Maritime Threat Analysis

Threat-Analysis-Report

Original Release Date: 10/27/2022

The NJCCIC assesses with high confidence that the maritime sector, including ports, vessels, and shipping companies across the globe, will remain an attractive target for a range of cyberattacks designed to disrupt daily operations, steal sensitive data, incite distrust and promote violence toward the community, and encrypt critical operational data.

US maritime ports and the associated marine transportation system (MTS) are vital components of the nation's critical infrastructure, security, and economy. The US Coast Guard, working with the International Maritime Organization, is raising cyber awareness among maritime industry leaders and operators. Understanding the potential impacts of a cyberattack on the maritime sector and its industrial control systems is critical: beyond damaged equipment, such attacks could expose the environment and the public to harmful pollutants, cause global economic consequences, and even result in death or serious injury. The National Maritime Cybersecurity Plan underscores the scale of what is at stake, describing the US maritime sector as “an integrated network of 25,000 miles of coastal and inland waterways, 361 ports, 124 shipyards, more than 3,500 maritime facilities, 20,000 bridges, 50,000 Federal aids to navigation, and 95,000 miles of shoreline that interconnect with critical highways, railways, airports, and pipelines.”

Extensive vulnerabilities exist within the maritime sector, including the physical environment, OT/IT environment, Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA), distributed control systems (DCS), and programmable logic controllers (PLC).

Shipping companies have reported numerous ransomware attacks, and many have chosen to pay the ransom to avoid disruption to their operating schedules. Because of the sheer volume of business conducted in ports worldwide, a cyberattack that disrupts port or vessel operations could result in significant monetary losses. The MTS contributes roughly one quarter of US gross domestic product, generating approximately $5.4 trillion annually.

With the maritime sector's massive economic reach and the industry's ever-growing reliance on technology, profit-motivated threat actors are expected to continue targeting maritime ports, shipping companies, and vessels. Threat actors that target the maritime sector include state-sponsored actors, cybercriminals, hacktivists, and untrained or negligent employees. State-sponsored attacks typically originate from non-allied nations that use their cyber capabilities for espionage or to disrupt and damage critical infrastructure and the economy. Cybercriminals, although generally less sophisticated, remain dangerous: they are financially motivated and use ransomware, industrial and commercial espionage, and data manipulation (for example, to support smuggling operations). One widely cited industry estimate puts the global cost of cybercrime at approximately $6 trillion for 2021.


Recent Incidents

  • On April 10, 2020, a malware attack hit the Mediterranean Shipping Company (MSC). As a precaution, MSC shut down servers to protect company data and took its website offline; the attack affected only internal data processes.
  • On July 8, 2019, the US Coast Guard disclosed a malware infection on a commercial vessel that had significantly degraded the vessel's onboard computer systems; the malware was described as credential mining. The Coast Guard and FBI reported that the absence of basic cybersecurity measures on the vessel was the main reason the infection took hold: every crew member shared the same login and password for the vessel's computers, external media (such as USB drives) were used freely, and no anti-virus software was installed.
  • In 2018, Chinese state-sponsored hackers breached a US Navy contractor and stole highly sensitive data, including plans for a supersonic anti-ship missile project. The contractor worked with a US Navy organization that conducts research and development for submarines and underwater weaponry.
  • In September 2018, two international maritime ports, the Port of Barcelona, Spain, and the Port of San Diego, California, suffered cyberattacks. Port of San Diego authorities reported a ransomware incident, later revealed to be an infection of the SamSam ransomware. Impacts were isolated to some of the Port Authority's administrative functions and did not interrupt port operations or vessel movements. The Port of Barcelona did not immediately disclose the type of incident but indicated that the attack disrupted its internal IT systems without affecting vessel or port operations.
  • In June 2017, A.P. Moller-Maersk Group, the world's largest container shipping company, suffered a devastating attack as collateral damage of the NotPetya malware. Maersk endured a 10-day halt in operations while it recovered, which required reinstalling 4,000 servers, 45,000 PCs, and 2,500 applications. Maersk reportedly lost approximately $300 million in revenue.


Attack Types

A survey article published by MDPI (the Multidisciplinary Digital Publishing Institute), Cyber Security in the Maritime Industry: A Systematic Survey of Recent Advances and Future Trends, identifies the following as common attack types facing the maritime sector:

Spearphishing: Spearphishing, conducted with targeted emails containing malicious links or attachments to obtain unauthorized access, is one of the most common attacks. After gaining a foothold in an information system, the attacker installs keyloggers to capture logins and passwords, identifies individual workers, and builds a precise map of the port's operations. Although a substantial number of spearphishing attacks occur, port managers tend to keep reporting to a minimum because of the sensitivity of the maritime sector, as breaches affect the confidentiality of individuals and economic relationships between nations.

Distributed Denial-of-Service (DDoS): In a DDoS attack, a port information system is overwhelmed by flooding the network with excessive traffic, denying access to its services. As a result, maritime services and the ability to track goods are compromised. The survey cites a simulation study of DDoS impact on cyber-physical maritime systems: the model comprises a vessel, a controller, and a gate, and the simulated attack targets the communication between these elements, delaying it until the control loop exceeds its safety time limit.
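The simulation the survey describes is not reproduced on this page, so the following is an added toy model, not the study's code, that shows the mechanism: a controller serving messages from a single FIFO queue, a vessel sending periodic position updates, and an attacker flooding the same queue. The service time, message rates, and 250 ms safety limit are assumed values chosen for illustration. The `prioritize_vessel` switch models one mitigation, authenticating vessel messages and serving them ahead of unauthenticated traffic, so the same model shows why message authentication matters for availability as well as integrity.

```python
import heapq

def simulate_control_loop(sim_ms=20_000, service_ms=5.0, vessel_period_ms=1000,
                          flood_rate_per_s=0, safety_limit_ms=250.0,
                          prioritize_vessel=False):
    """Toy single-server model of the controller's inbound message queue.

    The vessel sends one position update every vessel_period_ms; an attacker
    injects flood_rate_per_s bogus messages per second (evenly spaced).  Each
    message costs service_ms of controller time.  A vessel update is a safety
    violation when its completion lags its arrival by more than safety_limit_ms
    (the gate would act on stale data).  With prioritize_vessel=True the
    controller serves authenticated vessel traffic ahead of unauthenticated
    traffic, modelling an authenticate-then-prioritize mitigation.
    All parameter values are assumptions for the example.
    """
    # (arrival_ms, kind); vessel entries are listed first so a stable sort
    # keeps them ahead of flood messages arriving at the same instant.
    arrivals = [(float(t), "vessel") for t in range(0, sim_ms, vessel_period_ms)]
    if flood_rate_per_s:
        gap = 1000.0 / flood_rate_per_s
        arrivals += [(i * gap, "flood") for i in range(int(sim_ms / gap))]
    arrivals.sort(key=lambda a: a[0])

    clock, i, ready, delays = 0.0, 0, [], []
    while i < len(arrivals) or ready:
        # Admit everything that has arrived by now into the ready queue.
        while i < len(arrivals) and arrivals[i][0] <= clock:
            t, kind = arrivals[i]
            prio = 0 if (prioritize_vessel and kind == "vessel") else 1
            heapq.heappush(ready, (prio, t, i, kind))
            i += 1
        if not ready:                      # idle: jump to the next arrival
            clock = arrivals[i][0]
            continue
        _, t, _, kind = heapq.heappop(ready)
        clock += service_ms                # FIFO (or priority) service
        if kind == "vessel":
            delays.append(clock - t)

    violations = sum(d > safety_limit_ms for d in delays)
    return {"max_delay_ms": max(delays), "violations": violations,
            "safe": violations == 0}

if __name__ == "__main__":
    for rate, prio in ((0, False), (100, False), (300, False), (300, True)):
        r = simulate_control_loop(flood_rate_per_s=rate, prioritize_vessel=prio)
        print(f"flood={rate:>3}/s prioritize={prio!s:5} "
              f"max_delay={r['max_delay_ms']:.1f} ms safe={r['safe']}")
```

At 100 flood messages per second the controller keeps up and vessel updates still complete in 5 ms; at 300 per second the offered load exceeds capacity, the backlog grows without bound, and late-arriving vessel updates lag by seconds. With prioritization the vessel never waits behind more than one in-flight message, which is the property a real controller needs from its message authentication and admission control.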

Port Scanning: Attackers use scanning to find the most vulnerable network ports. The goal is to discover which services are running, define the best route to reach databases, and identify which users monitor those services. More advanced attackers use IP fragmentation to confuse the firewall so that its packet filters are bypassed. Another technique probes an open User Datagram Protocol (UDP) port to scan IP addresses by testing several protocols and other ports. TCP wrappers are a common mitigation, letting the network manager allow or block access to a service depending on the source IP address; scan detection on firewall logs complements them by flagging a source before it finds an open port.
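As an added example (not from the survey or this report), the following Python script implements the detection side of the above: it reads firewall DENY log lines and flags any source that touches a threshold number of distinct destination ports within a sliding time window, which is the signature of a port sweep. The log format, the threshold, and the sample lines are all constructed for the example; a brute-force source hammering one port is included to show that it is deliberately not reported as a scan.

```python
import re
from collections import defaultdict, deque

# Constructed sample of firewall DENY log lines (not real traffic).  Assumed
# format: "<epoch> DENY <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>".
# 198.51.100.7 sweeps eight ports (incl. Modbus/502 and RDP/3389) in five
# seconds; 203.0.113.9 keeps hitting SSH (a brute-force pattern, not a scan);
# 192.0.2.44 probes two UDP ports.
SAMPLE_LOG = """\
1666872000 DENY 198.51.100.7:51000 -> 10.20.0.5:21 TCP
1666872001 DENY 198.51.100.7:51001 -> 10.20.0.5:22 TCP
1666872001 DENY 198.51.100.7:51002 -> 10.20.0.5:23 TCP
1666872002 DENY 198.51.100.7:51003 -> 10.20.0.5:80 TCP
1666872002 DENY 198.51.100.7:51004 -> 10.20.0.5:443 TCP
1666872003 DENY 198.51.100.7:51005 -> 10.20.0.5:502 TCP
1666872003 DENY 198.51.100.7:51006 -> 10.20.0.5:3389 TCP
1666872004 DENY 198.51.100.7:51007 -> 10.20.0.5:8080 TCP
1666872005 DENY 203.0.113.9:40000 -> 10.20.0.5:22 TCP
1666872100 DENY 203.0.113.9:40001 -> 10.20.0.5:22 TCP
1666872200 DENY 203.0.113.9:40002 -> 10.20.0.5:22 TCP
1666872300 DENY 192.0.2.44:6000 -> 10.20.0.5:161 UDP
1666872301 DENY 192.0.2.44:6001 -> 10.20.0.5:500 UDP
"""

LINE_RE = re.compile(r"^(\d+) DENY (\S+?):(\d+) -> (\S+?):(\d+) (TCP|UDP)$")

def parse_line(line):
    """Return (ts, src_ip, dst_ip, dst_port, proto), or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, _sport, dst, dport, proto = m.groups()
    return int(ts), src, dst, int(dport), proto

def detect_scanners(log_text, window_s=60, min_ports=5):
    """Flag sources that touch >= min_ports distinct destination ports within
    any window_s-second sliding window.  Returns {src_ip: sorted ports seen
    in the widest offending window}.  Log lines are assumed time-ordered."""
    recent = defaultdict(deque)   # src_ip -> deque of (ts, dst_port)
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, _dst, dport, _proto = rec
        q = recent[src]
        q.append((ts, dport))
        while q and ts - q[0][0] > window_s:   # expire events outside the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= min_ports and len(ports) > len(alerts.get(src, ())):
            alerts[src] = sorted(ports)
    return alerts

if __name__ == "__main__":
    for src, ports in detect_scanners(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {len(ports)} ports {ports}")
```

The distinct-port count, not the request count, is what separates a sweep from a brute-force attempt against one service; both deserve attention, but they feed different playbooks. On a real firewall the flagged source would then be added to the deny list (for TCP-wrapped services, `/etc/hosts.deny`), which is the tie-in to the mitigation named above.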

Data Modification: Altering supply chain information disrupts international shipping, because container tracking, assurance, and international authorizations all rely on the integrity of a few key data fields shared among many processes and stakeholders. One damaging example is changing the destination of a container, which requires the attacker to know the supply chain and its weak points well enough to modify the right record; the defense is to make any unauthorized modification detectable.
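An added example, not taken from the survey or this report, of making the modification described above detectable: each manifest record is accompanied by an HMAC computed over a canonical serialization with a key the tracking database itself does not hold, so an attacker who can write to the database can change the destination but cannot produce a matching tag. The key, the manifest fields, and the container number are constructed for the example.

```python
import hashlib
import hmac
import json
from copy import deepcopy

# Constructed key for the example; a real deployment would hold it in an HSM
# or secrets manager, scope it per trading partner, and rotate it.
SHARED_KEY = b"example-manifest-key-not-for-production"

# Constructed manifest record; the container number and ports are illustrative.
MANIFEST = {
    "container": "ABCU1234567",
    "origin": "Port Newark",
    "destination": "Port of Rotterdam",
    "seal": "SL-4481",
    "weight_kg": 21480,
}

def canonical(record):
    """Deterministic bytes for MACing: key order and separators are fixed so
    both sides compute the tag over exactly the same serialization."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def sign_record(record, key=SHARED_KEY):
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}

def verify_record(signed, key=SHARED_KEY):
    expected = hmac.new(key, canonical(signed["record"]), hashlib.sha256).hexdigest()
    # constant-time comparison so timing does not reveal how many bytes matched
    return hmac.compare_digest(expected, signed["tag"])

def reroute(signed, new_destination):
    """Simulate an attacker with write access to the tracking database but no
    key: the destination changes, the stored tag does not."""
    forged = deepcopy(signed)
    forged["record"]["destination"] = new_destination
    return forged

def demo():
    signed = sign_record(MANIFEST)
    forged = reroute(signed, "Port of Antwerp")
    return verify_record(signed), verify_record(forged)

if __name__ == "__main__":
    print("original verifies: %s, rerouted copy verifies: %s" % demo())
```

A shared-key MAC only proves that someone holding the key produced the record; where carriers, terminals and customs each need to prove who authored a change, the same pattern is used with per-party digital signatures instead of one shared key. Either way the verifying side must reject records whose tag is missing, not merely records whose tag is wrong.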

Social Engineering: Social engineering attacks generally exploit human curiosity or a sense of obligation to get a person to perform a malicious act, so the study of human behavior is core to a successful attack. Attackers use email, social media, or instant messaging to gather information on in-port network activity. Other classes of social engineering attack are baiting and quid pro quo. A USB drive presented as a software update for a security manager is a frequent means of installing malware that gives the attacker access to the system. Strictly applied security policies, such as controls on removable media, are the primary defense against such attacks.

Malware/Ransomware/Trojans: These classes of attack generally aim to damage, or hold hostage, an information system or server by exploiting vulnerabilities within the network. The use of unvetted external devices and the absence of anti-virus protection make the attacker's task easier.

Espionage and Data Theft: Data theft and espionage can be the starting point of a larger destructive attack, because attackers often need specific information before attempting subsequent operations. Sensitive data is valuable to both state-sponsored groups and cybercriminals, and data leaks can cause substantial economic damage. Beyond deliberate disclosure, users can unintentionally leak sensitive documents by submitting them to public analysis tools, where third parties may parse or download them.

Recommendations

The NJCCIC advises maritime sector stakeholders to take proactive steps to improve their organizations' overall cyber risk management and preparedness. Cybersecurity presents major challenges in the maritime sector, where expertise is in short supply. Awareness is a vital first step in contending with existing vulnerabilities and threats: all staff members, including executives, should be properly trained and aware of the latest threats, and staff and management should work together to maintain security. Cybersecurity is not solely an IT department responsibility; everyone is responsible and should be held accountable for the risk they introduce.

The following resources can help the sector become more resilient to cyberattacks: the International Maritime Organization Guidelines on Maritime Cyber Risk Management, the US Department of Homeland Security Enhanced Cybersecurity Services, the National Institute of Standards and Technology Cybersecurity Framework, and the US Coast Guard's related framework profiles for bulk liquids transfer, offshore operations, and passenger vessels. The profiles give traditional maritime security and IT professionals a common language, helping organizations build awareness and incorporate cyber incident response into existing security plans. The US Coast Guard Maritime Commons blog and the US Maritime Administration Maritime Security portal are recommended sources for maritime cybersecurity alerts, advisories, and initiatives. Maritime industry stakeholders are encouraged to continue bridging the cybersecurity expertise gap by participating in their local Area Maritime Security Committee events and Cybersecurity Subcommittees.


At minimum, the maritime sector, including interconnected organizations, should implement the following for their OT/IT environments:

  • Tamper-resistant controls on field devices: Field devices must implement hardware security controls to prevent physical tampering.
  • Trusted procurement procedures: Commercial off-the-shelf (COTS) hardware and software must be acquired through strict procurement procedures that permit only certified products meeting defined security standards to be installed.
  • Patching and updating: Support staff must install critical updates as soon as they are available, both for operating systems and ICS software. Install and regularly update anti-virus and anti-malware software on all hosts. Disable unused remote access/RDP ports and monitor remote access/RDP logs.
  • Encryption: Devices must implement end-to-end encryption with security built into their processes. Where spoofed devices are a concern, certificate pinning should be required. Implementations should also protect against side-channel attacks that could leak encryption keys.
  • Authentication and access control procedures: Facilities should implement strict authentication and authorization procedures for their employees and for all software entities. Develop access control measures to prevent unauthorized access to critical cyber systems.
  • Penetration testing and internal audit: All facilities must implement rigorous vulnerability assessment and penetration testing audits on a regular basis to ensure continuous analysis of operational systems.
  • Employee training and awareness: All employees working on critical systems must have training or certifications appropriate to the elevated threat level of their positions. Human error and phishing are best reduced by combining employee awareness with technical controls such as email filtering and multi-factor authentication; neither is sufficient on its own.
  • Network segmentation: All facilities must deploy proper network segmentation with DMZ configured and network isolation to protect critical systems. Whenever possible, ICS should not share the same network with internet-accessible devices.
  • Use of different technologies: Implemented ICS should use devices and systems from different vendors to reduce the number of compromised assets per vulnerability. Although this measure introduces management complexity, it is a vital control to increase resilience of critical systems.
  • Segregation of duties and least privilege: Staff must have individual credentials with privileges limited to their job needs. Apply the principle of least privilege to all accounts, and require administrator credentials to install software.
  • Catalog and reduce system dependencies: Critical systems must identify and minimize dependencies on other systems and services, such as third-party processes.
  • Minimize unified closed loops: Closed-loop automation simplifies monitoring and control, and manual control does increase operator workload, but operators should minimize fully automatic control over critical machinery or, at a minimum, monitor it closely and break closed loops into individually supervised procedures.
  • Create backups: Back up data regularly, and keep backup copies offline, air-gapped, and password-protected. Ensure that copies of critical data cannot be modified or deleted from the system where the data resides.
  • Recovery plan: Implement a recovery plan that maintains multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., a hard drive, a storage device, or the cloud). Establish, test, and update incident response (IR) plans and continuity of operations plans (COOPs).
  • Ensure password security: Use multi-factor authentication wherever possible. Use strong, unique passwords for network systems and accounts, never reuse a password across accounts, and change a password promptly whenever compromise is suspected. If policy requires scheduled rotation, note that NIST SP 800-63B advises against mandatory periodic changes, which tend to produce weaker, predictable passwords.
  • Use secure networks only: Only use secure networks and avoid public Wi-Fi networks. Consider installing and using a virtual private network.
  • Email security: Consider adding an email banner to messages originating outside your organization and disabling hyperlinks in received emails.


New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov

OUR COMMITMENT

The NJCCIC is a component organization within the New Jersey Office of Homeland Security and Preparedness. We are the State's one-stop-shop for cyber threat analysis, incident reporting, and information sharing and are committed to making New Jersey more resilient to cyber threats by spreading awareness and promoting the adoption of best practices.
