Maritime Shipping Is Badly Exposed

A recent US Coastguard safety alert issued  caught the attention of the broader maritime industry, from the US Navy to multinational shipping companies. The alert documented an incident in February where a deep draft vessel on an international voyage sailed into the Port of New York and New Jersey with its shipboard network impaired from an active cyber-attack. 
 
The team of cyber experts who responded to the incident found that “although the malware significantly degraded the functionality of the onboard computer system, essential vessel control systems had apparently not been impacted.” 
 
Not surprisingly, they also found that the vessel was “operating without effective cyber security measures in place, exposing critical vessel control systems to significant vulnerabilities.”
 
Cyber Pirates and Zombie Ships
The maritime industry has been discussing how emerging attack surfaces could increase the risk of cyber-attacks capable of crippling ships, or even potentially hijacking autonomous vessels at sea, and the incident brought those conversations to the forefront.
 
Key public and private interests have been actively aware of the challenges created by increasingly connected and automated vessels, and together they have done a good job of engaging with cyber-security vendors to address emerging risks for connected hull, mechanical and electrical (HM&E) systems. However, there is a glaring area of vulnerability on the port management side that has not been fully discussed or addressed: connected systems at our nation’s ports.
 
Rise of the Robo Harbor-Master
Port authorities manage the flow of ships in and out, and the flow of cargo off and on each of those ships. Currently, these processes are primarily human directed, an incoming ship will typically check in with a harbormaster and its freight is signed for on paperwork. 
 
It’s a process rife with inefficiencies, and nations and cities are actively working to automate port systems.
The key is establishing identity and tying that identity to the supply chain, taking images of each ship’s serial number, then attaching that marker to its cargo, the dockworker checking it in, and down the chain to the truck that pics up each container. 
Most of the IoT systems now being put in place to digitise these process have not been built with security in mind and are very easy to penetrate.
 
If those systems can be compromised, then high-risk security events could happen, such as having a bad actor tell the system to permit specific containers to pass through a port unsearched. This is how a lot of contraband gets into the country.
With great connectivity comes great risk
 
In order to secure port authorities, two significant challenges must first be addressed.
 
1. Port operations typically fall under municipalities and are governed with fixed, low budgets, meaning they lack the spend and manpower to manage the kinds of dynamic threats that arise through automating processes. The technology costs of automating processes are high, but ports are increasingly able to justify the spend by pointing to what will be saved through the resulting efficiency improvements. 
 
What ports frequently fail to recognise is that the skillset needed to manage the complexity that comes with such a move frequently look very different than what staff can manage. 
 
2. There is great potential for efficiency by marrying the identity of a ship to its cargo to the dockworker checking it in to the truck picking up the cargo, but linking those together is very difficult. The only way to do it is through automation, but that connectivity creates a lot of risk that ports are ill-equipped to deal with. 
 
Cyber security risks aside, there is no framework for establishing accountability throughout the process. Who will be responsible for making sure what is in a container remains in that container?
 
Today, there are no standards and no oversight organisation tasked with creating a standardisation process.
 
Interconnected Systems require Zero Trust
Digital transformation requires all systems and sensors to be interconnected to achieve the desired business automation. The approach to interconnecting these on a shared network should use a ‘zero trust’ approach to segmenting network connectivity. 
 
HelpNetSecurity
 
You Might Also Read:
 
Cyber-Attacks On Maritime Oil Tankers:
 
 
« Extra-Terrestrial Hacking
Proactivity Is Key To Effective Cybersecurity »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

BackupVault

BackupVault

BackupVault is a leading provider of completely automatic, fully encrypted online, cloud backup.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Open Networking Foundation (ONF)

Open Networking Foundation (ONF)

The Open Networking Foundation (ONF) is a non-profit operator led consortium driving transformation of network infrastructure and carrier business models.

ISE Talent

ISE Talent

ISE Talent is an executive search and talent management firm dedicated exclusively to Information Security Executives.

Cyber Command

Cyber Command

Our Managed IT service allows clients to offload the management of day-to-day computer, server, and networking support to our team of professionals.

aeCERT

aeCERT

aeCERT is the national Computer Emergency Response Team for the United Arab Emirates.

Santa Monica Networks (SMN)

Santa Monica Networks (SMN)

Santa Monica Networks specializes in providing secure solutions for data networks and data centers.

Conceptivity

Conceptivity

Conceptivity provide risk management solutions in the areas of Supply Chain Security, Cyber Security and Critical Infrastructure Protection.

CyberOwl

CyberOwl

CyberOwl's early warning system uses a probabilistic framework to systematically aggregate uncertain and disparate security events to provide real-time visibility of threats to every asset.

Onspring

Onspring

Onspring is the cloud-based platform of choice for governance, risk and compliance (GRC) teams and business operations experts across multiple industries.

Physec

Physec

Physec offers innovative security products and solutions for the Internet of Things ecosystem.

Anglo African

Anglo African

Anglo African is an information technology firm providing end-to-end solutions to different industries, from IT Infrastructure to DataCom as well as Cloud & InfoSec services.

Wise-Mon

Wise-Mon

Wise-Mon is expert in its field of network monitoring and control. We give solutions to huge organizations with tens of thousands of ports, as well as small companies with one switch.

RHEA Group

RHEA Group

RHEA Group offers aerospace and security engineering services and solutions, system development, and technologies including cyber security.

Accelerator Frankfurt

Accelerator Frankfurt

Accelerator Frankfurt is an independent go-to-market program focused on Fintech, Cybersecurity and Digital B2B startups.

Dynics

Dynics

The Dynics ICS-Defender is an Industrial Control System Security Appliance for OT or OT/IT convergent environments.

Cardonet

Cardonet

Cardonet is an IT Support and IT Services business offering end-to-end IT services, 24x7 IT Support to IT Consultancy, Managed IT and Cyber Security.

Stacklet

Stacklet

Stacklet provides cloud governance as code platform that accelerates how Global 2000 manages its security, asset visibility, operations, and cost optimization policies in the cloud.