Red Sky Alliance provides weekly Vessel Impersonation reports, Top 5 Maritime Indicators of Compromise (IOCs) and a Maritime Watchlist. These reports corroborate current findings from Naval Dome’s Boston-based North American operations that cyberattacks are directly targeting the maritime industry’s operational technology (OT) systems.
These attacks have increased by 900 percent over the last three years, with the number of reported incidents set to reach record volumes by the end of 2020. Addressing port and terminal operators and the connected transportation supply chain, the head of Naval Dome recently explained that in 2017 there were 50 significant OT hacks reported, increasing to 120 in 2018 and more than 310 in 2019. 2020 looks set to end with a count of 500+ major cybersecurity breaches. Many of these attacks will likely go unreported.
The year 2018 witnessed the first major maritime ports attacked with malware. The ports of Barcelona, Spain, and then San Diego, California, US, became victims. Next was the Australian shipbuilder Austal, followed by an attack on the Chinese shipper Cosco that took down half of its US network.
Information technology (IT) to OT connected networks just this year alone have seen US-based gas pipeline operators, which often connect to ports, and the shipping company MSC struck by malware. The MSC breach effectively shut down the shipowner’s Geneva, Switzerland headquarters for five days. A US-based cargo facility’s operating systems were infected with the Ryuk ransomware, showing supply chain vulnerabilities. In June of this year, OT systems at Iran’s Shahid Rajee port were hacked, restricting all infrastructure movements and creating a massive backlog. Some blame Israel for this cyber-attack. Some believe this was an advanced persistent threat (APT) level attack; regardless, it shut down a part of the international transportation supply chain. Intelligence derived from Iran, along with digital satellite imagery, proved the Iranian port was in disarray for several days. Dozens of cargo ships and oil tankers were observed waiting to offload, while long queues of trucks stretching for miles formed at the entrance to the port.
Reports of these maritime-related attacks have brought maritime cyber security to the forefront, increasing corporate and public awareness of the potential wider impact of cyberthreats on ports, IT/OT networks and connected transportation supply chains around the world.
Lloyd’s of London reported that the economic impact and cascading effect of a cyberattack on port infrastructure amounts to millions in lost revenue. They posit that if 15 Asian ports were simultaneously hacked, financial losses would be estimated at more than USD$110 billion. A sizable portion of the losses ‘may’ not be recovered through insurance policies, as OT system hacks are often not covered by policy.
Port IT and OT system networks connecting RTG unloading cranes, cargo handling, STS (ship to ship) cranes, traffic control and vessel berthing systems, and overall safety and security systems are under direct threat. The Internet of Things (IoT) has its challenges. Our friends and colleagues at Worldwide Technology (WWT) offer direct AI-based solutions to combat these vulnerabilities. WWT has systems built around IT and is geared to help port operators streamline and safeguard port access while increasing throughput pace. WWT is a provider of digital strategy, innovative technology, and supply chain solutions to large public and private organizations, and it is leveraging the power of computer vision to optimize the processing of containers.
The issue with many OT networks is that many systems do not have a “dashboard” like modern IT networks. OT operators may not know if an attack has even taken place. A physical system malfunctions, so it is reported as an OT irregularity such as a system error or system failure, or an operator will simply restart the system. Many operators believe they have their networks protected with traditional cybersecurity, but with firewalls and software often only protecting the IT side, the OT network remains vulnerable. An example provided by Naval Dome would be the installation of an antivirus system on a vessel bridge navigation system (ECDIS) or, alternatively, on a positioning system in a floating rig DP (dynamic positioning), or on one of the dock cranes on the pier side of the port. If attacked in a lateral move, the antivirus system would quickly turn out to be non-essential, impairing and inhibiting vessel or port system performance. Antivirus systems are simply irrelevant in places where the attacker is anonymous and discreet.
Operational networks, in contrast to information networks, are measured by their performance level. Their operation cannot be disconnected and stopped. An emergency state in these systems can usually only be identified following a strike, and by then the damage may be irreparable and irreversible, which is not good.
OT networks are thought to be protected, yet their protection is often inadequate: they are based on an industrial computerized system operating in a permanent state of disconnection from the network or, alternatively, connected to port systems and the equipment manufacturer’s offices overseas via RF radio communication (WiFi) or a cellular network (via SIM). Hackers love these avenues into systems.
If successful, hackers can access the cranes and the storage systems, and then penetrate the core operational systems through cellular connections, WiFi, and/or infected USB sticks. The maritime industry is moving toward greater use of networked, autonomous systems and more Internet-connected equipment (IoT) and technologies. This creates more vulnerabilities, more loopholes, and more direct threats.
Many researchers additionally expect cybercriminals, terrorists and rogue states to begin holding the maritime environment, including the supply chain, to damaging cyber ransom events. Imagine numerous ships in ports where criminal or state-sponsored hackers can easily override vessel systems connected to valves to initiate leaks and dump hazardous materials, ballast water or fuel oil, or worse, take over the vessel navigation controls. The same can occur inside the port operations itself.
Maritime professionals need to possess a solid understanding of the differences between the two spaces. There is a general disconnect between IT and OT security, and that is not good. In today’s systems, there is no segregation between the networks. Both need to work hand in glove. Hackers can penetrate on the OT side and then attack the IT side. This is happening while you read this report. Successful IT network hacks often have their origins in an entrance through the OT system.
Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice. However, external threats are often overlooked and can represent an early warning of impending attacks. Red Sky Alliance can provide internal monitoring in tandem with RedXray notifications on external threats, including botnet activity, public data breaches, phishing, fraud, and general targeting.
Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or email@example.com