Maritime Shipping Is Badly Exposed

A recent US Coastguard safety alert issued  caught the attention of the broader maritime industry, from the US Navy to multinational shipping companies. The alert documented an incident in February where a deep draft vessel on an international voyage sailed into the Port of New York and New Jersey with its shipboard network impaired from an active cyber-attack. 
 
The team of cyber experts who responded to the incident found that “although the malware significantly degraded the functionality of the onboard computer system, essential vessel control systems had apparently not been impacted.” 
 
Not surprisingly, they also found that the vessel was “operating without effective cyber security measures in place, exposing critical vessel control systems to significant vulnerabilities.”
 
Cyber Pirates and Zombie Ships
The maritime industry has been discussing how emerging attack surfaces could increase the risk of cyber-attacks capable of crippling ships, or even potentially hijacking autonomous vessels at sea, and the incident brought those conversations to the forefront.
 
Key public and private interests have been actively aware of the challenges created by increasingly connected and automated vessels, and together they have done a good job of engaging with cyber-security vendors to address emerging risks for connected hull, mechanical and electrical (HM&E) systems. However, there is a glaring area of vulnerability on the port management side that has not been fully discussed or addressed: connected systems at our nation’s ports.
 
Rise of the Robo Harbor-Master
Port authorities manage the flow of ships in and out, and the flow of cargo off and on each of those ships. Currently, these processes are primarily human directed, an incoming ship will typically check in with a harbormaster and its freight is signed for on paperwork. 
 
It’s a process rife with inefficiencies, and nations and cities are actively working to automate port systems.
The key is establishing identity and tying that identity to the supply chain, taking images of each ship’s serial number, then attaching that marker to its cargo, the dockworker checking it in, and down the chain to the truck that pics up each container. 
Most of the IoT systems now being put in place to digitise these process have not been built with security in mind and are very easy to penetrate.
 
If those systems can be compromised, then high-risk security events could happen, such as having a bad actor tell the system to permit specific containers to pass through a port unsearched. This is how a lot of contraband gets into the country.
With great connectivity comes great risk
 
In order to secure port authorities, two significant challenges must first be addressed.
 
1. Port operations typically fall under municipalities and are governed with fixed, low budgets, meaning they lack the spend and manpower to manage the kinds of dynamic threats that arise through automating processes. The technology costs of automating processes are high, but ports are increasingly able to justify the spend by pointing to what will be saved through the resulting efficiency improvements. 
 
What ports frequently fail to recognise is that the skillset needed to manage the complexity that comes with such a move frequently look very different than what staff can manage. 
 
2. There is great potential for efficiency by marrying the identity of a ship to its cargo to the dockworker checking it in to the truck picking up the cargo, but linking those together is very difficult. The only way to do it is through automation, but that connectivity creates a lot of risk that ports are ill-equipped to deal with. 
 
Cyber security risks aside, there is no framework for establishing accountability throughout the process. Who will be responsible for making sure what is in a container remains in that container?
 
Today, there are no standards and no oversight organisation tasked with creating a standardisation process.
 
Interconnected Systems require Zero Trust
Digital transformation requires all systems and sensors to be interconnected to achieve the desired business automation. The approach to interconnecting these on a shared network should use a ‘zero trust’ approach to segmenting network connectivity. 
 
HelpNetSecurity
 
You Might Also Read:
 
Cyber-Attacks On Maritime Oil Tankers:
 
 
« Extra-Terrestrial Hacking
Proactivity Is Key To Effective Cybersecurity »

CyberSecurity Jobsite
Check Point

Directory of Suppliers

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

BeOne Development

BeOne Development

BeOne Development provide innovative training and learning solutions for information security and compliance.

Silent Breach

Silent Breach

Silent Breach specializes in network security and digital asset protection. Services include Pentesting, Security Assessments, Incident Detection & Response, Governance Risk & Compliance.

e2e-assure

e2e-assure

e2e Protective Monitoring and Security Operations Centre (SOC) Service is a complete cyber defence service to protect your critical assets from cyber attacks and GDPR breaches.

Thinkst Applied Research

Thinkst Applied Research

Thinkst is an Applied Research company with a deep focus on information security.

Zettaset

Zettaset

Zettaset’s XCrypt Data Encryption Platform delivers proven protection for Object, Relational/SQL, NoSQL, and Hadoop data stores…in the cloud and on-premises.

Asseco Group

Asseco Group

Asseco Poland stands at the forefront of the multinational Asseco Group. We are a leading provider of state-of-the-art IT solutions in Central and Eastern Europe.

Ekran System

Ekran System

Ekran System is an advanced insider threat detection solution for companies of any size.

CERT.lu

CERT.lu

CERT.lu is an initiative to enhance cyber security practices and techniques, and support security professionals in Luxembourg.

Women in CyberSecurity (WiCyS)

Women in CyberSecurity (WiCyS)

Women in CyberSecurity (WiCyS) is a non-profit organization dedicated to the recruitment, retention and advancement of women in the cybersecurity field.

Sompo International

Sompo International

Sompo International is a global specialty provider of property and casualty insurance and reinsurance services including Cyber & Network Risk.

NARIS

NARIS

NARIS is the leading provider of an integrated Governance, Risk and Compliance platform called NARIS GRC.

Cerby

Cerby

Your team uses unmanageable applications that put you, your company, and your data at risk. Protect, secure, and accelerate your business automatically with Cerby.

GoTo

GoTo

At GoTo we help people and businesses to connect and collaborate simply and securely – from anywhere. We’re the trusted partner for companies of all sizes.

Modern Networks

Modern Networks

Modern Networks is a leading provider of IT managed services to the UK’s commercial property sector and medium sized enterprises.

RADICL

RADICL

RADICL's mission is to give SMBs that serve America's Defense Industrial Base (DIB) access to strong, enterprise-grade cyber security protection.

Lighthouse IT

Lighthouse IT

At Lighthouse IT, we are focused on delivering seamless and reliable services to unlock the value of technology for your business.