On a Sea of Risk
Print Issue: April 2018
The maritime sector, one of the world's most critical infrastructures, is vulnerable to a variety of security threats. But in this environment, many organizations have difficulty analyzing a crucial issue: which levels of risk are acceptable? The answer can shift; a disaster can transform an organization's perspective.
This article is aimed at assisting those who are exploring the question of acceptable levels of risk, and how those risks might be mitigated, in the maritime sector. To that end, it discusses the information that informs a risk analysis: breakdowns of potential bad actors, their tactics and targets, sector weaknesses, and appropriate protection strategies.
First, common threat actors and motives are explored. Second, the tactics and targets of these actors are examined, as well as the vulnerabilities of the maritime sector that could be exploited by these criminals.
Third comes a discussion of the existing security measures used to protect the maritime sector against attacks, followed by ideas about effective security measures and related emergency management initiatives.
Actors and Motives
Threat actors may include current, prospective, or former employees of shipping companies and seaports, or third-party contractors such as trucking agents and train conductors. Maritime staff and contractors are not always fully vetted, particularly when positions are filled overseas. In the more extreme cases, they may be mentally ill, violent ex-felons, or even terrorists, serving in various posts such as merchant mariners, longshoremen, and tractor-trailer drivers.
Nonemployees may also be threat actors. These may include strangers with criminal records, such as smugglers or pirates, or even terrorists. Some of these people are or were in a platonic or intimate relationship with an employee or third-party contractor.
Experts have identified a variety of motives used by employees and nonemployees to justify their violent actions. A 2012 article "Maritime Terrorism and Piracy" in Global Security Studies reports that many threat actors simply seek monetary gain for themselves or are reacting to a loss of economic stability. Other threat actors believe that they are victims of personal violations, such as stress from overwork, humiliation by a supervisor, loss of their job, or recent harm to their family, and seek revenge by spreading fear, distrust, and distress.
Still other perpetrators seek to make others aware of their political agenda. In some of these cases, they seek to harass or embarrass a particular government, as a means of influencing decisions of and legislation in that country.
The motives of threat actors may be solidified into action in one of several ways. The most typical route to a commission of crime, or radicalization to terrorism, is when someone from a minority group feels marginalized to the degree that avenues of change outside of crime or violence are no longer viewed as likely or possible, according to a 2005 study "The Staircase to Terrorism" in the American Psychologist.
In these cases, violence is perpetrated because the threat actor does not believe that the current situation could be improved through politics or laws. Often, these views are shared by family and friends, who sympathize with the victimized and disenfranchised in a society. Consequently, the threat actor's decisions and beliefs, including the belief that violence is not an immoral alternative to achieving certain goals, are influenced by the actor's friends and family, as argued in the 2014 book The Psychology of Terrorism by John Horgan. Moreover, by identifying with and joining other criminals or terrorists, the perpetrator stands to gain both social and psychological rewards, Horgan explains.
Tactics and Targets
Threats in the maritime environment are varied, and threat actors have targeted the maritime sector through a range of tactics. These include the use of containers to hide explosives, terrorists, or contraband; criminals and terrorists posing as employees; and cyberattacks involving ship navigation, cargo databases, and other systems, such as life support.
Cargo security. In the past, criminals and terrorists have often transported illicit items like weapons (and even weapons of mass destruction) using an innocuous-looking vessel such as a fishing trawler, according to the chapter "Applying Risk Assessment to Secure the Containerized Supply Chain" in the 2007 book Managing Critical Infrastructure Risks edited by Igor Linkov, Richard J. Wenning, and Gregory A. Kiker.
Terrorists can also target cargo security by tampering with a legitimate consignment or by assuming a legitimate trading identity and using it to ship a dangerous consignment. In terms of the former, there have been instances where terrorists hide in cargo containers to gain access to ports.
In 2004, for example, two terrorists in Israel hid inside a cargo container for several hours before an attack so they could bypass the extensive security procedures at the Ashdod Port. These terrorists were successful in detonating their explosive devices. Ten people were killed and 16 injured, according to the 2008 Police Executive Research Forum report, Protecting America's Ports: Promising Practices. This incident brought home the lesson that inadequate cargo security poses legitimate threats in the maritime sector.
Ship stability. However, ports are not the only vulnerable maritime environment. Another major concern is a container ship's stability–that is, the ability of a loaded ship to remain on an even keel. Because containers have different weights and sizes, the seafaring ability of the ship becomes compromised if the ship is not properly loaded, and it may even become damaged or capsize.
To avoid this, shippers use computers to perform a stability analysis shoreside, and the ship is then loaded according to a configuration consistent with the analysis, with a record sent to the crew before the ship leaves the port. Given this process, criminals may devise a method to hack this analysis during the loading process so that it produces a configuration that would ultimately leave the ship unstable, which could cause damage to the vessel and endanger the lives of the crew.
Fire suppressants. Another concern for container ships is fire. Ship containers located in holds (as opposed to above deck) are generally protected by large carbon dioxide fire suppression systems. As a suppressant, carbon dioxide has many virtues. It is odorless, it leaves no residue, and generally it will not damage cargo in any way. It also does not conduct electricity. But carbon dioxide also has a large liability–it is highly toxic to humans at the concentrations necessary to be deployed in the total flooding applications for which it is used.
To date, these stability and fire systems have not been exploited by threat actors, but accidents happen. According to the U.S. Environmental Protection Agency's report Carbon Dioxide as a Fire Suppressant: Examining the Risks, between 1975 and 2000 there were 20 incidents involving the accidental shipboard discharge of carbon dioxide fire suppression systems on nonmilitary ships in the United States and Canada that resulted in 19 deaths and 73 injuries. The automation of commercial ship systems could also be exploited by threat actors in the future, either electronically or by motivated individuals with knowledge of the systems.
Insider threat. Another security threat is posed by insiders. Many positions in the maritime sector are vulnerable to potential insider threats from those who obtain employment, or pose as an employee, with the malicious intent to access critical infrastructure. Harm may be caused by these real or impersonated employees in a port or on a ship, including those working as sanitation workers, cabin stewards, equipment operators, office administrators, and even security personnel. Such positions may be used for drug trafficking, human trafficking, smuggling, and even espionage, and they may be desirable for infiltration leading up to a terrorist attack.
Finally, cybercriminals can use malicious software or malware to gain access to maritime systems, modify data, and cause damage.
Cyberattacks can also be used to gain unauthorized access to systems and data. According to The Guidelines on Cyber Security Onboard Ships, issued in June 2017 by BIMCO—an international association of shipowners and operators—criminals, terrorists, foreign states, and insiders can use malware or hire others to hack and use malware to compromise port and ship cybersystems. These threat actors may target maritime communications, ship navigation, and cargo tracking systems.
For example, in Antwerp, Belgium, in 2013, hackers hired by drug traffickers gained unauthorized access into port systems that controlled the movement and location of containers and modified the data. This allowed drivers hired by the organized criminals to access the port and pick up cargo where the drugs were hidden.
Moreover, ships are increasingly using systems that rely on digitization, integration, and automation. That creates a need for more cyber risk management on board, according to BIMCO's new guidance. As technology continues to develop, information technology and operational technology onboard ships are being networked together and, more and more frequently, connected to the Internet.
This growing practice brings greater risk of unauthorized access or malicious attacks to ships' systems and networks. Risks may also occur when personnel access systems on board, such as by introducing malware via a piece of removable media.
Given these risks, the safety, environmental, and commercial consequences of not being prepared for a cyber incident may be significant. Responding to the increased cyberthreat, a coalition of international shipping organizations, with support from a wide range of stakeholders, came together to issue new BIMCO guidelines.
Currently, there is a range of security measures used for protection in the maritime sector. These measures include advanced tracking and notification systems, credentials for mariners, and the vetting of employees.
In addition, U.S. regulations such as the 24-Hour Advanced Manifest Rule (AMR) and the 96-Hour Advanced Notice of Arrival to the National Vessel Movement Center give appropriate government agencies the opportunity to intervene early to prevent criminal activities, including potential terrorist attacks.
Assessments and credentials. The U.S. Coast Guard (USCG) has taken a lead role in maintaining a risk assessment system that reviews top-secret elements to determine which ships may require boarding and extensive review before they are allowed entry into U.S. waters. The U.S. government also determines which foreign ports are unable to provide adequate measures to ensure that ships and cargo coming from those locales are reasonably secure. Sometimes, the government maintains a presence in these potentially problematic ports.
Under the treaties and customs of the maritime world, the International Maritime Organization's Safety of Life at Sea (SOLAS) has developed a series of measures to ensure confidence in the integrity of the credentials issued to mariners. Although the advent of Merchant Mariner Credentials, issued by the USCG, is mostly focused on safety rather than security, this is starting to change.
The USCG issues these credentials in accordance with the guidelines of the International Convention on Standards of Training. Two additional credentials include the certifications under the International Convention on Standards of Training, Certification and Watchkeeping for Seafarers, which is issued to U.S. seafarers to show evidence of a mariner's education, training, competencies, and proficiencies; and the Transportation Worker Identification Card, a tamper-resistant, biometric credential issued by the U.S. Transportation Security Administration, which is required to enter a secure area in a port or on a vessel in the United States.
These processes have allowed for greater scrutiny over mariners and other personnel who work in maritime centers, ports, and infrastructure projects.
Vetting. The security of U.S. ports, however, also depends on the depth of the vetting process for employees who have gained these credentials. According to the Seafarers International Union, if a foreign employee has met the necessary requirements of the International Convention on Standards of Training, Certification and Watchkeeping for Seafarers, he or she is permitted to work on a U.S. flag vessel if no other qualified U.S. crewman is available. There have been instances of improperly credentialed individuals that caused ships to be held in port for failing to meet safety standards, but not due to security risks. And, a captain may learn inadvertently that one of the employees on board is in fact a felon who bypassed the vetting system.
According to "Hiding Behind the Flag," a series of articles on the website of PBS Frontline in 2004, The Kingdom of Tonga as a Flag of Convenience country was closed for security reasons after it was found to be selling passports for as much as $60,000. Moreover, U.S. intelligence agencies believed that Tongan ships were part of Osama bin Laden's "navy." In 2002, Israeli commandos boarded a Tongan ship and found 50 tons of weapons on board.
Two more Tongan ships were later caught with illegal Pakistani immigrants on board carrying large quantities of cash, maps, and false passports. U.S. intelligence officials suspected links to al Qaeda; although the evidence of these links was never revealed. Shortly after these incidents, Tonga's cabinet closed the Ship's Registry, headquartered in Greece.
A final essential element of defense-in-depth measures is the emergency management plan. In the maritime sector, it is important to have different types of emergency management plans for mitigating hazards and vulnerabilities to ensure people's safety and reduce property losses. These emergency management plans include, but are not limited to, hazard awareness, emergency preparedness and response, evacuation, and risk communication.
The effective implementation of an emergency management plan requires that all involved have proper training and are given exercises to ensure the viability of existing plans. Unfortunately, this is not always the case. In April 2014, the Sewol ferry disaster in South Korea killed 304 people; nearly all of them schoolchildren. Even though the vessel took about three hours to sink, many of those on board never received evacuation orders, demonstrating a clear failure of the emergency management plan.
According to Fundamentals of Emergency Management, a book issued by the U.S. Federal Emergency Management Agency (FEMA) in 2006, there are three types of exercises—tabletop, functional, and full-scale—that may be used to train personnel in dealing with emergency situations. A tabletop exercise is conducted in the classroom or conference room and is based on a limited scenario that allows participants to provide a verbal description of possible responses to contingencies. The advantage of this type of exercise is that it allows the evaluator, usually the controller, to determine the staff's ability to resolve the problem.
A functional exercise tests one or more functions in an emergency plan in a field setting designed to approximate disaster conditions. Due to the complexity of a functional exercise, multiple evaluators are required to assess the staff's performance, and coordination among multiple evaluators is needed to verify satisfactory performance by the staff.
Finally, a full-scale exercise tests all aspects and all organizational participants in an emergency operation plan in a realistic field setting. Regardless of which type of training exercise used, effectiveness is determined by its ability to teach strategies to all the participants.
Plans, strategies, and exercises should not be stagnant. It is necessary to update all of these periodically. Modification should not wait for a scheduled time, because waiting to revise a strategy might prove to be disastrous. Threats are growing in number and complexity, and security must not fall behind in keeping up with them.
The process of assessing maritime risk, and risk acceptability, can be influenced by cultural or subcultural factors specific to a community of practice. For instance, The Netherlands faces a persistent threat of flooding. To adapt, the Dutch have developed a disaster subculture, or a set of cultural tools to deal with this recurrent hazard, according to the 2014 study "Flood Disaster Subcultures in The Netherlands" in the journal Natural Hazards.
In the study, the authors examined how two local communities in the Dutch lowlands developed a disaster subculture toward the prospect of flooding. Locals developed a range of early detection and mitigation tools that made them feel confident in their ability to respond. "Both communities are not afraid of flooding and feel experienced, prepared and knowledgeable enough to cope self-sufficiently," the authors write.
However, given the communities' past success with flood response, authorities also spread messages that reflect an "attitude of defiance," the authors write. For example, some officials communicated that by 2025, high-water levels will no longer be an issue, and residents will no longer have to worry about flooding. While that attitude does not dominate overall, it has become part of the disaster subculture.
Another example is the 2012 wrecking of the Costa Concordia cruise ship near the shore of the Isola del Giglio in Italy. The accident occurred when the ship's captain, while performing a sail-by salute (a slow passage of the ship close to shore, and a common cruise-industry subculture practice for showing off the ship and impressing local residents), hit a rock and killed 32 people.
Sail-by salutes have been part of the maritime culture since ancient times. However, this cultural practice does increase accident risk. Thus, the practice also illustrates the need for those in the maritime sector to consider human factors when making decisions about acceptable levels of risks and threats.
Even when emergency response plans are developed and tested, the reality is that there are situations faced by security and emergency managers that must be resolved through flexibility and improvisation. An unwillingness to be open to change and attentive to the social and physical environment may result in a failure to reduce risk.
The unfolding of an actual disaster often creates parameters that could never be included in a plan, particularly when the threat faced is new. For example, the waterborne evacuation of lower Manhattan following the 9/11 attacks was entirely improvised. This innovative method, as discussed in the 2016 book, American Dunkirk: The Waterborne Evacuation of Manhattan on 9/11 by James Kendra and Tricia Wachtendorf, encourages the reader to reconsider the relationship between planning and creativity.
The authors advocate for two concepts. One is a change in mindset so that improvisation is not considered the result of a plan failure, but instead as a method for getting acclimated to a changing social and technical environment.
The second concept is for more training designed to enhance creativity. Even though some people tend to be creative on their own, oftentimes their natural creativity is stifled.
Hence, security and emergency managers should embrace creativity and improvisation as tools that may be used to help minimize the consequences of any disaster.
Dr. Marie-Helen Maras and Dr. Lauren R. Shapiro are associate professors at the Department of Security, Fire, and Emergency Management at John Jay College of Criminal Justice. Drs. Lucia Velotti, Susan Pickman, Hung-Lung Wei, and Robert Till, all of John Jay College, contributed to this article.