Cyber Attacks Reported by US Coast Guard: Are Maritime Cyber Security Risks Unknown or Ignored?
The US Coast Guard issued a marine safety alert on July 8th 2019 following an "interagency response" to a cyber incident affecting a vessel bound for the Port of New York and New Jersey. This followed a more general briefing issued in May 2019 which warned of cyber adversaries attempting to gain sensitive information via phishing and malware intrusion attempts.
The investigation by the US Coast Guard and other agencies found that although the vessel's essential control systems had not been impacted, the onboard computer system had been 'significantly degraded' by a malware infection. This had led the vessel to report the incident, and had exposed critical systems to additional risk. The alert highlights that although separate computers were used by the crew, the same network was used for official business, and it is therefore assessed as likely that an infection had been able to spread within the environment.
What is particularly noteworthy about this latest report is that the risk was 'well-known among the crew', and despite this, the same shipboard network was used to manage operations on the ship – to update electronic charts, manage cargo data and communicate with shore-side facilities, pilots, agents, and the Coast Guard. Is this because the crew were ignoring the risk, or were unaware of how likely it was that the issues could be exploited? More widely, is there adequate information available to organisations to make intelligence-backed risk decisions? The publication of this briefing, and the previous one in May, are to be welcomed as they bring greater attention to the likelihood of vessels being targeted in this way. Ideally, future reports will also include key technical indicators such as the type of malware, how the infection happened and what the intent was.
The benefits of open, collaborative and positive information sharing, with controls to protect company reputations, have been well established in other industries over the last decades. It is therefore possible for organisations to find in-depth and detailed reporting about attacks which took place, for example, against banks, energy networks and digital enterprises. Moreover, this information is often made public, and in fact, organisations like Norsk Hydro that have openly shared not only that an attack had taken place but also its impact have found it has actually developed their reputation as a resilient organisation. While not every organisation can (or should) be as open in every situation, the sharing of cyber-security intelligence with the widest possible audience results in a net-positive impact for the industry as a whole, as all organisations can respond to 'raise the bar' for attackers, making attacks harder to carry out and less likely to succeed.
Whilst maritime information sharing groups do exist in some geographies, the industry would benefit from evolving the culture of information sharing to become a central part of the industry's response to cyber attacks, and wherever possible, lessons learned should be shared publicly to reach the widest possible audience. To help bridge this gap in publicly available information, Nettitude has produced a retrospective review of maritime-focused cyber attacks from the past decade and a review of security research conducted in this space to help organisations understand their risk exposure, and make evidence-based decisions on mitigation.
It is worth operators focusing on the five key recommendations in the US Coast Guard report, as they are functional, proportionate measures for introducing a basic level of security hygiene:
- Ensure networks are segmented relative to their criticality and security posture. This makes it harder for malware or adversaries to move between systems.
- Remove shared credentials. The use of shared passwords and accounts increases the risk that if one system is compromised, access can be gained to many others.
- Install and update antivirus software. Although this won't catch everything, antivirus software provides a basic level of protection against malicious files and applications.
- Keep devices updated. Applying software updates is critical, and although it can be difficult when vessels are not in port, this should be built into maintenance programmes for all onboard equipment.
- Be careful using removable USB devices. These are often used to transfer documents between ship and shore, but can become infected in the process. All media should be scanned for viruses before being connected to critical ship systems.
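The first two recommendations can be checked mechanically against a host inventory. The following is an added example, not code from the Coast Guard alert or from Nettitude: it flags subnets where crew devices sit alongside operational systems and accounts that exist on more than one host. The inventory format, host names, addresses, account names, zone labels and the /24 subnet size are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample inventory (hypothetical hosts, addresses and accounts).
# zone "operational" = charts, cargo, ship-shore comms; "crew" = crew-use devices.
INVENTORY = [
    {"host": "ecdis-update-pc", "ip": "10.10.1.20", "zone": "operational", "accounts": ["bridge"]},
    {"host": "cargo-mgmt-pc", "ip": "10.10.1.21", "zone": "operational", "accounts": ["bridge", "cargo1"]},
    {"host": "crew-laptop-03", "ip": "10.10.1.57", "zone": "crew", "accounts": ["crew03"]},
    {"host": "crew-laptop-07", "ip": "10.10.2.14", "zone": "crew", "accounts": ["crew07"]},
]
PREFIX_LEN = 24  # assumed subnet size for this example


def mixed_segments(inventory, prefix_len=PREFIX_LEN):
    """Return {subnet: {zone: [hosts]}} for subnets that hold more than one zone."""
    by_net = defaultdict(lambda: defaultdict(list))
    for h in inventory:
        net = ipaddress.ip_network(f"{h['ip']}/{prefix_len}", strict=False)
        by_net[str(net)][h["zone"]].append(h["host"])
    return {net: {z: sorted(hs) for z, hs in zones.items()}
            for net, zones in by_net.items() if len(zones) > 1}


def shared_accounts(inventory):
    """Return {account: [hosts]} for accounts present on more than one host."""
    hosts = defaultdict(set)
    for h in inventory:
        for acct in h["accounts"]:
            hosts[acct].add(h["host"])
    return {a: sorted(hs) for a, hs in hosts.items() if len(hs) > 1}


def report(inventory):
    """Build one finding line per mixed subnet and per shared account."""
    lines = []
    for net, zones in sorted(mixed_segments(inventory).items()):
        detail = "; ".join(f"{z}={','.join(hs)}" for z, hs in sorted(zones.items()))
        lines.append(f"SEGMENTATION {net}: {detail}")
    for acct, hs in sorted(shared_accounts(inventory).items()):
        lines.append(f"SHARED-CREDENTIAL {acct}: {','.join(hs)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(INVENTORY)))
```

A subnet-based check only approximates segmentation; where VLANs or firewall rules separate hosts within one address range, the inventory needs a field that records the actual enforcement boundary.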
This incident again highlights the need to assess and prepare environments for the range of threats they face in the modern maritime environment. The US Coast Guard's brief "strongly encourages all vessel and facility owners and operators to conduct cybersecurity assessments to better understand the extent of their cyber vulnerabilities". Nettitude, a Lloyd's Register company, offers a range of assessment services, from risk assessments to practical penetration testing. Contact us to discuss your requirements further.