If there is one universal truth we have learned from developments on the cybersecurity landscape in recent years, it is that none of us are free from cyberthreats. Attackers identify and exploit vulnerabilities wherever they might exist, regardless of the target’s geographic location, whether the target is an individual or an enterprise, or which industry sector the target represents. By the same token, attackers are equally capable of wreaking havoc whether their target is based on land or sea. Considering that more than 70 percent of the earth is covered by water, and an expanding attack surface for the vessels journeying across those waters, and cybercriminals have no shortage of maritime targets that they can aim to exploit.
Unlike many of the modern sectors of our digital economy on which cybercriminals have set their sights, the maritime industry has been around for centuries. Ships and other seafaring vessels might not seem like natural targets for cybercriminals, but the array of potential access points on modern vessels – such as internet connectivity, the use of industrial control systems and satellite and radio communication systems – present growing opportunities for cybercriminals to pursue. Expect the maritime attack surface to continue to expand given momentum toward a future in which autonomous ships will be a prominent piece of the maritime landscape, underscoring the growing reliance on interconnected information systems.
New methods of attack on the high seas
A wide range of methods exist for those who seek to target maritime vessels, including:
- Extortion/ransomware for allowing the vessel to restore operations
- Digital piracy by shutting down the vessel
- Espionage for obtaining sensitive information that can be used by competition
- Defamation/litigation by causing ISPS Code incompliance/delaying the vessel/causing disruption
- Terrorism causing vessel collision/hazard to ports/other ships
- (H)Activism for conveying a message
These possibilities are not merely theoretical. The US Coast Guard recently warned that unidentified hackers attempted to gain access to ships’ electronic systems to steal sensitive information and disrupt ships’ computer systems. The impact of these kinds of attacks can be enormous. Consider such disturbing possibilities as attackers manipulating passenger lists to allow for illegal transports, illegally leaking data about sensitive cargo transports and potentially even causing engines to explode or vessels to shut down by manipulating industrial control systems. When it comes to maritime threats, not only are sensitive digital assets at risk, but the possibility exists of cyberattacks leading to physical security incidents that could lead to large-scale losses of life. Needless to say, these are sobering scenarios. Just as pirates have been a feared threat to ship personnel for centuries, now and in the future, those in the maritime industry have to worry about attackers who are equally menacing but can imperil their missions and safety without risking a physical confrontation.
A shift in mindset
A recent article published by the Center for International Maritime Cybersecurity shined a spotlight on shortcomings in the US Navy’s cybersecurity posture, drawing upon an independent review that was completed in March. Essentially, it was noted that a shift in mindset is required to direct more attention and resources toward preparedness for cyberwar. The article states that, “Ultimately, the objective should be a Sailor who understands cyber hygiene and proper use of the network as a primary on-the-job tool, just as well as any Soldier or Marine knows his or her rifle. Sailors go to sea aboard complex warships with integrated networked systems that run everything from Hull, Mechanical, and Electrical (HM&E) systems to combat systems and weapons employment. The computer is our rifle, why shouldn’t we learn how to use it more safely and effectively?” Given the considerable resources available to the US military, it is fair to assume that many of the world’s smaller nations face an even more glaring challenge in readying their navies and maritime operations for the emerging threats they face at sea.
Fortunately, there are many avenues available to those in the maritime sector to safeguard the people, cargo and other resources on which they depend. After first taking stock of the organization’s cybersecurity capabilities and gaps in preparedness, some of the most important next steps should include devising an updated ship security plan, appropriate training of the crew and employees and tracking implementation progress through periodic audits.
It is essential that all entities that operate in the maritime sector – whether private organizations or military units – commit themselves to taking stock of their cybersecurity maturity and then putting the policies and procedures in place to address their vulnerabilities. This is an overlooked component of the cybersecurity ecosystem that is in urgent need of greater attention in both the public and private sectors. There may be nothing new about the need for ships to deliver cargo or patrol their country’s coasts, but the threats they are increasingly likely to encounter, invisible to any telescope, have placed the age-old maritime sector in uncharted waters.
Editor’s note: This blog post originally appeared in CSO.