Risk Adrift

Each day, approximately every 10 minutes, a cargo ship makes its way through the Suez Canal, moving roughly $9 billion worth of cargo through the 120-mile passage. Twelve percent of all global trade passes through the canal in one year, according to the Suez Canal Authority.

But that came to a sudden halt on 23 March 2021 when a container ship, the Ever Given, became wedged in the canal, blocking traffic, and sending the Suez Canal Authority, the Ever Given’s operator—Evergreen Marine Corp.—and a host of dredgers and tugboats into a frenzy to get the 1,300-foot ship unstuck. The effort took nearly a week, after which the ship was sent to the Great Bitter Lake to anchor for months until the authority reached a settlement with the Ever Given’s owner, Shoei Kisen Kaisha, Ltd., in July 2021 for an undisclosed sum and a new tugboat capable of pulling 75 tons.

Tugboats were critical for getting the Ever Given unstuck. More than a dozen were used to free the ship which was more than 10 times their size—just like they do at ports and in waterways around the world. Like their larger counterparts, they are also becoming increasingly digitized and vulnerable to cyber threats that may start in business networks but could spread elsewhere.

In September 2020, the U.S. Maritime Transportation System Information Sharing and Analysis Center (MTS-ISAC) issued its first alert on tugboats, recommending vigilance after a U.S. tugboat was targeted via a phishing email, Ship Technology reported.

"Advancing digital technologies bring economic benefits to ports, but also introduce new cyber threats." 

The notice was just one of 62 cybersecurity advisories the MTS-ISAC issued in 2020—the year the ISAC was founded—in what it dubbed a “marked increase” in cyberattacks since the beginning of the COVID-19 pandemic.

“In addition to the attack on the United Nations’ International Maritime Organization, multiple public and commercial shoreside facilities and vessel owners and operators around the world were hit by ransomware attacks,” according to the 2020 MTS-ISAC Annual Report.

The report did not cite any specific reason for the rise in attacks, but instead said multiple factors were responsible, including geopolitical tensions, transitions in criminal activities in response to the COVID-19 pandemic, legal challenges that make cybercrime a “low-risk endeavor,” an increase in remote workers, and inadequate resources for IT and security teams in the maritime sector.

“Phishing remained a preferred attack technique, with Emotet and ransomware campaigns relying heavily on social engineering as a tactic across 2020,” the MTS-ISAC report explained. “Common phishing themes included invoices, DocuSign, OneDrive with links or attachments, missed messages (voicemails and facsimiles), and spoofed [Office 365] alerts were reported by vessels, including tugboats, and ports alike. While these themes have been successfully used by attackers for years, not surprisingly, in 2020 COVID-19 subjects were frequently reported by both shoreside and vessel stakeholders.”

And while these attack vectors have ramifications for the business side of the maritime industry—such as the NotPetya ransomware attack that crippled shipping giant Maersk Line’s business operations for weeks—they can also pose a threat to the operational technology that the sector relies on to function.

In the past decade, ports and shipping have become increasingly digitized, says Michael Edgerton, CPP, manager of port security at the Port Authority of New York and New Jersey and author of A Practitioner’s Guide to Effective Maritime and Port Security.

“There are two ways of looking at port and maritime infrastructure,” Edgerton says. “One is looking at how digitization affects operational technology, cranes, and pipelines that could result in a negative event. There’s also an increasing emphasis on the business operations, IT operations, financial, and cargo management, which are data rich.”

The maritime industry is undergoing a shift of changes, including its own digital transformation, according to Lloyd’s List, a shipping journal published since 1734. In its Outlook 2021: Shipping Accelerates Towards an Uncertain Future, survey respondents said that big data and artificial intelligence (36.9 percent) and autonomous systems (29.8 percent) would likely be the most significant drivers of change in the shipping industry between 2021 and 2026—after low/zero carbon research and design initiatives. Respondents also considered digitalization to be the best investment opportunity for shipping in 2021.

While these moves are designed to make the maritime industry more efficient and lower business costs, they can also create lucrative target points for ransomware attacks and more malicious attacks that could seek to compromise operational technology or life safety systems on vessels.

“With enhanced technology, the interconnectivity—while improving the efficiency of the system itself—also presents multiple nodes which provide opportunities for cyberattacks,” said Kathy Metcalf, president and CEO of Chamber of Shipping of America, in a panel discussion hosted by the Atlantic Council on maritime cybersecurity. “Key links to and from the vessel include shore management (ship owner, operator, or charter), government agencies requiring electronic reporting of vessel information, third-party contractors including classification societies, vendors, technical service providers, and port and terminal authorities.”

“Simply put, in an ideal world, the entire logistics chain is interconnected and provides stakeholders real-time information essential to scheduling and decision making,” Metcalf continued. “Integrating cybersecurity programs at each interface is critical as is also the education of personnel at each interface.”

"The way we’re approaching it with a converged approach is the way of the future. " 

Some of these risks are beginning to be addressed through regulations and guidelines. The International Maritime Organization (IMO) released guidelines on maritime cyber risk management, which provide high-level recommendations for the shipping industry. They recommend building out an existing risk management framework with the ability to identify personnel roles and responsibilities for cyber risk management and system assets, protection and contingency measures that can be implemented to protect against a cyber event, detection measures for cyber threats, response measures for a cyber incident, and recovery measures to backup and restore systems.

The guidelines address vulnerable systems, including the ship’s bridge, cargo handling and management, propulsion and machinery management, access control, passenger servicing, and communication systems, according to an IMO spokesperson who responded to Security Management’s interview request.

“The guidelines present the functional elements that support effective cyber risk management,” the spokesperson says. “These functional elements are not sequential—all should be concurrent and continuous in practice and should be incorporated appropriately in a risk management framework.”

The IMO also implemented Resolution MSC.428(98), “Maritime Cyber Risk Management in Safety Management Systems.” Beginning 1 January 2021, companies were required to ensure that cyber risks are appropriately addressed in their existing safety management systems.

Along with the IMO, the European Union Agency for Cybersecurity (ENISA) issued guidelines for cyber risk management for ports in December 2020. The guidelines recommend port operators take a four-phase approach to cyber risk management, as well as adopt practices for a good baseline of cybersecurity.

“The maritime sector plays a pivotal role in the global supply chain,” said EU Agency for Cybersecurity Executive Director Juhan Lepassaar in a statement. “Advancing digital technologies bring economic benefits to ports, but also introduce new cyber threats. The report provides guidelines and good practice to support them in effectively conducting this cyber risk assessment, which is where many of these operators face challenges.”

These practices include identifying cyber-related assets and services in a systematic way, adopting a comprehensive approach for identifying and evaluating cyber risks, prioritizing the implementation of security measures, implementing organization-wide cybersecurity awareness and technical training programs, and conducting cybersecurity maturity self-assessments.

The U.S. Coast Guard is also addressing cybersecurity with an updated 2021 Cyber Strategic Outlook to address cyber threats to information and operational technology systems. Its analysis found that there were more than 500 major operational technology cyberattacks on the marine industry in 2020.

“The events of the last five years, including the exploitation of Coast Guard networks and information, the attacks on maritime critical infrastructure, and adversarial efforts to undermine democratic processes—not just by exploiting networks, but by negatively shaping information—reinforce that cyberspace is a contested domain,” wrote Commandant of the U.S. Coast Guard Admiral Karl L. Schultz in the introduction to the outlook.

The Cyber Strategic Outlook commits the Coast Guard to ensuring it is “mission ready,” protecting the Marine Transportation System, and identifying and combating adversaries throughout cyberspace.

These initiatives touch on a shift that is happening in the maritime industry, where business, operation, and security teams are becoming increasingly connected and dependent on one another and risk needs to be addressed at the enterprise level.

The Port Authority of New York and New Jersey is doing this, Edgerton says, by placing all its security functions—both physical and cyber—under the CSO.

“The way we’re approaching it with a converged approach is the way of the future. The business case—on the commercial side—will ultimately support that as senior executives look at cyber risk as an enterprise risk and treat it as such,” Edgerton says. “There’s different levels of maturity, and it’s going to be a continued process for everyone.”