Evolving Cyber Threats On The Open Seas

“A ship is safe in the harbor, but that’s not what ships are for” – William G.T. Shedd

Surprisingly enough, the maritime industry is becoming increasingly reliant on technology and data, which brings increased cyber risks. Convincing shipowners that information security is worth the investment is challenging because security is an investment in long-term profitability.

Modern vessel navigation and propulsion systems, integrated cargo handling and container tracking systems at ports and on board ships, and shipyard inventories and automated processes are all controlled using software that is fundamental to business operations. Highly skilled threat actors have demonstrated the ability to penetrate the systems used by the maritime industry, with potentially disastrous consequences.

The Cybeta business threat intelligence team provides the following overview of information security compliance in the maritime industry, emerging threats from nation-state actors and organized criminals, and maritime cybersecurity risk management.

Maritime Shipping Global Compliance

Many shipowners underestimate cybersecurity regulations, which will hurt them financially. In 2011, the European Union Agency for Cybersecurity assessed that maritime cybersecurity awareness was “low to non-existent” and that the focus of nearly all security measures was on physical systems. This assessment was borne out in 2017, when one of the industry’s highest-profile cyber-attacks hit container shipping company Maersk. In the days after Maersk was hit, the company estimated that its losses might run up to US$300 million.

In June 2017, the International Maritime Organization (IMO) adopted Resolution MSC.428(98) – Maritime Cyber Risk Management in Safety Management Systems. Furthermore, the IMO approved guidelines on cyber risk management, which focus on identifying the systems, data, and capabilities that pose a risk to operations.

The IMO has given shipowners and managers until 2021 to incorporate cyber risk into ships’ safety management systems. Owners risk having ships detained if they have not included cybersecurity in the ISM Code safety management on ships by 1 January 2021.

The point about regulations is that security should be top of mind, with a mandate from senior management. With growing customer demand for faster, more streamlined services that afford integrated, end-to-end logistics, shipping organizations are facing increasing pressure to operate more efficiently due to overcapacity and the global market, and are leaving out security.

Bigger and More Significant Threats on the Horizon

The majority of cyber-attacks were driven by an attempt to obtain personal or financially sensitive data. As threat actors continue to look for security gaps, the attack surface of shipowners continues to expand. We can divide the attack surface into two significant areas:

  1. The threat to maritime vessels.
  2. The threat to the ports and automated shipping manifest.

We differentiate vessels because vessels are the top priority for every shipowner. This is the asset that makes money for the shipowner and must be protected. These are the common vulnerabilities found on onboard systems:

  1. Obsolete and unsupported operating systems;
  2. Outdated or missing antivirus software and protection from malware;
  3. Inadequate security configurations and best practices, including ineffective network management and the use of default administrator accounts and passwords;
  4. Shipboard computer networks that lack boundary protection measures and network segmentation;
  5. Safety-critical equipment or systems always connected with the shore side;
  6. Inadequate access controls for third parties, including contractors and service providers.

Nation-State Actors Targeting Shipping Companies to Circumvent Sanctions

There is a broad range of reasons to hack a ship; one reason is extortion. Intelligence collection dating back to at least 2014 provides detailed coverage of the significant nation-state threat actors, such as China and the DPRK, that continue to exploit the maritime industry. Campaigns by Chinese threat actor TEMP.Periscope (aka Leviathan) used a combination of unique and open source tooling to target the maritime and defense industries for espionage purposes.

According to a 2019 Insikt Group intelligence report, experts assess with high confidence that a blockchain scam was conducted on behalf of North Korea against a maritime shipping target. A blockchain application called Marine Chain Platform was supposedly an asset-backed cryptocurrency that enabled the tokenization of maritime vessels for multiple users and owners. Marine Chain is part of a network of enablers throughout the world that assist North Korea in circumventing international sanctions. Users on deep and dark web forums pointed out that www.marine-chain.io was a near mirror image of another site, www.shipowner.io.

What makes Marine Chain stand out from common cryptocurrency or blockchain scams is that employees of the shipping company have been connected to Singaporean companies that have assisted North Korean sanctions circumvention efforts since at least 2013.

These connections to the Marine Chain Platform mark the first time this vast and illicit network has utilized cryptocurrencies or blockchain technology to raise funds for the DPRK government. Broadly, these types of cryptocurrency scams fit the template of the low-level financial crime described by defectors that has plagued South Korea for years, and that the international community is just beginning to track.

Maritime Cyber Risk Management

The goal of maritime cyber risk management is to support safe and secure shipping. Threat intelligence professionals recommend continuous threat analysis that identifies threats that are presented by malicious actions (e.g., hacking or the introduction of malware) or the unintended consequences of benign actions (e.g., software maintenance or user permissions).

The exposure or exploitation of vulnerabilities in information technology systems could result from inappropriate connection to operational technology systems or from procedural lapses by operational personnel or third parties, which may compromise these systems (e.g., improper use of removable media such as a memory stick).

A maritime cyber risk assessment physically tests and assesses the Information Technology (IT) and Operational Technology (OT) systems on board. Its elements include:

  1. Identification of existing technical and procedural controls to protect the onboard IT and OT systems.
  2. Identification of IT and OT systems that are vulnerable, the specific vulnerabilities identified, including human factors, and the policies and procedures governing the use of these systems (the identification should include searches for known vulnerabilities relevant to the equipment, the current level of patching and firmware updates).
  3. Identification and evaluation of key shipboard operations that are vulnerable to cyber

Defending Ship Technology

Cybeta analysts recommend that shipowners and port security apply in-depth vulnerability assessment techniques to critical segments of the software that controls container shipping and the terminal operating system (TOS). For the most part, shipboard networks do not pose a significant risk until they are targeted by attackers who aim to compromise the operational networks.

As technology develops, particularly the interconnectivity of devices and applications, risk by association is amplified, and understanding cyber trends is critical. Good threat intelligence practice is as much about awareness of affiliates’ risk exposure as it is your own.

Cybeta has designed unique ways to stay informed in this aspect of the threat landscape. Maritime Cyber Risk assessments allow threat intelligence teams to analyze and segregate vulnerable technologies while still being able to see trends from cyber attackers and methods across the entire threat landscape.

Sources:

Compliance

Link to article: https://www.darkreading.com/risk/first-eu-report-on-maritime-cyber-security/d/d-id/1136845

IMO Link: http://www.imo.org/en/OurWork/Security/Guide_to_Maritime_Security/Pages/Cyber-security.aspx

Threat Resources:

Marine Chain Link: https://www.ibtimes.com/marine-chain-was-north-korean-cryptocurrency-scam-says-report-2727750

Coast Guard Link: https://www.dco.uscg.mil/Portals/9/DCO%20Documents/5p/CG-5PC/INV/Alerts/0619.pdf