A new U.S. Coast Guard Cyber Command report on cybersecurity trends in the maritime environment said the significance of cyber hygiene, detection, and response “grew exponentially” last year due to a 68 percent increase in reported maritime cyber incidents and USCG efforts to ensure maritime facilities are complying with cyber regulations.
A cyber attack on the port environment can compromise physical facility access control systems; manipulate terminal and gate operating systems to leak sensitive supply chain data or to facilitate smuggling or cargo theft; stop port operations by compromising the terminal headquarters; compromise operational technology systems such as cranes in a way that leads to loss of life or property; tamper with positioning, navigation, and timing (PNT) so that vessels cannot safely navigate a port; and compromise shipboard systems with impacts to safety or cargo.
U.S. Coast Guard Cyber Command’s (CGCYBER) first Cyber Protection Team (CPT) — deployable special forces that assess threats and vulnerabilities, identify the presence of adversaries on networks and systems, and respond to cyber incidents — attained full operational capability in May 2021, with the second team following in November 2021. CGCYBER’s Maritime Cyber Readiness Branch (MCRB), tasked with translating “cybersecurity details into measurable operational risk,” investigated 47 cybersecurity incidents in 2021 “including several large-scale incidents affecting multiple organizations at once.”
“Though the number of reported incidents has increased 68% from 2020 (28 total incidents), MCRB believes many other incidents go undetected or unreported,” the report notes.
The maritime environment incidents reported to the Coast Guard in 2021 included phishing at sectors Guam, Columbia River, Los Angeles/Long Beach, Corpus Christi, Houston/Galveston, Mobile, Charleston, Maryland/NCR, New York, and New England, as well as MSU Port Arthur. Ransomware was reported at sectors Columbia River, Los Angeles/Long Beach, New Orleans, Virginia, Delaware Bay, Maryland/NCR, Long Island Sound, and New England. Sector Puget Sound reported an incident related to authorized access, while Columbia River reported a suspected snitch device. Sector Delaware Bay reported an AIS spoof.
“Cyber-criminals are now using more advanced tactics, techniques, and procedures (TTPs) including focused ransomware attacks in multi-extortion style campaigns with hopes of ensuring a higher, more guaranteed payout,” the report said. “Rather than hitting a broad range of targets, cyber criminals have evolved to focus ransomware attacks on higher value targets.”
The three most popular ransomware-as-a-service variants targeting the maritime transportation system in 2021 were Maze, Sodinokibi, and Ryuk.
“Nation state malicious cyber actors (MCAs) typically abuse zero-day vulnerabilities and known exploitations,” the report continued. “Zero-day vulnerabilities are vulnerabilities disclosed or discovered without an available patch or update to remediate the vulnerability. MCAs often use zero-day vulnerabilities in their initial attack vector to avoid detection. Nation state MCAs abuse Virtual Private Servers (VPS) and web shells to avoid detection and circumvent host system security in order to gain access to the victim networks. MCAs use these techniques within the MTS to increase the probability of successfully exploiting an intended victim.”
Phishing, for which industries within the maritime environment such as logistics and shipping saw “slight increases” last year, “remained the most prevalent means by which MCAs delivered malicious code” in 2021, and both nation-state actors and cyber criminals “will very likely continue to use phishing emails to gain initial access to victim networks.”
As of last October, Maritime Transportation Security Act-regulated facilities are under requirements to address cyber vulnerabilities. “This policy brought with it new cyber competency expectations for industry facility security officers and Coast Guard facility inspectors,” the report noted. “Coast Guard facility inspectors will review cybersecurity plans submitted by facilities. They will also incorporate cybersecurity reviews when conducting security inspections.”
Maritime transportation system partners “fully remediated two-thirds of all exploitable findings on publicly facing systems and 45% of all internally exploitable findings within six months of a CPT Assess mission,” USCG said. “They also partially remediated an additional one-sixth of publicly facing and 43% of internally accessible findings within this 6-month window.”
Out of publicly exploitable findings, 14 had been fully mitigated as of the six-month follow-up, two had accepted the risk of the finding, three were false positives, and three had taken no action to date. Out of internally exploitable findings, 53 had been fully mitigated at the six-month check-in time, 46 had been partially mitigated, five accepted the risk of the findings, and eight had taken no action to date.
Common findings included credentials that were easy to guess — including passwords of “admin,” “PASSWORD,” or “1234” — or easy to crack, such as “123456,” “password1,” “abc123,” or “iloveyou.” Other issues included weak password policies, use of open mail relay servers, poor patch management, outdated operating systems or applications that did not support updates, elevated service account privileges, and non-essential use of elevated access.
CGCYBER mitigation recommendations to vulnerable entities included changes in password policies, privileged account management, network segmentation, multifactor authentication, vulnerability scanning, software updates, user training, and disabling or removing a feature or program.
The report noted that the recommendation to change password policies to require more length and complexity met the most user resistance, even though it carried the lowest cost of all the mitigations.
“Despite widespread frustration with the use of passwords from both a usability and security standpoint, they remain a very widely used form of authentication,” the report stated. “Humans, however, have only a limited ability to memorize complex, arbitrary secrets, so they often choose easily guessed passwords.”
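A minimal check implementing the password-policy mitigation described above: a length requirement, a character-class requirement, and a denylist seeded with the weak passwords the report cites, with normalization so trivial variants (capitalization, trailing digits, common character substitutions) still match. This is an added example, not code from the Coast Guard report; the 14-character minimum and the substitution table are assumptions.

```python
import re

# Denylist constructed from the passwords the report names as easy to guess or
# crack. A real deployment would load a much larger breached-password list.
DENYLIST = {"admin", "password", "1234", "123456", "password1", "abc123", "iloveyou"}

# Assumed policy values: the report asks for "more length and complexity"
# without specifying numbers.
MIN_LENGTH = 14
MIN_CLASSES = 3  # of lowercase, uppercase, digit, symbol

# Assumed substitution table for common letter look-alikes (e.g. "P@ssw0rd").
_LEET = str.maketrans("@0$3", "aose")


def _base_form(pw):
    """Normalize a candidate so variants of a denylisted word still match:
    lowercase, strip trailing digits/symbols, undo common substitutions."""
    s = re.sub(r"[\d\W_]+$", "", pw.lower())
    return s.translate(_LEET)


def check_password(pw):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(
        bool(re.search(pat, pw))
        for pat in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    )
    if classes < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} of 4 character classes")
    if pw.lower() in DENYLIST or _base_form(pw) in DENYLIST:
        problems.append("matches a known weak password")
    return problems


def audit(passwords):
    """Map each failing password to its violations (passing ones are omitted)."""
    return {pw: probs for pw in passwords if (probs := check_password(pw))}
```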