After a string of cyberattacks affecting leading maritime companies like Maersk, CMA CGM and Cosco, cyber threats have become a top priority for maritime regulators. As nation-states and sector organizations pass measures to bolster the industry’s cyber resilience, shipowners and operators are often left scrambling to keep up. The 2021 deadline for compliance with the IMO resolution on cyber risk management is no different.
Are the threats real? How are owners and operators addressing cyber risks on vessels? And are these actions sufficient for certification and IMO compliance?
To learn more, TME spoke with Mission Secure, an OT cybersecurity leader helping clients in the maritime, defense, and other critical infrastructure industries stop OT cyber threats head-on. Mission Secure’s Don Ward, Senior Vice President of Global Services, and Weston Hecker, Senior Ethical Hacker, Researcher, and Penetration Tester, gave an inside view of what they see on the front lines as they help the industry manage cyber risks in day-to-day operations.
TME: Can you tell us what you’re seeing today in the cybersecurity threat environment?
Don: Maritime operators have been seeing serious threats in the position, navigation, and timing (PNT) arena. For example, one organization takes ships through the Strait of Hormuz and is constantly affected by GPS jamming signals; they’re very concerned that it could lead to a grounding, or at minimum, idling in place and stalling a voyage.
Most of our maritime clients are also concerned about the separation between the operational technology (OT) environments on the ships and the ship’s business (IT) network. In many cases, the owners of the vessel don’t have access to third-party operational technology networks. These are the networks designed by maritime equipment OEMs, and they control everything from water and electricity to ballast water and the main engines. Managing third-party vendors is a significant challenge for many operators.
Weston: The entire attack surface has had – no pun intended – a sea change over the last few years. Nation-state and non-state threat actors are becoming more and more active, and the ability to perform attacks remotely is increasing. Hackers can have custom malware developed, often by professional programmers who cross legal and moral boundaries. The threats are definitely escalating, and we saw that last year across the industry.
TME: Are the IMO 2021 cybersecurity requirements leading shipowners to address these vulnerabilities?
Don: Definitely. IMO released resolutions and guidelines in 2017 centered around integrating cyber risk management into ships’ safety management systems (SMS) by this year. The rule provides guidelines, but there’s a lot that one has to address. The big fear among shipowners is that they don’t have a full checklist of what it will take to achieve compliance.
We’re also seeing owners and operators looking to reconcile the IMO requirements that point to the major tenets of NIST with other industry standards/frameworks, like BIMCO, ISO 27001, and IEC 62443. There’s a lot of interest in addressing and mitigating cyber risks. Part of that is, of course, driven by compliance. But some companies are also using the opportunity to get ahead of cyber threats and make their operations resilient. The resulting actions range from multi-standard, deep-dive assessment and security architectures to full-blown 24/7 managed cybersecurity services, depending on the organization’s requirements.
TME: Can you tell us about what you do when you go aboard a ship and evaluate its security?
Don: We usually try to put a team on-site, both control systems experts and IT cybersecurity experts. We go aboard and do a full walk-down, tracking all cables and validating network diagrams, among other actions. It’s a comprehensive process covering technology but also processes and people. Interviews with the crew and reviewing plans and incident response flow are just as important as looking at the network architecture.
And we often find that systems that were supposed to be on an island — for example, cargo management systems — were improperly back-connected to the rest of the ship’s network with serial or other network connections back-ended into engineering workstations and HMIs. We’ve noticed that often the network infrastructure for switches and wireless access points might have been chosen and deployed over time in an ad hoc manner, without regard to standardization, and often involving three or four different vendors — all contributing to more Product Security Incident Response Teams (PSIRTs) and unpatched attack surfaces. They might have multiple vendors for the same technology, like firewalls, and some of these vendors provide consumer-grade rather than enterprise-grade equipment.
There are also physical vulnerabilities that anyone who boards the vessel could compromise — unlocked equipment cabinets, sticky notes with passwords, modifications to cabling, and other physical avenues of attack. Crew members also bring in their own technology, like streaming or Roku devices, wireless access points, and wireless printers and mice, which can be easily hacked, and sometimes, those devices will circumvent the firewall between the IT and OT networks.
Weston: I can’t stress enough how many times I’ve gotten into a network by hacking a wireless printer. That’s one of the most significant points of exploitation that we come across on ships. Wireless keyboards and mice are also very vulnerable. By hijacking a wireless mouse connection, I can inject keystrokes and commands into a target computer and potentially even capture the user’s keystrokes — including usernames and passwords.
We’ve also seen vulnerabilities in wifi repeaters designed to expand the ship’s wireless networks. The operator will install subpar repeaters, and I’m able to spoof my way onto those networks. In some cases, it’s possible to gain access from up to a quarter of a mile away from the ship using directional wireless capabilities. The attack surface is massive, and these comprehensive assessments identify the holes and weaknesses.
TME: How do you get crew buy-in when you go in to do an assessment?
Don: That’s certainly a challenge throughout the industry. Let’s say that the CISO or CIO approves the assessment plan. When you get on the ship, the entire crew may be looking at you and thinking, “Why are you here? I’m not doing anything; I’m not going to allow you access.” For any company doing assessments, you need to have free and open access, and you want to have the comfort to talk to personnel on board and understand their workflow. Do they have an incident response plan or a cybersecurity plan in place? If you don’t get honest answers, you can’t provide a holistic picture back to your customer.
That’s where having both control systems OT experts and IT cybersecurity experts comes into play. Our OT experts know precisely what’s going on because they had the same mentality when IT teams would enter their plant or facility – don’t mess anything up, stop things from running, etc. Cybersecurity and operations still have an IT versus OT mentality. It’s necessary to bring those two groups together to get buy-in and make progress – or at least establish a level of trust to complete an accurate, thorough assessment. Our diverse team and multi-faceted skillset have allowed us to bridge that gap for organizations.
TME: How do you help the customer to reduce their risk?
Don: It varies by the company, their requirements and their cyber maturity level. But our objective with every customer is to get them past merely visibility and detection stages to a point where they’re able to actually protect their operations and stop OT cyber threats. An analogy I use often is that a security camera will tell you you’re being robbed, but a security guard will stop it. We help create that security guard for operations.
In action, we often start with an assessment to help the client understand their current cyber posture. Then, we prepare a secure cyber architecture design that allows for greater protection — more segmentation of the IT and OT networks and the building of enclaves. We help the customer transition to a zero-trust model that eliminates enterprise-centric or consumer-centric multicast or broadcast protocols and a running list of other vulnerable and easily hacked protocols. For example, by implementing a white-listing rule set and using firewalls and intrusion prevention technology, you can eliminate many unauthorized devices and programs from production control systems.
The third-party OT networks are often most challenging and cannot be done right away. These networks are all behind the vendor’s own “iron curtains” — the vendor won’t allow you in, and they void the warranties on their equipment if you go in and attempt to patch a vulnerability yourself. Sometimes the only way to address these vulnerabilities is to install a “virtual patch” through deploying in-line OT/IT firewalls/IPS systems to isolate a third-party vendor’s control network. That’s also part of what we cover with the Mission Secure Platform.
Many of our clients have larger fleets. For sister ships, we often assess one vessel of each type (i.e., LNG/LPG, FSRUs, Drillships, Tankers) and come up with a secure architecture, and then they move forward and apply that design to the other ships in the same series.
TME: How easy is it to achieve significant improvements?
Don: In a typical process with a maritime customer, if they can get 50 percent of what we recommend addressed, they are in a much better position. Many of the actions are cyber hygiene best practices; upgrade some of the network infrastructure — the switches, the routers, the wifi — to something enterprise-grade, or patch their existing products. However, the need to continue to “virtually patch” through the deployment of Purdue Level 0 to 3.5 visibility, detections, and protections will always be necessary for almost all OT/ICS environments.
Weston: Our remediation advice is very actionable. We know the limitations of shipboard equipment because some of our technicians have set them up for the last 25 years. They know the specifics of those systems, their engineering, and how they have changed over the years. We come up with a usable and realistic plan for the shipowner.
TME: How can you help shipowners who are investing in new vessels?
Don: In the case of a first-in-class newbuild, we go straight into a secure architecture design process; there’s no need to do any pen-testing because it’s a brand new infrastructure. And often, the same design can be used for the whole series. This is ideal because security can be built in from the start, and then owners and operators just need to monitor and maintain their operation like one would with safety.
We’ve also had a couple of customers that have built new sister ships in a vessel series that we’ve already assessed and designed a secure cyber architecture for. They just incorporated some of the changes that we’ve suggested previously into the newbuilds.
TME: Seaports aren’t covered by the IMO guidelines, but are you seeing interest from port operators as well?
Don: In the U.S., ports are considered critical homeland security infrastructure. Many of them have cranes that can be hacked and cargo management and transportation systems that could cause economic damage if they were compromised. Or they could infect vessels coming to their port. Even though the IMO guidelines don’t cover them directly per se, ports are considered critical supporting infrastructure, and many ports we’re working with want to ensure they’re doing their part as well. It’s vital to their business and clients – ship operators.
Weston: During the COVID-19 pandemic, many ports reduced their IT and OT staff; the operators we’ve been talking to are worried because they’ve lost some critical skillset and functions. Some operators even lost some background knowledge about how assets or systems are set up in their facilities. Currently, part of what ports need is help in getting their documentation right. For industrial, defense, and critical infrastructure operations, we’re uniquely qualified to help because we have teams with the experience, certifications, and clearances to work on docks and industrial equipment. Not a lot of pen-testing or security companies have that capability.
TME: What about the seaports that are making plans to switch their OT systems to 5G?
Weston: Especially when you’re an early adopter, it’s essential to get good advice. When the project is not properly managed, the new network might be built with security loopholes from the outset, just because of loose configurations and a “security through obscurity” approach; I’ve seen that firsthand. But if it’s set up properly, it’s amazing how much security you can build in from the beginning. We have years of in-house experience in cellular network design and can provide that guidance.
Don: As an example, we have one port project focused on a brand new port expansion, and they have the foresight to incorporate defense-in-depth from the start. Expertise is essential in setting up these new port systems. For example, some of these networking products’ default settings rely on an unmanaged IPv6 communications protocol. We find that all the time, and that’s an easy attack vector.
TME: What are the biggest risks you’re looking at going forward?
Don: We’re particularly concerned about malware and ransomware. Again, the number of third parties on these vessels amplifies the threat. The vessel itself might be secure, but you’ve got multiple SSL-encrypted tunnels that are coming into the ship and going to each of the third-party networks. This is an avenue of attack for a hacker.
The third parties’ technicians can also create serious problems if they make a mistake. We saw one situation where an OEM tech was working on a shipboard network remotely and tried to close a valve. It nearly caused a spill. The Mission Secure Platform can force authentication, then track, audit, and log third-party activity to manage this risk.
We also consider more deliberate insider threats. A nation-state could pay crewmembers or technicians to plug in a device or apply a “patch” that could propagate an advanced persistent threat. You can see from the recent SolarWinds attack in the enterprise space how serious this danger might be. There’s a massive concern in the maritime industry with control system vendors, those third parties, being impacted by something similar to SolarWinds.
I tell all of our customers that we try to protect against four types of threats: you from the outside, you from you, you from your third parties on the ship, and the third parties from each other. At a minimum, we try to create barriers around and between the third-party networks so that if there is damage, it’s localized and controlled. Cybersecurity is an ongoing journey, but with new technologies and digital transformation, it’s really table-stakes now to be cyber secured and resilient.
This post is sponsored by Mission Secure. To help owners, operators, and ports learn more about complying with the 2021 IMO cyber risk management guidelines, Mission Secure has created an IMO regulatory overview. This regulatory overview summarizes key parts of the IMO 2021 cybersecurity measures, complete with cross-references to ISO/IEC 27001 and the Guidelines on Cyber Security on Board Ships. For more information, please visit https://www.missionsecure.com/imo-cyber-risk-management-regulatory-overview.