maritime-blackboxes-FB-1-1-e1609964241469-1.jpg

Report outlines deep cybersecurity challenges for the public/private seagoing sector.

The White House has released cybersecurity guidance for securing the Maritime Transportation System (MTS), which operates along 25,000 miles of coastal and inland waterways in the United States.

The document points out that the MTS encompasses “361 ports, 124 shipyards, more than 3,500 maritime facilities, 20,000 bridges, 50,000 Federal aids to navigation, and 95,000 miles of shoreline that interconnect with critical highways, railways, airports and pipelines.” In addition, there are more than 20 Federal government organizations that currently have a role in maritime security of all stripes, ranging from vessel and personnel safety to transportation standards and logistics.

2020 Reader Survey: Share Your Feedback to Help Us Improve

In all, this footprint contributes one quarter of all United States gross domestic product, or approximately $5.4 trillion, according to the Feds.

Maritime Challenges

Applying good cybersecurity to the seagoing sector is a complex process plagued with challenges. The report enumerates several of these, starting with the fact that it’s a diverse ecosystem “with businesses of all sizes leveraging IT and [operational technology] OT systems that interconnect with larger maritime systems. Users across the maritime sector access key data and management systems daily for business purposes, making secure access control and user monitoring difficult.”

To boot, different public and private entities own and operate these interconnected systems, and common cybersecurity standards do not exist across facilities. Some of the entities also lack appropriate resources or expertise to implement appropriate cybersecurity frameworks even if a common approach were defined.

“Cybersecurity within some ports and facilities is situational, ad-hoc and often driven by profit margins and efficiency,” reads the report. “Unless the private sector has a clear understanding of current and future maritime cybersecurity threats and a financial incentive to invest in maritime cybersecurity measures, some private sector entities may not be inclined to align with maritime partners or allies.”

Additionally, some of the MTS footprint relies on outdated telecommunication infrastructure, threatening the ability for MTS stakeholders to “protect digital information, the network and to detect when malign actors are attempting to access protected systems,” the report warned.

The danger here is real; researchers have previously identified the prevalence of Windows XP and Windows NT within critical ship control systems, including IP-to-serial converters, GPS receivers or the Voyage Data Recorder (VDR), which thus tend to be easily compromised. Researchers at Pen Test Partners found that with the ability to infiltrate networks on-board shipping vessels (think satcom hacking, phishing, USB attacks, insecure crew Wi-Fi, etc.), capsizing a ship with a cyberattack is a relatively low-skill enterprise.

Previous research has shown that other concerning attacks are possible as well, such as forcing a ship off-course or causing collisions. The issue with remediating the dismal state of maritime security is a lack of clearly defined responsibility for security, according to the researcher.

Maritime Cybersecurity Mitigations

To correct and mitigate maritime cybersecurity threats going forward, the report advocates the implementation of standardized risk frameworks across the MTS, security requirements for suppliers and contractors, vulnerability audits, information-sharing policies and more.

The recommendations start with establishing an OT risk framework that provides a standard for “insurers, facility and/or vessel owners and shippers to share a common risk language and develop common OT risk metrics for self-assessments.” This is a framework that the Feds will provide guidance on, and the report said that will include an international port OT risk framework based on the input from domestic and international partners, according to the advisory.

It also addressed third parties, and said that “the United States will strengthen cybersecurity requirements in port services contracts and leasing. To limit adversarial opportunity, contracts or leases binding the United States Government and private entities must contain specific language addressing cyber risk to the MTS. The private sector owns and operates the majority of port infrastructure.”

The report added, “Port services such as, but not limited to, loading, unloading, stacking, ferrying or warehousing Federal cargo requires cybersecurity contracting clauses to safeguard the flow of maritime commerce, MTS users and our economic prosperity.”

In addition, the report prescribes an examination of critical port OT systems for cyber vulnerabilities, but it doesn’t specify a role for the federal government. Instead, the report noted that the maritime sector should glean cybersecurity best practices from other critical infrastructure sectors.

The Feds will, however, establish a cyber-forensics process for maritime investigations.

“The United States will design a framework for port cybersecurity assessments,” according to the report. “Developing and deploying cyber-forensics for all major marine casualties and mishaps, when a maritime cyber-effect cannot be ruled out, is paramount.”

And finally, the report addresses the cybersecurity skills gap.

“DHS, through the United States Coast Guard, in coordination with other applicable departments and agencies, will develop cybersecurity career paths, incentives, continuing education requirements and retention incentives to build a competent maritime cyber-workforce,” the report reads, “…and will encourage cybersecurity personnel exchanges with industry and national laboratories, with an approach towards port and vessel cybersecurity research and application.”

Supply-Chain Security: A 10-Point Audit Webinar: Is your company’s software supply-chain prepared for an attack? On Wed., Jan. 20 at 2p.m. ET, start identifying weaknesses in your supply-chain with actionable advice from experts – part of a limited-engagement and LIVE Threatpost webinar. CISOs, AppDev and SysAdmin are invited to ask a panel of A-list cybersecurity experts how they can avoid being caught exposed in a post-SolarWinds-hack world. Attendance is limited: Register Now and reserve a spot for this exclusive Threatpost Supply-Chain Security webinar — Jan. 20, 2 p.m. ET.

 

Source: threatpost


2021-01-11_21h33_57-1200x647.png

President Trump has released the “National Maritime Cybersecurity Plan,” which sets forth how the United States government will defend the American economy through enhanced cybersecurity coordination, policies and practices, aimed at mitigating risks to the maritime sub-sector, promoting prosperity through information and intelligence sharing, and preserving and increasing the nation’s cyber workforce.

President Trump designated the cybersecurity of the Maritime Transportation System (MTS) as a top priority for national defense, homeland security, and economic competitiveness in the 2017 National Security Strategy. The MTS contributes to one quarter of all United States gross domestic product, or approximately $5.4 trillion. MTS operators are increasingly reliant on information technology (IT) and operational technology (OT) to maximize the reliability and efficiency of maritime commerce. This plan articulates how the United States government can buy down the potential catastrophic risks to our national security and economic prosperity created by technology innovations to strengthen maritime commerce efficiency and reliability.

The National Maritime Cybersecurity Plan unifies maritime cybersecurity resources, stakeholders, and initiatives to aggressively mitigate current and near-term maritime cyberspace threats and vulnerabilities while complementing the National Strategy for Maritime Security. The Plan identifies government priority actions to close maritime cybersecurity gaps and vulnerabilities over the next five years.

This Administration continues to defend American workers and American prosperity while strengthening our national security. President Trump has taken numerous steps to bolster cybersecurity measures, promote American workers, defend American technology, and lead the world in technological innovation. Today’s release furthers the President’s successes at bridging the private and public technological and industrial sectors to benefit the American people and protect the American way of life.

Source: whitehouse


maritime-cybersecurity-plan-unveiled-showcase_image-8-a-15713.jpg

Maritime transportation systems increasingly rely on IT and OT, which can create vulnerabilities, the plan notes.

“The proliferation of IT across the maritime sector is introducing previously unknown risks, as evidenced by the June 2017 NotPetya cyberattack, which crippled the global maritime industry for more than a few days,” the plan states.

The U.S. relies on ocean-based commerce for about 25% of its gross national product. The plan is designed to help protect the nation’s network of 25,000 miles of coastal and inland waterways, 361 ports, 124 shipyards, more than 3,500 maritime facilities, 20,000 bridges, 50,000 federal navigation aids and 95,000 miles of shoreline.

“The National Maritime Cybersecurity Plan unifies maritime cybersecurity resources, stakeholders and initiatives to aggressively mitigate current and near-term maritime cyberspace threats and vulnerabilities while complementing the National Strategy for Maritime Security,” says National Security Adviser Robert O’Brien .

The plan, which is designed to unify maritime cybersecurity resources and close defensive gaps, will be reassessed every five years.

Citing a lack of specialists in this field, the plan calls for investing in the training of maritime cybersecurity specialists in port and vessel systems. This will include developing career paths for those who choose this profession along with continuing education and retention incentives.

Uniform Standards

A top priority, according to the plan, is for the government to encourage the use of uniform cybersecurity standards by the 20 federal agencies that have a role in maritime security. These agencies are responsible for vessel and personnel safety, transportation standards, physical security and other maritime industry activities.

“The NSC staff, through the policy coordination process, will identify gaps in legal authorities and identify efficiencies to de-conflict roles and responsibilities for MTS cybersecurity standards,” the plan states.

The plan also calls for the U.S. Coast Guard to analyze and clarify the 2016 and 2020 cybersecurity reporting guidance for maritime stakeholders. The Coast Guard also should collect maritime cyber incident reports to identify trends and attack vectors and then share that information with others, the plan says.

The Department of Defense and Homeland Security should work together to examine whether critical port operational technology systems have cybersecurity vulnerabilities, the plan states. Because a framework for conducting such an assessment does not exist, the plan calls for basing maritime audits on practices in other sectors.

“For example, the Department of Energy conducts small-scale vulnerability testing to protect electrical power generation and distribution OT systems. Similarly, maritime OT systems would benefit from vulnerability inspections. Findings from these audits may inform cybersecurity mitigation and remediation for MTS users,” the plan says.

Information and Intelligence Sharing

The plan also calls for the Coast Guard, the U.S. Cybersecurity and Infrastructure Security Agency and the FBI to work together to create a list of cybersecurity issues that can then be shared with domestic and international partners in the maritime industry.

It also calls for the creation of a mechanism for government agencies to share unclassified, and when possible, classified information to protect maritime IT and OT networks with all those in the maritime industry.

Source: govinfosecurity


reimar-adobe-stock-115677.jpeg

As the Trump administration in the US draws to a close, the President has released a new ‘National Maritime Cybersecurity Plan’ detailing how the United States government will aim to defend the cybersecurity of the maritime sector through enhanced coordination, policies and practices, aimed at mitigating risks and increasing the nation’s cyber workforce.

The cybersecurity of the Maritime Transportation System (MTS) was listed as a top priority in the 2017 US National Security Strategy. The MTS contributes to one quarter of all United States gross domestic product, or approximately $5.4 trillion, with the new plan addressing the potential catastrophic risks to security and economic prosperity that could be created by maritime cyber vulnerabilities.

“The American people elected me on the promise to make America great again. I promised that I would protect American interests and promote the welfare and economy of our great citizens,” writes President Trump, in the plan’s introduction.

“During my first year in office, I designated transportation and maritime sector cybersecurity as a priority for my administration. In keeping with my promise and this priority, I am continuing to promote the second pillar of the national security strategy, promote American prosperity, by approving the national maritime cybersecurity plan.”

“The national maritime cybersecurity plan explains how my administration will: defend the American economy by establishing internationally recognized measures of risks to the maritime sub-sector and standards to mitigate those risks; promote prosperity through information and intelligence sharing; and preserve and increase our great nation’s cyber workforce.”

The Plan aims to unify US maritime cybersecurity resources, stakeholders, and initiatives to mitigate current and near-term maritime cyberspace threats and vulnerabilities while complementing the National Strategy for Maritime Security, identifying government priority actions to close maritime cybersecurity gaps and vulnerabilities over the next five years.

The full US National Maritime Cybersecurity Plan can be downloaded here.


carabay-adobe-stock-116339.jpeg

A new report warns of increasing cybersecurity threats to the maritime industry. The Global Maritime Consultants Group’s (GMCG) Marine Cyber Security white paper, published on December 24, warns of attacks which may originate via email, denial of service, impersonation or various other means and sets out measures that the maritime industry can take to protect against and prevent such attacks.

The industry has recognized cybersecurity as a major threat and to some extent is playing catch-up with other industries, particular when compared to other forms of transportation. To help address the need for increased action against cyber attacks, the International Maritime Organisation (IMO) has introduced a new code which from January 1 2021 requires ship owners and managers to assess cyber risk and implement relevant measures across all functions of their safety management system.

GMCG warns that one of the simplest ways of threatening and corrupting a ship’s system is for an employee to open an infected email. “In doing so it can cause the recipient of the targeted email to become an infected member of the maritime supply chain. This can then result in the electronic virus being downloaded and passed on through the systems associated with the ship, its land-based operations and often with financially crippling effects. Most of these fraudulent emails are designed to make recipients hand over sensitive information or trigger malware installation on shorebased or vessel IT networks.”

The report says the first step for ship owners is to have a recognized plan that identifies cybersecurity objectives that are relevant for safe ship operations. “These checks and balances should also encompass anyone connected with the ship’s operations, both in-house and external. It is also vital to create an inventory list of all safety and business-critical systems and software which will be needed in the first instance to define and create a cyber risk assessment.”

Communication systems, ship propulsion and power control systems, cargo management systems, passenger services, and the ship’s bridge system are all vulnerable areas and the report also recommends ensuring that public network connections are kept entirely separate from the ship’s and maritime land-based networks.

A coalition of maritime organizations* recently updated a set of cybersecurity guidelines for the industry. Issued in December, the fourth version of the Guidelines on Cyber Security Onboard Ships includes general updates to best practices in the field of cyber risk management, and as a key feature, includes a section with improved guidance on the concept of risk and risk management. The improved risk model takes into consideration the threat as the product of capability, opportunity, and intent, and explains the likelihood of a cyber incident as the product of vulnerability and threat.

“In recent years, the industry has been subjected to several significant incidents which have had a severe financial impact on the affected companies,” said Dirk Fry, chair of BIMCO’s cyber security working group and Director of Columbia Ship Management Ltd.

“While these incidents have had little or no safety impact, they have taught us some very important lessons which have been incorporated into the new version of the guidelines,” added Fry.

*The following organizations produced the fourth edition of Guidelines on Cyber Security Onboard Ships: BIMCO, Chamber of Shipping of America, Digital Containership Association, International Association of Dry Cargo Shipowners (INTERCARGO), Interferry, International Chamber of Shipping (ICS), INTERMANAGER, International Association of Independent Tanker Owners (INTERTANKO), International Marine Contractors’ Association (IMCA), International Union of Marine Insurance (IUMI), Oil Companies International Marine Forum (OCIMF), Superyacht Builders Association (Sybass), and World Shipping Council (WSC).

Source: hstoday


CMA-CGM-at-night_Sh2-768x432.jpg

The White House on Tuesday rolled out a plan to secure the nation’s maritime sector against cybersecurity threats that could endanger national security.

The plan, which was compiled in December but made public this week, lays out the Trump administration’s plans for defending the maritime transportation sector against cybersecurity threats.

The sector is involved in around a quarter of the nation’s gross domestic product.

ADVERTISEMENT

The three goals of the plan include establishing international standards defining threats to the maritime sector, enhancing intelligence and information sharing around these threats and increasing the nation’s cyber workforce for the maritime sector.

The plan is meant to address new threats from the increased use of new information technology and operational technology systems in the sector.

“The National Maritime Cybersecurity Plan demonstrates my commitment to promoting American prosperity by strengthening our cybersecurity,” President Trump wrote in a statement included in the plan. “This is a call to action for all nations to join us in protecting the vital maritime sector that interconnects us.”

National security adviser Robert O’Brien said in a statement Tuesday that the plan would help the federal government “buy down the potential catastrophic risks to our national security and economic prosperity” created by the reliance of the maritime sector on new technologies.

“This Administration continues to defend American workers and American prosperity while strengthening our national security,” O’Brien said. “President Trump has taken numerous steps to bolster cybersecurity measures, promote American workers, defend American technology, and lead the world in technological innovation.”

ADVERTISEMENT

“Today’s release furthers the President’s successes at bridging the private and public technological and industrial sectors to benefit the American people and protect the American way of life,” he added.

Priority actions included in the national security plan include prioritizing the training of cybersecurity specialists in port and vessel systems, sharing government information with private sector groups involved in the maritime sector, prioritizing maritime intelligence collection and developing a “cyber-forensics process” for investigating cyberattacks involving the maritime sector.

The National Security Council will oversee the completion of these priorities, and will reassess the plan at least once every five years.

“The United States is a maritime Nation that depends on a robust, integrated, and secure maritime transportation system to support our economic prosperity, provide for our national defense, and connect the United States economy with the global market,” the plan reads. “Technology innovation develops at a pace faster than that which global maritime security can maintain, creating low-cost opportunities for malicious actors.”

The sector has already been targeted by hackers. The Coast Guard put out an alert in late 2019 that a ransomware intrusion at a facility regulated under the Maritime Transportation Security Act forced the facility to shut down for 30 hours after disrupting camera and physical access control systems, along with the entire corporate IT network at the facility.

The plan was also rolled out as the federal government continues to grapple with one of the largest cyber incidents in U.S. history, with the majority of federal agencies and the U.S. Fortune 500 companies compromised by Russian hackers as part of an attack on IT group SolarWinds.

The Department of Defense, which houses the Navy, and the Department of Homeland Security, which oversees the Coast Guard, were among the agencies impacted by the incident.

Source: thehill


magnifier-adobe-stock-116301.jpeg

The Ports and Maritime Organization of Iran announced in a statement that its information technology experts have thwarted a cyberattack targeting the electronic infrastructures of the Iranian ports.

All missions and activities of the Ports and Maritime Organization are going on normally, the statement added, noting that online services are being provided to prevent any disruption to the freight services or loading and unloading operations even for a moment.

Last month, an official said the export of non-oil commodities in the first half of the current Iranian year via the southeastern port city of Chabahar has risen by 95 percent compared to the corresponding period a year earlier.

Chabahar is the closest and best access point of Iran to the Indian Ocean and Iran has devised serious plans to turn it into a transit hub for immediate access to markets in the northern part of the Indian Ocean and Central Asia.

Source: tasnimnews.com


Mopic-680x0-c-default.jpg

With greater than 90 percent of all global trade tonnage transported by sea and vital global energy networks, maritime infrastructure has never been more essential and yet also more at risk. In just the last two weeks, there have been several high-profile attacks on the maritime industry, with both the fourth largest global shopping company and the International Maritime Organization (IMO) targeted.

To dive deeper on this topic, we asked seven experts—including several who spoke at a recent Scowcroft Center for Strategy and Security event on maritime cybersecurity—about these threats and how policymakers can help protect against them:

 

What are the most vulnerable aspects of our maritime infrastructure? What makes them such attractive targets?

 

“When compared to commercial IT, the technologies used within the maritime sector illustrate the difficulties new sectors have to adapt to the Internet of Everything (IoE). Like many other sectors, the maritime sectors used to develop stand-alone software and hardware, inherently “limiting” the risks to internal threats. The new IoE paradigm, however, proves that it is challenging to securely design, develop, and operate a fully connected environment. Current GPS, ECDIS, and AIS systems have demonstrated various vulnerabilities in the last couple of years. So in order for the maritime environment to develop and operate in a secure fashion, it will be essential to have an overall view of the supply chain, from third party manufacturer to the people operating and maintaining the equipment. This view should further evolve over the lifetime of the equipment, with updates, upgrades, and training.

“In its current state, the maritime industry is a prime target due the many moving parts of ports and vessels, the increasing attack surface (e.g. adding connectivity to devices that had never been thought to be connected), the current lack of security and privacy by design, as well as the inadequacy of cyber-security training. Furthermore, with the industry quickly bridging the gap between IT and Operational Technology (OT), we may soon see wide-spread vulnerabilities impacting the maritime sector as a whole.”

Dr. Xavier Bellekens, Lecturer and Chancellor’s FellowInstitute for Signals, Sensors, and Communications,University of Strathclyde

 

From a government standpoint, what can the US government do to incentivize the maritime industry to invest more in cybersecurity?

 

“I believe that the most impactful things the US government can do to incentivize maritime industry investments in cybersecurity are:

  • Promote robust, real-time, maritime-specific cyber threat and incident information sharing between maritime industry stakeholders, and between those stakeholders and the US government (and vice versa), when appropriate.
  • Share cybersecurity threat intelligence with cleared maritime industry stakeholders.

I believe that these two measures are critically important as, currently, maritime industry executives have limited information about cybersecurity threats that other companies have experienced. Only by sharing cybersecurity threat and incident information widely with and between maritime companies can their senior executives gain a clear appreciation of the collective threats and potential financial and national security impacts of failing to adequately invest in IT and OT infrastructure improvements and other cybersecurity enhancement measures. Having this complete cybersecurity threat picture is key to making corporate cost-benefit decisions on increased investments in cybersecurity, and to ensuring that those investments achieve the best possible cybersecurity protections.”

Cameron Naron, Director, Office of Maritime Security, Maritime Administration, US Department of Transportation

 

What kind of players exist in the maritime industry and what role should they play in driving improved cybersecurity outcomes?

 

“The challenges in driving improvement in cybersecurity programs within the global maritime industry result from the many links in the marine transportation system and the personnel at each of these links. With enhanced technology, the interconnectivity—while improving the efficiency of the system itself—also presents multiple nodes which provide opportunities for cyberattacks. Looking at the system as a whole and starting at the most basic level, the vessel and its systems, interconnected within the ship and interfaced with shore management, is the basic building block. Key links to and from the vessel include shore management (ship owner, operator, or charterer), government agencies requiring electronic reporting of vessel information, third-party contractors including classification societies, vendors, technical service providers, and port and terminal authorities. Simply put, in an ideal world, the entire logistics chain is interconnected and provides stakeholders real-time information essential to scheduling and decision making. Integrating cybersecurity programs at each interface is critical as is also the education of personnel at each interface. In such an integrated system, the cybersecurity programs are only as good as the weakest link, making it critical that all links in the logistics chain collaborate in establishing robust programs, properly training personnel and maintaining the operational efficiency necessary for all parts to work as one.”

Ms. Kathy MetcalfPresident and Chief Executive Officer, Chamber of Shipping of America

 

Cyber-attacks on maritime infrastructure can be especially alarming because of potential compounding effects. What lessons can be taken from other sectors to help better protect maritime infrastructure from systemic threats?

 

“Three opportunities for maritime to build on the cybersecurity lessons learned by others jump out. First, from the energy sector, how to monitor and alert on malicious system behaviors in technology without a great deal of computing head room left for big commercial IT security applications. Second, from the US financial sector, the importance of regular and realistic joint exercises to build confidence in the collaborative links between stakeholders and raise awareness of channels for cascade failure between them. Third, from the telecommunications sector, how some companies have approached repeated adversarial events as an issue of resilience—building flexibility, capacity to adapt, and deep system expertise as a means of operating through failure rather than endlessly seeking to prevent it.”

Trey Herr, Director, Cyber Statecraft Initiative, Scowcroft Center for Strategy and Security, Atlantic Council

 

What was your biggest takeaway from the Atlantic Council panel conversation? How does it align with what you see as the biggest threat to maritime cybersecurity that needs to be tackled?

 

“Sustaining a safe, secure, and resilient marine transportation system is foundational to our economic and national security. When we consider evolving risks in the cyber domain, the maritime sector is on par with other more widely recognized sectors, like finance and energy, in terms of the potential for significant consequences. As we have seen from recent incidents, the maritime industry’s growing dependence on continuous network connectivity and converging layers of information and operational technology make it inherently vulnerable to cyber threats.

“The first step for the maritime industry is to recognize that cyber risk management is not an administrative function that can be left solely to company IT professionals, but rather a strategic and operational imperative that must be managed at the C-suite level. We also need to recognize that cyber security is a team sport; no single public or private entity has the capabilities, authorities, resources, and partnerships to do it alone, so information sharing and collaboration are essential to managing this risk.”

Captain Jason P. TamaCommander, Sector New YorkCaptain of the Port of New York and New Jersey, United States Coast Guard

 

How does cyber insecurity in civilian maritime infrastructure impact military readiness and capabilities? Why should the cybersecurity of our commercial fleets be a priority for the US government and the Department of Defense (DoD)?

 

“While cyber insecurity in civilian maritime infrastructure has not yet been a hindrance to force projection, it could be in the future, given the right set of circumstances. In the past, we have operated under the assumption of an uncontested homeland and uncontested passage. However, exploring the asymmetric level of effort required for successful cyber-attacks juxtaposed against the damage they may cause, has forced a re-evaluation of whether our infrastructure and routes will remain uncontested in the future. Because the Army relies on the civilian maritime industry to move equipment, when US forces need to be sent overseas quickly, minor delays throughout our civilian critical infrastructure could have a ripple effect on the deployment timeline. The cybersecurity of commercial fleets should be a priority for the US government and DoD because disruptions or delays to military deployments could jeopardize our ability to maintain stability and to support our allies and partners.”

Dr. Erica Mitchell, Critical Infrastructure/Key Resources Research Group Leader, Army Cyber Institute, West Point; Assistant Professor in the Electrical Engineering and Computer Science Department, West Point

 

How can we help better enable and operationalize the Maritime industry to ensure that cybersecurity is not only understood, but also prioritized? 

 

“First, to understand and prioritize cybersecurity, persistent visibility into organizations’ own networks, assets, and critical third-party integration must be achieved. This is the spectrum of attack surfaces that requires the same continual monitoring and awareness that we have practiced for centuries at sea: inspections of cargo holds and machinery spaces, watertight enclosures and hatches, and material conditions throughout the vessel to ensure seaworthiness. An understanding of network architecture, what is connected, when it connects, and who may be required to connect is an imperative. Real-time knowledge of business, vessel, and marine terminal networks and technologies presents the greatest power of information to empower stakeholders because what belongs and what doesn’t belong is discoverable and tangible in the present, allowing actions to be taken early, instead of after a breach.  Observable behaviors of how systems react to detectable adversarial activities and breach attempts is convincing and defensible evidence from which to understand then prioritize the risk through informed decisions. This is largely missing—inconsistent at best—across the maritime industry, with some exceptions. Without persistent monitoring in a rapidly advancing digital ecosystem, decisions will be farther behind the curve and based on scanty information.

“Second, cybersecurity leadership is necessary in the board room to ensure leadership is informed, that all the appropriate considerations are included in strategic planning and governance, and that cybersecurity actions taken are translated to a business language for all leadership and stakeholders to understand. In operating ships and marine terminals where cyber-physical systems integrate with IT, leaders must create and implement unified strategies for how the fleet or facilities will be protected; to support the vessel masters, crews, and employees through the creation of sensible plans to respond and recover, and to maintain safe operations. This is no different from how responsible maritime companies develop strategies to understand and manage other forms of somewhat tangible risk, such as geopolitical, climate change, ballast water, and even obsolescent technology replacement. As an example, many operational and safety checks are required to be performed and logged for a vessel preparing to sail or arrive in port. Very little in the form of pre-departure or arrival cybersecurity checks are provided to the vessel as tested and validated from ashore. This type of assurance and safety due diligence can be organized and led by a maritime Chief Information Security Officer (CISO). At the present, very few maritime companies are staffed with a CISO, with some exceptions. So how can we sail into the digital future without the dedicated leadership and the processes to trust-but-verify?

“Third, industry would benefit from discreet information sharing exchanges from which stakeholders may meet in private to discuss not only cybersecurity threat information, but also strategy and best practices, and to meet with government representatives as needed. As the deployment of OT monitoring software solutions by vendors increases, we must understand industry’s experiences with the performance of these technologies, the value of the output data, and new unintended security vulnerabilities. These lessons learned should be shared so industry can advance through digitalization together, vice operate in a vacuum. Lastly, as businesses interface with shareholder and government entities in the sharing of cybersecurity information, organizations need the right blend of industry and cyber leadership expertise to represent their equities ahead of regulation.

“We are always thinking ahead in maritime—monitoring through watchkeeping, anticipating, scanning, plotting navigation fixes, inspecting, analyzing trends, and preparing—because the sea is unforgiving, and the duty of care is neither optional nor negotiable. Until now, cyber has run counter to every best practice we have learned and practiced—react, wait for the bad news, then scramble (with some exceptions). Instead, turn the constraints of limited resources, talent, and low priority into advantages and strategy by simplifying the cybersecurity problem through continuous monitoring, dedicated cybersecurity leadership, and discreet collaboration.

Source: atlanticcouncil


image_750x_5f07d7a764ac3.jpg

Anastasios Arampatzis reports for Tripwire.com in its official website about the biggest challenges and best practices to mitigate risks in maritime cybersecurity.

Lets look at the essential factors that are crucial in strengthening the cybersecurity of Maritime Industry.

Maritime industry a target for cyber attackers

With more than 90% of the world’s trade being carried by shipping, according to the United Nations’ International Maritime Organization, the maritime industry is an attractive target for cyber attackers.

The European Union has recognized the importance of the maritime sector to the European and global economy and has included shipping in the Network and Information Systems (NIS) Directive, which deals with the protection from cyber threats of national critical infrastructure.

Ships rely on information and technology

Ships are increasingly using systems that rely on digitalization, integration, and automation, which call for cyber risk management on board.

The convergence of information technology (IT) and operational technology (OT) onboard ships and their connection to the Internet creates an increased attack surface that needs to be addressed.

Challenges in Maritime Cybersecurity

The evolution of digital and communications technology has allowed the integration of these two worlds, IT and OT.

The IT world includes systems in offices, ports, and oil rigs, OT is used for a multitude of purposes such as controlling engines and associated systems, cargo management, navigational systems, administration, etc.

Adjunct Professor at the Hellenic American University says, “Maritime industry, especially through vessels digitalization and with the numerous different Operational Technology devices deployed, creates a digital landscape previously unknown to a big extent due to the specific hardware and software being used. New security risks will be evolved with the impact being very significant mainly due to the direct connection with the physical world and the consequent operational damage.”

The maritime OT world includes systems like:

  • Vessel Integrated Navigation System (VINS)
  • Global Positioning System (GPS)
  • Satellite Communications
  • Automatic Identification System (AIS)
  • Radar systems and electronic charts

 

These technologies and systems provide significant efficiency gains for the maritime industry.

They also present risks to critical systems and processes linked to the operation of systems integral to shipping.

These risks may result from vulnerabilities arising from inadequate operation, integration, maintenance, and design of cyber-related systems as well as from intentional and unintentional cyberthreats.

To address the cyberthreats, it is important to consider the uniqueness of OT systems, as these assets control the physical world. There are certain challenges to consider, such as:

  • OT systems are responsible for real-time performance, and response to any incidents is time-critical to ensure the high reliability and availability of the systems.
  • Access to OT systems should be strictly controlled without disrupting the required human-machine interaction.
  • Safety of these systems is paramount, and fault tolerance is essential. Even the slightest downtime may not be acceptable.
  • OT systems present extended diversity with proprietary protocols and operating systems, often without embedded security capabilities.
  • They have long lifecycles, and any updates or patches to these systems must be carefully designed and implemented (usually by the vendor) to avoid disrupting reliability and availability.
  • The OT systems are designed to support the intended operational process and may not have enough memory and computing resources to support the addition of security capabilities.

Disruption of the operation of OT systems may impose significant risk to the safety of onboard personnel and cargo, cause damage to the marine environment, and impede the ship’s operation.

Safety warning from USCG

In fact, it was only last July that the U.S. Coast Guard issued a safety alert warning all shipping companies of maritime cyber-attacks.

The incident that led to this warning happened in February 2019 when a large ship on an international voyage bound for the Port of New York and New Jersey reported “a significant cyber incident impacting their shipboard network.”

The Coast Guard led an incident-response team to investigate the issue and found that “although the malware significantly degraded the functionality of the onboard computer system, essential vessel control systems had not been impacted.”

A series of incidents

  • This was not the first time the U.S. Coast Guard had released a cyber safety warning.
  • In May 2019, they published a bulletin to raise the awareness of maritime stakeholders of “email phishing and malware intrusion attempts that targeted commercial vessels.”

A cyber incident in ships might have severe consequences for the crew, the passengers, and the cargo on board.

Considering that many ships carry harmful substances, a cyber incident might have severe environmental consequences or might lead to hijacking the ship to steal the cargo.

The Baltic and International Maritime Council (BIMCO) has defined a cyber safety incident any incident that leads to “the loss of availability or integrity of safety critical data and OT.”

Cyber safety incidents can be the result of:

  • a cyber security incident, which affects the availability and integrity of OT (for example, corruption of chart data held in an Electronic Chart Display and Information System (ECDIS))
  • a failure occurring during software maintenance and patching
  • loss or manipulation of external sensor data that’s critical to the operation of a ship including but  not limited to Global Navigation Satellite Systems (GNSS)

Best practices to mitigate maritime cyber threats

In 2017, the International Maritime Organization (IMO) adopted resolution MSC.428(98) on Maritime Cyber Risk Management in Safety Management System (SMS).

The Resolution stated that an approved SMS should consider cyber risk management and encourages administrations to ensure that cyber risks are appropriately addressed in safety management systems.

The same year, IMO developed guidelines that provide high-level recommendations on maritime cyber risk management to safeguard shipping from current and emerging cyber threats and vulnerabilities.

In addition, BIMCO has developed the Guidelines on Cyber Security Onboard Ships, which are aligned with the NIST Cybersecurity Framework.

To achieve this goal, maritime companies should follow these best practices:

  • Identify the threat environment to understand external and internal cyber threats to the ship.
  • Identify vulnerabilities by developing complete and full inventories of onboard systems and understanding the consequences of cyber threats to these systems.
  • Assess risk exposure by determining the likelihood and impact of a vulnerability exploitation by any external or internal actor.
  • Develop protection and detection measures to reduce the likelihood and the impact of a potential exploitation of a vulnerability.
  • Establish prioritized contingency plans to mitigate any potential identified cyber risk
  • Respond and recover from cyber incidents using the contingency plan to ensure operational continuity.

“Maintaining effective cybersecurity is not just an IT issue but is rather a fundamental operational imperative in the 21st century maritime environment,” said the U.S. Coast Guard in their July 2019 security warning.

Did you subscribe to our daily newsletter?

It’s Free! Click here to Subscribe!

Source: Tripwire


Machine_Learning_Sea_News_New-768x421.jpg

Despite the recent years’ NSA spying revelations, numerous international malware attacks and North Koreas’ hacking of Sony Pictures, maritime cyber-security is not an issue at the forefront of many ship-owners and managers minds.

However, whilst the maritime industry might not seem a likely target, reports of successful cyber-attacks are not unknown. Take, for example, the Port of Antwerp, where hackers working with a drug-smuggling gang repeatedly breached digital tracking systems to locate containers holding large quantities of drugs. They then dispatched their own drivers to retrieve the containers ahead of the scheduled collection time.

After two years, the operation was eventually shut down and there were no major repercussions for the Port of Antwerp or the companies involved. However, according to security experts at Trend Micro, these companies were extremely fortunate. Using the same techniques, it would not be difficult for criminals to cause chaos at sea. By simply accessing and manipulating a vessel’s AIS, hackers could prevent ships from providing movement information, cause AIS users to detect vessels in false locations or make “phantom” structures or vessels appear.

Other examples of an industry at risk include a drilling rig being hacked and forced to suspend operations, as well as a container line’s entire database of cargo information, including container number, location, place of origin, being erased. Furthermore, instances of maritime and offshore companies that have potentially fallen victim to cyber-attacks may be under-reported, as companies may fear appearing to have allowed confidential information to be compromised.

While maritime cyber-security is an issue that falls outside MTI’s traditional domain, we are in a position to use our platform to raise awareness of the issues at the executive level. Adopting good “cyber-hygiene” will dissuade opportunistic attacks and prevent accidental security compromises.

Developing and implementing such policies will require a top down approach within a company. At the most basic level a company should:

•             Set strong user access controls

•             Set strong network access controls

•             Perform regular backups

•             Keep software up to date

Training employees on how to recognize cyber-attacks and implementing policies on computer hard-ware usage, particularly the use of USB memory sticks, are further steps a company should consider.

Doing what you can to secure your networks and taking the time to integrate cyber-security into your risk management and crisis communications procedure, are the two most strategic things you can do to ensure you can respond effectively to maritime cyber-security threats and in doing so, protect your reputation as a secure service provider.

Source: mtinetwork


Twitter

@AnyawbSales - 1 year

INDIA TO BAN SINGLE USE PLASTIC ON ALL CALLING SHIPS

@AnyawbSales - 2 years

SQEXpress maritime electronic sms forms platform just released