Maritime networks have become an attractive playground for hackers, with cyber-attacks on vessel OT networks and systems increasing by 900% over the past three years. A ship’s onboard information technology and operational technology systems can be hacked just as easily as systems ashore. Such security breaches have the potential to do considerable harm to the safety and security of ships, ports, marine facilities and other elements of the maritime transportation system. Attacks on vessel OT networks can be catastrophic, leading to injury, loss of life, asset damage or environmental impact.
There has been some ongoing tension between Israel and Iran in the form of an alleged back and forth of attempted and successful cyberattacks against physical infrastructures. Geopolitical tensions are one of many maritime security challenges.
On May 9, 2020, all shipping traffic at the Shahid Rajaee port terminal in Iran came to an abrupt halt. According to The Washington Post, an unknown foreign hacker briefly knocked the port’s computers offline, which led to massive backups on waterways and roads leading to the terminal. The Shahid Rajaee port facility is the newest of two major shipping terminals in the Iranian coastal city of Bandar Abbas, on the Strait of Hormuz. Computers that regulate the flow of vessels, trucks and goods at the port were knocked offline simultaneously on May 9, 2020, disrupting operations and causing road and waterway congestion that lasted several days. The attack on the port’s computers was confirmed a day later by Mohammad Rastad, managing director of the Ports and Maritime Organization (PMO), who stated, “A recent cyberattack failed to penetrate the PMO’s systems and was only able to infiltrate and damage a number of private operating systems at the ports.”
A panel of technical experts debated the advantages of cyber security centres securing vulnerable maritime assets during Riviera’s Maritime’s zero-day exploit: port cyber security webinar. They explained how port facilities remain vulnerable to, and are unprepared for, cyber threats. They agreed port cyber security is maritime’s zero-day exploit, which is a secret vulnerability no one has generated protection for. Panellists on Riviera’s Maritime’s zero-day exploit: port cyber security webinar were : University of Plymouth research fellow for cyber security Dr Kemedi Moara-Nkwe, NORMA Cyber managing director Lars Benjamin Vold and McDermott Will & Emery partner Paul Ferrillo.
Cyber attacks on logistics hubs would devastate the supply chain network with tremendous financial damage, said Mr Moara-Nkwe. He said cyber threats could affect operational technology (OT) such as supervisory control and data acquisition (SCADA) systems and IT networks in ports. “Ports are unique in their interfaces between IT and OT, such as for cargo loading and unloading,” he said, adding a cyber attack initiated in IT could impact substations, electrical systems and automated cranes.
There are also consequences to cyber issues jumping between IT and OT on ships as more owners, operators and managers adopt digitalisation and internet of things (IoT). “This could potentially cause a vessel to lose access to onshore services, with no communications,” said Mr Moara-Nkwe. “There could be a loss of access to electronic devices used for navigation or for safety purposes on ships.”
“Ports depend on the technology and need to consider the risks as a cyber attack can affect availability of technology and assets,” said Mr Moara-Nkwe. “Potential consequences are disruptions to port operations and to supply chains.”
Economic Impacts: Ports & Shipping
Shipping and ports go hand-in-hand the disruption to one creates a ripple effect for the other — this is a fact we’ve already seen first-hand with the current global pandemic and oil crash. With the historically low oil prices, many companies and ports began to struggle with storage. Bloomberg writes, “From California to Gibraltar, tankers have piled up as suppliers deal with the largest glut the world has ever seen and ports have become congested.” The lack of storage prolonged voyages with tankers having no place to go — and at port, they clogged up a well-worn system, causing knock-on consequences.
This was also seen in attack on Iran’s port. According to an official, the damage was more severe than initially described by Iranian officials. Photos shown to The Washington Post dated May 9, 2020 exposed miles-long traffic jams on highways leading to the Shahid Rajaee port terminal. A photograph dated May 12, 2020 also showed dozens of loaded container ships in a waiting area off the coast.
From another perspective, Lloyd’s of London looked at the estimated damage of a coordinated cyber-attack against ports. In their worst-case scenario, a coordinated cyber-attack on 15 Asian ports would cost $110 billion. Additionally, 92% of the estimated costs from the cyber-attack are uninsured. The report also projected the interrelated costs with countries linked to each port. Asian countries would lose $26 billion, followed by Europe at $623 million, and North America at $266 million. Related industries would also take a hit, with aerospace losing $28.2 billion, manufacturing at a $23.6 billion loss, and retail losing $18.5 billion. (The report and estimates are pre-COVID 19 figures.)
Maritime ports cyber security
To identify cyber security vulnerabilities, ports and regulated facilities should conduct facility security assessment and plan to address cyber security vulnerabilities using a facility security plan. OT cybersecurity isn’t just a must-have for ships and vessels. Onshore operations, ports, and terminals must also secure and protect their operations. With rising cyber attacks and huge impacts, Port, ship and offshore staff must adapt their cybersecurity operations accordingly to ensure their endpoints, critical systems and components are updated and protected.
The European Union Agency for Cybersecurity provides port operators with a set of good practices to help them identify and evaluate cyber risks, and effectively identify suitable security measures. EU Agency for Cybersecurity Executive Director Juhan Lepassaar stated: “The maritime sector plays a pivotal role in the global supply chain. Advancing digital technologies bring economic benefits to ports, but also introduce new cyber threats. The report provides guidelines and good practices to support them in effectively conducting this cyber risk assessment, which is where many of these operators face challenges.”
The interconnected nature of ports requires operators to achieve and maintain a baseline level of cybersecurity to ensure security across the port ecosystem. The report notes that the EU maritime sector has a fragmented approach to assessing cyber risks.
The report encourages port operators to develop a set of good practices in a means to develop this baseline level of cybersecurity. Practices include to:
- Identify cyber-related assets and services in a systematic way that includes maintaining an asset inventory, identifying dependencies and deploying automation;
- Adopt a comprehensive approach for identifying and evaluating cyber risks that includes CTI, risk indicators and business impact analysis, involves all relevant stakeholders and is integrated at an organisational level;
- Prioritise the implementation of security measures following a risk-based approach that considers security measure effectiveness and pertinence to the identified risks, and is founded in a security-by-design approach;
- Implement organisation-wide cybersecurity awareness and technical training programmes;
- Develop a comprehensive cybersecurity programme that involves a commitment by senior management;
- Conduct a cybersecurity maturity self-assessment to identify priorities for improvement, and budget and resource allocation.
The EU Agency for Cybersecurity supports cybersecurity in Europe’s maritime sector by providing recommendations, supporting the development of regulations, facilitating information exchange and organising awareness-raising events. In 2019, the Agency published its Port Cybersecurity Report with a set of cybersecurity good practices for the maritime sector, and organised two maritime security workshops with the European Maritime Safety Agency (EMSA).
The Agency is currently developing an online tool for cyber risk management for port operators, and will continue its work with EU bodies, such as the EMSA, and Member States to strengthen cybersecurity for the sector.
Countermeasures need to include direct approaches such as hardening IT and OT systems, improving personnel training and regulatory changes to reduce vulnerabilities.
“There are also indirect approaches such as risk sharing, and projects such as Cyber-MAR, with the aim of quantifying the effects of cyber attacks and proposing risk models that would aid risk mitigation,” said Mr Moara-Nkwe. IMO has taken the initiative to raise awareness across the industry on how to tackle risks by promoting a maritime cyber risk management approach. He would promote and encourage growth of the cyber-insurance market. “This will allow players in the maritime space to adequately hedge against cyber risks,” he said, adding the “rise of cyber security centres is the way forward in cyber security”.
Mr Vold explained the purpose of the Norwegian Maritime Cyber Resilience Centre (NORMA) for building unified resilience against cyber threats for Norway’s maritime and shipping sectors. “We are finding new ways to collaborate, share best practice and technical information,” said Mr Vold. “We need to find a holistic way in the industry to tackle cyber threats.” NORMA provides an intelligence and information-sharing service and an incident response and crisis support service. “From 1 June 2021, we will be a security operations centre, with services tailored for the shipping and maritime sector,” said Mr Vold.
One of the key comments from this webinar’s panel was the importance of regulation and authorities’ response to cyber issues on ships. Mr Ferrillo provided an update on the regulatory framework and changes in the US, including the National Maritime Cyber Security Plan. The main priority of this plan is to establish clear lines of command of who oversees maritime security, mostly the US Coast Guard in US continental waters. Other aims are developing maritime standards and best practices for IT and OT technologies and strengthening port cyber security best practices through contractual requirements.
“Developing procedures to identify, prioritise and mitigate cyber security risks for ports and vessels would include developing a framework for ports and vessel assessments to follow,” said Mr Ferrillo. “Better information sharing and more timely sharing of cyber security threat intelligence and increased educational training to produce more cyber security specialists for ports and vessels” would also be part of the plan.
Mr Ferrillo spoke about the role of the US Coast Guard as the chief maritime law enforcement agency in the US. He said the national maritime cyber security plan “rides side by side with US Coast Guard’s guidelines for addressing cyber risks” at Maritime Transportation Security Act (MTSA) regulated facilities (NVIC). “Which generally require these ports to address and document network and cyber security vulnerabilities,” said Mr Ferrillo. MTSA requirements are mandatory, while US Coast Guard’s NVIC is guidance for reminding port facilities of the need to comply with MTSA regulations.
References and Resources also include: