The maritime sector is on the verge of a digital disruption. As the digital transformation of the maritime sector gathers momentum, with a major impact on operations and existing business models, the threat of cyber attacks is emerging at the same time. Further, the sector’s infrastructure will be exposed to more and more cyber vulnerabilities with the drive towards autonomous ships.
The United States Coast Guard sent out two security alerts in 2019, highlighting a problem with the cybersecurity practices aboard commercial sea vessels. The Coast Guard described the malware distributed by this malspam campaign as “malicious software designed to disrupt shipboard computer systems.” A report published in December 2018 by a conglomerate of 21 international shipping associations and industry groups highlighted a plethora of cyber-security problems aboard ships, where investigators found ransomware, USB malware, and worms on numerous occasions.
The international shipping industry carries around 90 percent of world trade. At any given time, about 50 000 ships are at sea or in port. The maritime industry is highly exposed to cyberattacks and threats that may have severe financial and reputational repercussions. Globally, almost 17 million cyberattacks occur every week. In 2018, cybercrime was estimated to cost around $600 billion globally.
An internal US Navy review concluded that the service and its various industry partners are “under cyber siege” from Chinese hackers who are building Beijing’s military capabilities while eroding the US’s advantage, The Wall Street Journal reported in March 2019. Chinese hackers have repeatedly hit the Navy, defense contractors, and even universities that partner with the service. “We are under siege,” a senior Navy official told The Journal. “People think it’s much like a deadly virus – if we don’t do anything, we could die.”
Breaches have been “numerous,” according to the review. While China is identified as the primary threat, hackers from Russia and Iran have also been causing their share of trouble. The US Navy considers that it faces threats from adversary nations like Russia, China, Iran, and North Korea, which have developed significant information warfare capabilities and are interested in exploiting the Navy’s networks to conduct espionage operations, either by stealing information and technical data on fleet operations or by preventing the Navy from taking advantage. Earlier in 2019 the Journal reported that Chinese hackers have targeted more than two dozen universities in the US and elsewhere in an attempt to steal military secrets, particularly those related to maritime technology.
Secretary of the Navy Richard Spencer launched the recently concluded review in October, warning that “attacks on our networks are not new, but attempts to steal critical information are increasing in both severity and sophistication.” “We must act decisively to fully understand both the nature of these attacks and how to prevent further loss of vital military information,” he added.
Cyber warfare has moved to the maritime domain. “The risk of cyber attacks against our ships and submarines is as real a threat as traditional weapons such as rockets, missiles and torpedoes,” the Royal Navy says. Navies around the world are now developing new cyber security measures and technologies and carrying out exercises to test the operational effectiveness of warships, submarines and Marines in responding to cyber incidents that may unfold during a real-life crisis.
Players in the shipping industry need to identify the greatest cyber risks and address them in the most cost-effective way. This calls for scalable and data-driven solutions to automatically manage, detect and address risks in a consistent and transparent way.
IMO has issued MSC-FAL.1/Circ.3 Guidelines on maritime cyber risk management. The guidelines provide high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyber threats and vulnerabilities and include functional elements that support effective cyber risk management.
Cyber Threats in the Maritime Domain
Offensive actors understand the naval reliance on communications, ISR, and visualization technologies, and perceive them as vulnerable to disruption and exploitation. The cyber threats that naval forces continue to face stem from individuals, crime, NGOs, intelligence, national and international actors seeking to probe naval networks for vulnerabilities that can be exploited to their own ends.
A wide range of methods exist for those who seek to target maritime vessels, including: extortion/ransomware for allowing the vessel to restore operations; digital piracy by shutting down the vessel; espionage for obtaining sensitive information that can be used by competition; defamation/litigation by causing ISPS Code non-compliance, delaying the vessel or causing disruption; terrorism causing vessel collision or hazard to ports and other ships; and activism for conveying a message.
Cruise ships could be sunk by cyber terrorists, official Government guidance has warned in a drive to improve protections from online attacks. Vessels could be vulnerable to “kidnap, piracy, fraud [and] theft of cargo” if their computer systems are compromised, the Transport Department said. At worst a cyber-hack could result in “risk to life and/or the loss of the ship”, the industry was also told.
The concern is that hackers could distort mapping equipment or the ship’s controls, causing it to hit another vessel or run aground. The dire warnings were made in a “Cyber Security for Ships” code of practice, written by the Institution of Engineering and Technology and distributed by Whitehall.
Another cyber threat is spoofing and jamming attacks on position, navigation, and timing (PNT) systems that depend on the Global Positioning System (GPS) satellite constellation. GPS spoofing, which attempts to manipulate a GPS receiver by broadcasting counterfeit signals, remains the most likely attack method due to its simplicity. This form of attack involves overpowering the receiver by broadcasting signals that are synchronized with the legitimate signals it detects, thereby forcing the GPS receiver to provide false information.
In July 2017 the US Maritime Administration reported an incident in which at least 20 Russian ships appeared on trackers to be in the same spot 20 miles (32 kilometres) inland, despite being at various positions in the Black Sea. While this initially appeared to be a glitch, experts now suggest that Russia may have been testing a new system for spoofing GPS.
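A defensive plausibility check for the kind of anomaly described above, as an added example that is not from the original article: it flags vessels whose reported position jumps faster than a ship can sail and which then share one spot with other vessels. The report format, thresholds, vessel names and coordinates are constructed assumptions.

```python
import math
from collections import defaultdict

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles

def distance_nm(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in nautical miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlam = math.radians(lon2 - lon1)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2)
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))

def implausible_jumps(reports, max_speed_kn=40.0):
    """Return (vessel, time, implied_speed_kn) for every fix that would
    require the vessel to exceed max_speed_kn since its previous fix."""
    last, flagged = {}, []
    for vessel, t, lat, lon in sorted(reports, key=lambda r: r[1]):
        if vessel in last:
            t0, lat0, lon0 = last[vessel]
            hours = (t - t0) / 3600.0
            if hours > 0:
                speed = distance_nm(lat0, lon0, lat, lon) / hours
                if speed > max_speed_kn:
                    flagged.append((vessel, t, round(speed, 1)))
        last[vessel] = (t, lat, lon)
    return flagged

def colocated_vessels(reports, window_s=600, cell_deg=0.001, min_vessels=3):
    """Bucket fixes by time window and a grid cell of roughly 100 m; return
    the buckets in which at least min_vessels distinct vessels appear."""
    cells = defaultdict(set)
    for vessel, t, lat, lon in reports:
        key = (t // window_s, round(lat / cell_deg), round(lon / cell_deg))
        cells[key].add(vessel)
    return {k: sorted(v) for k, v in cells.items() if len(v) >= min_vessels}

def suspected_spoofing(reports):
    """Vessels that both jumped implausibly and landed on a shared spot.
    Requiring both signals avoids flagging ships berthed side by side."""
    jumped = {v for v, _, _ in implausible_jumps(reports)}
    clustered = {v for group in colocated_vessels(reports).values() for v in group}
    return sorted(jumped & clustered)

# Constructed sample: (vessel, unix_seconds, latitude, longitude).
# V1-V3 start far apart, then all report one identical position ten
# minutes later; V4 moves about one nautical mile in the same interval.
SAMPLE = [
    ("V1", 0, 44.10, 37.00), ("V2", 0, 43.90, 37.40),
    ("V3", 0, 44.30, 36.70), ("V4", 0, 43.50, 36.00),
    ("V1", 600, 44.60, 37.80), ("V2", 600, 44.60, 37.80),
    ("V3", 600, 44.60, 37.80), ("V4", 600, 43.51, 36.02),
]

if __name__ == "__main__":
    for vessel, t, speed in implausible_jumps(SAMPLE):
        print(f"{vessel} at t={t}: implied speed {speed} kn")
    print("suspected spoofing:", suspected_spoofing(SAMPLE))
```

The thresholds need tuning per fleet: 40 knots suits merchant traffic, and the fixed grid can split two near-identical positions that straddle a cell edge.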
Researchers suspect that Iran used the same methods against two United States riverine patrol boats in January 2016, when they unknowingly sailed into Iranian waters and were accused of violating Iran’s territorial integrity. As Iran’s cyber warfare capabilities are increasing and its relations with the US are deteriorating, there is an increasing threat of Iran using cyber warfare against the US Navy.
North Korea, a close military partner of Iran, has reportedly used GPS jamming to disrupt air and naval traffic within the demilitarized zone as reported by Ian W. Gray in The Diplomat. The South Korean counter-espionage agency which launched a probe into an alleged hacking attack on a naval warship building firm last month says it believes North Korea may be behind the hack. On 20 April, Hanjin Heavy Industries & Construction Co, the largest naval shipbuilders in South Korea, was hit by a cyber-attack leaving possible classified files exposed.
Espionage targets operational information and technical data, as well as counter-information operations. Nations such as Russia, China, Iran, and North Korea have been developing quite impressive capabilities. In various stages of competency, they show interest in exploiting naval networks to conduct espionage operations, either by stealing information and technical data on fleet operations or by preventing the Navy from taking advantage of information capabilities. All of these threats follow a “cyber kill chain” from discovery to probing, penetrating, then escalating user privileges, expanding their attack, persisting through defences, and finally executing their exploit, according to Ralph D. Thiele, writing in Focus on Defense and International Security Game Changer – Cyber Security in the Naval Domain.
Chinese hackers have breached U.S. Navy contractors to steal a raft of information, including missile plans, through what some officials describe as some of the most debilitating cyber campaigns linked to Beijing, the Wall Street Journal reported in Dec 2018. Victims have included contractors of all sizes, with some of the smaller ones struggling to invest in securing their networks, as hackers over the last 18 months have conducted numerous breaches to gather intelligence, sabotage American systems, and steal intellectual property, the Journal reported. The Journal’s report was based on information from experts and officials, who said that Navy Secretary Richard Spencer had ordered a review of cybersecurity weaknesses that led to an initial assessment validating concerns and laying groundwork for a response by the Navy. Officials in the Navy called the breaches troubling and unacceptable, the Journal reported.
Also, information operations – i.e. the collection of tactical information about an adversary as well as the dissemination of propaganda in pursuit of a competitive advantage over an opponent – are becoming cyber-enabled. Cyber will mostly be the means of choice for extracting the data. Actors and nations such as Russia have developed highly professional skills to conduct information operations below the threshold of triggering a military response.
Following the Snowden/NSA disclosures, another serious type of threat that has the potential to cause irreparable harm to the Navy’s interests is the insider threat. Presidential Executive Order 13587, signed in 2011 to improve federal classified network security, further defines an insider threat as “a person with authorized access who uses that access to harm national security.”
Mr Searle said cyber attack “is a real threat, certainly, it’s something we take very seriously, particularly areas of the combat system, communications systems, power and propulsion control systems.” “We put a lot of effort into ensuring the security of those systems from software, from a communications point of view.” The Armed Forces must be able to defend themselves against cyber attacks to ensure their operational capability and also be prepared to carry out cyber attacks themselves to gain an operational advantage.
Overall, the Navy faces the same technological challenges confronting the rest of the Defense Department and even the world at large, declares Vice Adm. Mike Gilday, USN, commander, U.S. Fleet Cyber Command/U.S. 10th Fleet. One of the Navy’s top concerns is that an adversary would deny the fleet its cyber capabilities in a conflict. The service is working to enable its forces to operate in this kind of denied environment, but Adm. Gilday emphasizes that this does not represent an abandonment of cyber as a key warfighting tool. “Cyber is absolutely a key enabler, particularly early in a fight when we want to increase the fog and friction of war and place ourselves in a position of advantage against an adversary,” he declares. “Cyber is absolutely, positively part of how we have to fight in the future—and how we have to shape that environment right from the onset.”
Ships are increasingly using systems that rely on digitization, integration, and automation. Practically all major systems on ships, aircraft, submarines, and unmanned vehicles are networked – and frequently connected to the internet. This includes ships’ hull, mechanical and electrical systems, weapons and navigation systems, aviation systems, and not least control systems. The continual reliance on position, navigation, and timing systems, such as the Global Positioning System (GPS) satellite constellation for navigation and precision weapons, constitutes a considerable technical vulnerability.
This clearly has magnified the risk of unauthorized access or malicious attacks to ships’ systems and networks.
The array of potential access points on modern vessels – such as internet connectivity, the use of industrial control systems and satellite and radio communication systems – present growing opportunities for cybercriminals to pursue.
In 2016, the Baltic and International Maritime Council (BIMCO), in its “Guidelines on Cyber Security Onboard Ships,” warned about the vulnerability of merchant ships to cyber attacks due to their increased networking and automation systems onboard. Navies are moving to network-centric systems in which all the sensors, weapons and command and control on ships, aircraft, submarines, and unmanned vehicles are ‘networked’, which also enhances vulnerability.
Threat agents seek out attack surfaces – i.e. the sum of an organization’s security risk exposure. This is the aggregate of all known, unknown and potential vulnerabilities and controls across all software, hardware, firmware and networks – on four given layers:
- The physical layer provides the physical infrastructure of the cyberspace, e.g. the hardware. Fibre optic cables including undersea cables, and satellites comprise some of the more prominent features of the physical layers of cyberspace.
- The logic layer constitutes the central nervous system of cyberspace. The routing to send and receive messages and to retrieve files occurs on the logic layer, and decisions are taken here. Key elements of the logic layer are Domain Name Servers and Internet Protocols.
- The information layer comprises everything that entertains the internet: websites, chats, emails, photos, documents, apps etc. The information layer is reliant on the previous two levels in order to function.
- At the user layer people are interacting with cyberspace. As cyberspace is a man-made entity its topography can be changed by people.
Naval Dome exposes vessel vulnerabilities to cyber attack
Naval Dome exposed some of the vulnerabilities with a series of cyber penetration tests on systems in common use aboard tankers, containerships, superyachts and cruiseships, revealing with startling simplicity the ease with which hackers can access and over-ride ship critical systems. With the permission and under the supervision of system manufacturers and owners, Naval Dome’s cyber engineering team hacked into live, in-operation systems used to control a ship’s navigation, radar, engines, pumps and machinery.
While the test ships and their systems were not in any danger, Naval Dome was able to shift the vessel’s reported position and mislead the radar display. Another attack resulted in machinery being disabled, signals to fuel and ballast pumps being over-ridden and steering gear controls manipulated. Commenting on the first wave of penetration tests on the ship’s ECDIS system, Naval Dome CTO Asaf Shefi said: “We succeeded in penetrating the system simply by sending an email to the Captain’s computer.”
In a second attack, the test ship’s radar was hit. While the radar is widely considered an impregnable, standalone system, Naval Dome’s team used the local Ethernet Switch Interface – which connects the radar to the ECDIS, Bridge Alert System and Voyage Data Recorder – to hack the system.
“The impact of this controlled attack was quite frightening,” said Shefi. “We succeeded in eliminating radar targets, simply deleting them from the screen. At the same time, the system display showed that the radar was working perfectly, including detection thresholds, which were presented on the radar as perfectly normal.”
A third controlled attack was performed on the Machinery Control System (MCS). In this case, Naval Dome’s team chose to penetrate the system using an infected USB stick placed in an inlet/socket. “Once we connected to the vessel’s MCS, the virus file ran itself and started to change the functionality of auxiliary systems. The first target was the ballast system and the effects were startling. The display was presented as perfectly normal, while the valves and pumps were disrupted and stopped working. We could have misled all the auxiliary systems controlled by the MCS, including air-conditioning, generators, fuel systems and more.”
“Our solution can prevent this from happening,” he concluded.
IMO Cyber Risk Management
Maritime cyber risk refers to a measure of the extent to which a technology asset could be threatened by a potential circumstance or event, which may result in shipping-related operational, safety or security failures as a consequence of information or systems being corrupted, lost or compromised.
Threats are presented by malicious actions (e.g. hacking or introduction of malware) or the unintended consequences of benign actions (e.g. software maintenance or user permissions). In general, these actions expose vulnerabilities (e.g. outdated software or ineffective firewalls) or exploit a vulnerability in operational or information technology. Effective cyber risk management should consider both kinds of threat.
Vulnerabilities can result from inadequacies in design, integration and/or maintenance of systems, as well as lapses in cyberdiscipline. In general, where vulnerabilities in operational and/or information technology are exposed or exploited, either directly (e.g. weak passwords leading to unauthorized access) or indirectly (e.g. the absence of network segregation), there can be implications for security and the confidentiality, integrity and availability of information. Additionally, when operational and/or information technology vulnerabilities are exposed or exploited, there can be implications for safety, particularly where critical systems (e.g. bridge navigation or main propulsion systems) are compromised.
Effective cyber risk management should also consider safety and security impacts resulting from the exposure or exploitation of vulnerabilities in information technology systems. This could result from inappropriate connection to operational technology systems or from procedural lapses by operational personnel or third parties, which may compromise these systems (e.g. inappropriate use of removable media such as a memory stick).
Cyber risk management means the process of identifying, analysing, assessing and communicating a cyber-related risk and accepting, avoiding, transferring or mitigating it to an acceptable level, considering costs and benefits of actions taken to stakeholders. The overall goal is to support safe and secure shipping, which is operationally resilient to cyber risks.
These Guidelines present the functional elements that support effective cyber risk management.
.1 Identify: Define personnel roles and responsibilities for cyber risk management and identify the systems, assets, data and capabilities that, when disrupted, pose risks to ship operations.
.2 Protect: Implement risk control processes and measures, and contingency planning to protect against a cyber-event and ensure continuity of shipping operations.
.3 Detect: Develop and implement activities necessary to detect a cyber-event in a timely manner.
.4 Respond: Develop and implement activities and plans to provide resilience and to restore systems necessary for shipping operations or services impaired due to a cyber-event.
.5 Recover: Identify measures to back-up and restore cyber systems necessary for shipping operations impacted by a cyber-event.
US Navy’s Cybersecurity Policy and implementation
Navy Secretary Ray Mabus has called for the implementation of a layered approach to cyber defense and the establishment of a department-wide program to tackle insider threats. Navy organizations, including the Marine Corps, “shall implement a defense-in-depth/defense-in-breadth [cybersecurity] strategy to mitigate information security risks throughout the entire life cycle of a system or network,” the memo states.
“The [Department of the Navy] shall establish an integrated set of policies and procedures to deter, detect and mitigate insider threats before damage is done to national security, personnel, resources and/or capabilities,” the memo states. The memo also updates acquisition strategy by calling on officials to make sure cybersecurity is considered at every phase of a system’s development and implementation. The memo also rebrands the DON Information Assurance Program as the DON Cybersecurity Program.
After first taking stock of the organization’s cybersecurity capabilities and gaps in preparedness, some of the most important next steps should include devising an updated ship security plan, appropriate training of the crew and employees and tracking implementation progress through periodic audits.
Coast Guard officials included guidance on basic cyber-security practices that can be implemented to improve the security posture of computer networks found aboard a ship. Summarized, these are:
- Implement network segmentation.
- Create network profiles for each employee, require unique login credentials, and limit privileges to only those necessary.
- Be wary of external media.
- Install anti-virus software.
- Keep software updated.
In order to detect and monitor opponents’ activities, block attacks, manoeuvre to defeat opponents, and defend naval information networks and critical infrastructure, mission areas will likely include:
• Operations and defence of the naval networks and operating shore-to-ship communications systems;
• Relevant and actionable intelligence and surveillance data based on the analysis of adversary communications and radars;
• Signals Intelligence and associated threat warnings to provide naval forces with location and intent of opponents;
• Provision of context to other intelligence sources;
• Provision of the maritime domain and a common operational picture;
• Warfare in the electromagnetic spectrum;
• Interrelated and complementary missions.
“Ultimately, the objective should be a Sailor who understands cyber hygiene and proper use of the network as a primary on-the-job tool, just as well as any Soldier or Marine knows his or her rifle,” according to an article by the Center for International Maritime Cybersecurity. “Sailors go to sea aboard complex warships with integrated networked systems that run everything from Hull, Mechanical, and Electrical (HM&E) systems to combat systems and weapons employment. The computer is our rifle, why shouldn’t we learn how to use it more safely and effectively?”