Maritime Shipping Is Badly Exposed

A recent US Coastguard safety alert caught the attention of the broader maritime industry, from the US Navy to multinational shipping companies. The alert documented an incident in February where a deep draft vessel on an international voyage sailed into the Port of New York and New Jersey with its shipboard network impaired by an active cyber-attack.
 
The team of cyber experts who responded to the incident found that “although the malware significantly degraded the functionality of the onboard computer system, essential vessel control systems had apparently not been impacted.” 
 
Not surprisingly, they also found that the vessel was “operating without effective cyber security measures in place, exposing critical vessel control systems to significant vulnerabilities.”
 
Cyber Pirates and Zombie Ships
The maritime industry has been discussing how emerging attack surfaces could increase the risk of cyber-attacks capable of crippling ships, or even potentially hijacking autonomous vessels at sea, and the incident brought those conversations to the forefront.
 
Key public and private interests have been actively aware of the challenges created by increasingly connected and automated vessels, and together they have done a good job of engaging with cyber-security vendors to address emerging risks for connected hull, mechanical and electrical (HM&E) systems. However, there is a glaring area of vulnerability on the port management side that has not been fully discussed or addressed: connected systems at our nation’s ports.
 
Rise of the Robo Harbor-Master
Port authorities manage the flow of ships in and out, and the flow of cargo off and on each of those ships. Currently, these processes are primarily human-directed: an incoming ship will typically check in with a harbormaster, and its freight is signed for on paperwork.
 
It’s a process rife with inefficiencies, and nations and cities are actively working to automate port systems.

The key is establishing identity and tying that identity to the supply chain: taking images of each ship’s serial number, then attaching that marker to its cargo, to the dockworker checking it in, and on down the chain to the truck that picks up each container.

Most of the IoT systems now being put in place to digitise these processes have not been built with security in mind and are very easy to penetrate.
 
If those systems can be compromised, then high-risk security events could happen, such as having a bad actor tell the system to permit specific containers to pass through a port unsearched. This is how a lot of contraband gets into the country.

With great connectivity comes great risk
 
In order to secure port authorities, two significant challenges must first be addressed.
 
1. Port operations typically fall under municipalities and are governed with fixed, low budgets, meaning they lack the spend and manpower to manage the kinds of dynamic threats that arise through automating processes. The technology costs of automating processes are high, but ports are increasingly able to justify the spend by pointing to what will be saved through the resulting efficiency improvements. 
 
What ports frequently fail to recognise is that the skillset needed to manage the complexity that comes with such a move frequently looks very different from what staff can manage.
 
2. There is great potential for efficiency by marrying the identity of a ship to its cargo to the dockworker checking it in to the truck picking up the cargo, but linking those together is very difficult. The only way to do it is through automation, but that connectivity creates a lot of risk that ports are ill-equipped to deal with. 
 
Cyber security risks aside, there is no framework for establishing accountability throughout the process. Who will be responsible for making sure what is in a container remains in that container?
 
Today, there are no standards and no oversight organisation tasked with creating a standardisation process.
 
Interconnected Systems require Zero Trust
Digital transformation requires all systems and sensors to be interconnected to achieve the desired business automation. The approach to interconnecting these on a shared network should use a ‘zero trust’ approach to segmenting network connectivity. 
 
HelpNetSecurity
 