On average, the U.S. Coast Guard issues between ten and twenty safety alerts annually. Alerts tend to function more as public service announcements designed to raise awareness of common hazards and risks and to remind Coasties of best practices. But one safety alert issued July 8 caught the attention of the broader maritime industry – from the U.S. Navy to multinational shipping companies to shipbuilders.
The alert documented an incident in February where a deep draft vessel on an international voyage sailed into the Port of New York and New Jersey with its shipboard network impaired from an active cyberattack. The team of cyber experts who responded to the incident found that “although the malware significantly degraded the functionality of the onboard computer system, essential vessel control systems had not been impacted.”
Not surprisingly, they also found that the vessel was “operating without effective cybersecurity measures in place, exposing critical vessel control systems to significant vulnerabilities.”
Cyber pirates and zombie ships
The maritime industry has been discussing how emerging attack surfaces could increase the risk of cyberattacks capable of crippling ships – or even potentially hijacking autonomous vessels at sea – and the incident brought those conversations to the forefront.
Key public and private interests have been actively aware of the challenges created by increasingly connected and automated vessels, and together they have done a good job of engaging with cybersecurity vendors to address emerging risks for connected hull, mechanical and electrical (HM&E) systems.
However, there is a glaring area of vulnerability on the port management side that has not been fully discussed or addressed: connected systems at our nation’s ports.
Rise of the robo harbormaster
Port authorities manage the flow of ships in and out, and the flow of cargo off and on each of those ships. Currently, these processes are primarily human directed – an incoming ship will typically check in with a harbormaster and its freight is signed for on paperwork. It’s a process rife with inefficiencies, and nations and cities are actively working to automate port systems.
The key is establishing identity and tying that identity to the supply chain – taking images of each ship’s serial number, then attaching that marker to its cargo, the dockworker checking it in, and down the chain to the truck that picks up each container. Most of the IoT systems being put in place to digitize this process were not built with security in mind and are very easy to penetrate.
If those systems can be compromised, then high-risk security events could happen, such as having a bad actor tell the system to permit specific containers to pass through a port unsearched. This is how a lot of contraband gets into the country.
With great connectivity comes great risk
In order to secure port authorities, two significant challenges must first be addressed.
1. Port operations typically fall under municipalities and are governed with fixed, low budgets, meaning they lack the spend and manpower to manage the kinds of dynamic threats that arise through automating processes. The technology costs of automating processes are high, but ports are increasingly able to justify the spend by pointing to what will be saved through the resulting efficiency improvements. What ports frequently fail to recognize is that the skillset needed to manage the complexity that comes with such a move frequently looks very different from what staff can manage. A port’s security team may just be an IT person who has read a few books or completed a security certification course online, and with highly skilled IT and security professionals in high demand, the right workers are usually out of reach due to the noted budget constraints.
2. There is great potential for efficiency by marrying the identity of a ship to its cargo to the dockworker checking it in to the truck picking up the cargo, but linking those together is very difficult. The only way to do it is through automation, but that connectivity creates a lot of risk that ports are ill-equipped to deal with. Cybersecurity risks aside, there is no framework for establishing accountability throughout the process. Who will be responsible for making sure what is in a container remains in that container? Today, there are no standards and no oversight organization tasked with creating a standardization process.
Interconnected systems require zero trust
Digital transformation requires all systems and sensors to be interconnected to achieve the desired business automation. Interconnecting these on a shared network should follow a ‘zero trust’ approach to segmenting network connectivity. Combined with high-assurance, authenticated identity, ports can ensure that anyone who gets on a network can’t go beyond where they are permitted.
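A minimal sketch of that combination, added here as an illustration and not taken from the Coast Guard alert or any port system: every request is authenticated against the caller's identity, then checked against a default-deny allow-list of segment and action. The identities, keys, segment names, actions and container ID are constructed, and per-identity HMAC keys are an assumption standing in for whatever high-assurance credential a port would actually deploy.

```python
import hashlib
import hmac
import json

# Constructed identities, keys, segments and actions (placeholders only).
KEYS = {
    "gate-camera-07": b"constructed-key-camera",
    "dockworker-112": b"constructed-key-dockworker",
    "customs-officer-3": b"constructed-key-customs",
}
ROLES = {
    "gate-camera-07": "iot_sensor",
    "dockworker-112": "dockworker",
    "customs-officer-3": "customs",
}
# Allow-list of (role, segment, action); anything not listed is denied.
POLICY = {
    ("iot_sensor", "yard-telemetry", "report_container_id"),
    ("dockworker", "cargo-checkin", "check_in_container"),
    ("customs", "customs-hold", "release_without_search"),
}

def _mac(key, identity, segment, action, container):
    # JSON list encoding keeps field boundaries unambiguous under the MAC.
    msg = json.dumps([identity, segment, action, container]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def sign(identity, segment, action, container):
    """Client side: authenticate a request with the caller's own key."""
    return _mac(KEYS[identity], identity, segment, action, container)

def authorize(identity, segment, action, container, tag):
    """Policy point: verify identity first, then apply default deny."""
    key = KEYS.get(identity)
    if key is None:
        return (False, "unknown identity")
    expected = _mac(key, identity, segment, action, container)
    if not hmac.compare_digest(expected, tag):
        return (False, "authentication failed")
    if (ROLES[identity], segment, action) not in POLICY:
        return (False, "denied by default")
    return (True, "allowed")

if __name__ == "__main__":
    req = ("gate-camera-07", "customs-hold", "release_without_search", "CONT-0001")
    # A compromised camera holds a valid key, yet cannot reach the customs action.
    print(authorize(*req, sign(*req)))
```

Because the container ID is covered by the MAC, a tag issued for one container cannot be replayed against another, and each denial reason is a distinct event worth logging.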
The Coast Guard Alert has served as a valuable wake-up call, but as tempted as the maritime industry is to focus on the potential for more dynamic, headline-grabbing attacks – like cyber pirates hijacking autonomous container ships and turning them into zombie vessels – there are more critically important near-term challenges at the world’s ports that must be solved.