attention that other industry sectors have, even though the sector has already fallen victim to attacks that have brought supply chains to a halt. The situation is changing, however, and cybersecurity is starting to generate the attention it deserves thanks to new standards and guidelines and an increased focus on the part of certifying bodies like DNV GL, Lloyd’s Register and TÜV Rheinland.
More standards and guidelines are being developed specifically for maritime and port sector cybersecurity. Many operators and end users will have to make changes to their cybersecurity posture and develop stronger, risk-based cybersecurity approaches. Maritime cybersecurity organizations must incorporate the requirements of operations, while adopting the same technologies and even cybersecurity practices from the IT domain.
OT cybersecurity vulnerabilities abound in ports and maritime
Numerous cybersecurity vulnerabilities exist in the maritime transportation system (MTS) when it comes to OT level technologies, products, and systems, from cranes and container management systems to fuel terminals, shipboard controls, navigation systems, buoys, HVAC controls, and more. These vulnerabilities are becoming more numerous due to the new generation of IoT-enabled devices and systems.
A huge range of connected assets now exists, from cargo movement systems found in cranes to intelligent pumps, positioning, navigation, and timing (PNT) systems, and vessels. These are not always installed with cybersecurity in mind. Many ports and facilities also do not have sufficient personnel to manage cybersecurity for the overall port or facility. Staff responsible for cybersecurity may have IT experience but be unfamiliar with OT level systems, networks and assets.
Like the manufacturing sector, the port and maritime sector should properly segment its critical OT level assets and network infrastructure and follow a defense-in-depth model. This does not always happen, and the sector has embraced few regulations or standards that enforce good cybersecurity lifecycle management at the OT level.
Maritime transportation system attacks are increasing
Attacks on the maritime transportation system (MTS) have increased in the past couple of years, in no small part due to the COVID pandemic and the ensuing wave of remote workers, border closures, and supply chain issues. According to a July 2020 report by Israeli cybersecurity firm Naval Dome, “cyberattacks on the maritime industry’s operational technology (OT) systems have increased by 900 percent over the last three years, with the number of reported incidents set to reach record volumes by year end.” The UN International Maritime Organization, which is the primary worldwide governing body of the MTS, was itself the target of a cyberattack in September of 2020, disrupting the organization’s web site and other web-based services.
At least part of the reason is increased reliance on remote monitoring and maintenance of assets that were previously unconnected. Border closures and social distancing mandates have required the increased use of remote technologies to monitor, diagnose, repair, and update assets, systems, and applications.
A complex web of systems
MTS is not only focused on shipping containers, either. LNG carriers, oil tankers, and the offshore oil and gas sector all participate in the MTS supply chain. The MTS supply chain is very complex with many different stakeholders and many potential points of failure.
MTS also straddles the world of defense and private enterprise. In the US, for example, the Coast Guard is charged with protecting all shipping, and that includes issuing recommendations on maritime cybersecurity. Other organizations like the International Maritime Organization (IMO) issue recommendations and best practices. NIST CSF and CISA provide numerous resources for maritime applications. There are lots of guidelines, frameworks, and recommendations, but real prescriptive standards and regulations have been lacking.
IMO cybersecurity guidelines
That recently changed with the latest edition of the IMO’s International Safety Management (ISM) Code, which incorporates many aspects of maritime cybersecurity, including risk management and adoption of a risk-based approach to cybersecurity. The new ISM Code “requires ship owners and managers to assess cyber risk and implement relevant measures across all functions of their safety management system, until the first Document of Compliance after 1 January 2021.” These regulations affect all owners and operators of commercial vessels engaged in international trade.
The IMO has been addressing cybersecurity since 2017 when it adopted Resolution MSC.429: Maritime Cyber Risk Management in Safety Management Systems. The resolution states cyber risk should be addressed as part of any safety management plan that addresses risks to people, cargo, or the environment. More importantly, the resolution stated countries should address the requirement no later than January of 2021. IMO’s own guidelines for cyber risk management specify guidance for a variety of systems, including:
- Bridge systems
- Cargo handling and management systems
- Propulsion and machinery management and power control systems
- Access control systems
- Passenger servicing and management systems
- Passenger facing public networks
- Administrative and crew welfare systems
- Communication systems.
BIMCO cybersecurity guidelines onboard ships
The Baltic and International Maritime Council (BIMCO) is another large international shipping association that has embraced a standard framework for cybersecurity in maritime applications. Today, BIMCO’s Guidelines for Cyber Security Onboard Ships is in its fourth version and covers issues such as risk-based approaches, authentication, access management, incident response plans, data protection, and management of ship to shore communications, among other things.
U.S. government’s efforts in maritime cybersecurity
The US government released the National Maritime Cybersecurity Plan (NMCP) in December of 2020. The report is divided into functional sections, including Risks and Standards, Information and Intelligence Sharing, and Creation of a Maritime Cybersecurity Workforce. Each of these sections contains several priority actions that must be taken. Written in the wake of the NotPetya attacks, the National Maritime Cybersecurity Plan called for, among other things, assessments to be conducted at ports by DHS or the US Coast Guard, as well as expanded intelligence and information sharing. In the wake of COVID, however, it is unclear how much of what is outlined in the NMCP has actually been done.
U.S. Coast Guard cyber strategic outlook
The concepts and actions outlined in the NMCP seemed to gel some more in August of 2021 when the US Coast Guard published its Cyber Strategic Outlook. Protecting marine transportation is one of the primary responsibilities of the USCG, and cybersecurity of OT level systems is a natural extension of this mission. From the report:
“As part of the effort to protect the MTS, Coast Guard Cyber Command has created Cyber Protection Teams and the Maritime Cyber Readiness Branch as detailed in the Cyber Strategic Outlook released on August 3, 2021. Additionally, the Coast Guard is in the process of hiring 40 individuals as Marine Transportation System Specialists (MTSS)-Cybersecurity, to further aid in the coordination of efforts at our Area, District, and Sector/Marine Safety Unit Commands to strengthen the MTS against cybersecurity attacks.”
As part of the document, the “Coast Guard strongly encourages vessels and facilities operating in the MTS to take prompt action in the following areas:
- Review controls protecting Operational Technology.
- Closely monitor network and system logs for any signs of unusual activity.
- Review incident response plans, security plans, business continuity plans, and disaster recovery plans.
After reviewing these plans, with the context of these recently identified threats, implement increased security measures to mitigate any identified vulnerabilities.”
Cybersecurity recommendations and best practices
While all these efforts to increase cybersecurity for the maritime transportation system should be lauded, the overall industry would benefit from increased training and awareness in cybersecurity at the OT level. Many of the existing standards and guidance for marine applications are not comprehensive enough when it comes to the OT requirements of maritime transportation, and better guidance needs to be given to end users about how to deploy the technologies, processes, and procedures required to achieve a resilient cybersecurity posture specifically for operations. Suppliers of systems, software, and devices to the maritime sector also must develop products and applications that offer more security, and there are not many options for selecting products that have been tested to a certain standard in the maritime industry.
Most of the guidelines referenced here are just that – guidelines. There is no single standard for cybersecurity in maritime operations today. Companies like DNV GL and Lloyd’s Register will evaluate the compliance of ships and of end users/owner-operators with these guidelines, and most of the industry is following these guidelines voluntarily. The situation is similar to that in the chemical and oil and gas industries, which have standards like ISA/IEC 62443. The 62443 standard is quite comprehensive when it comes to applying cybersecurity to OT environments, and the MTS sector could benefit from more involvement with the 62443 standards organization.