Trouble underway: Seven perspectives on maritime cybersecurity
November 13, 2020 MARITIME CYBER SECURITY
With more than 90 percent of all global trade tonnage transported by sea and vital global energy networks, maritime infrastructure has never been more essential and yet also more at risk. In just the last two weeks, there have been several high-profile attacks on the maritime industry, with both the fourth-largest global shipping company and the International Maritime Organization (IMO) targeted.
To dive deeper on this topic, we asked seven experts—including several who spoke at a recent Scowcroft Center for Strategy and Security event on maritime cybersecurity—about these threats and how policymakers can help protect against them:
What are the most vulnerable aspects of our maritime infrastructure? What makes them such attractive targets?
“When compared to commercial IT, the technologies used within the maritime sector illustrate the difficulties new sectors have to adapt to the Internet of Everything (IoE). Like many other sectors, the maritime sectors used to develop stand-alone software and hardware, inherently “limiting” the risks to internal threats. The new IoE paradigm, however, proves that it is challenging to securely design, develop, and operate a fully connected environment. Current GPS, ECDIS, and AIS systems have demonstrated various vulnerabilities in the last couple of years. So in order for the maritime environment to develop and operate in a secure fashion, it will be essential to have an overall view of the supply chain, from third party manufacturer to the people operating and maintaining the equipment. This view should further evolve over the lifetime of the equipment, with updates, upgrades, and training.
“In its current state, the maritime industry is a prime target due to the many moving parts of ports and vessels, the increasing attack surface (e.g. adding connectivity to devices that had never been thought to be connected), the current lack of security and privacy by design, as well as the inadequacy of cyber-security training. Furthermore, with the industry quickly bridging the gap between IT and Operational Technology (OT), we may soon see widespread vulnerabilities impacting the maritime sector as a whole.”
Dr. Xavier Bellekens, Lecturer and Chancellor’s Fellow, Institute for Signals, Sensors, and Communications, University of Strathclyde
From a government standpoint, what can the US government do to incentivize the maritime industry to invest more in cybersecurity?
“I believe that the most impactful things the US government can do to incentivize maritime industry investments in cybersecurity are:
- Promote robust, real-time, maritime-specific cyber threat and incident information sharing between maritime industry stakeholders, and between those stakeholders and the US government (and vice versa), when appropriate.
- Share cybersecurity threat intelligence with cleared maritime industry stakeholders.
I believe that these two measures are critically important as, currently, maritime industry executives have limited information about cybersecurity threats that other companies have experienced. Only by sharing cybersecurity threat and incident information widely with and between maritime companies can their senior executives gain a clear appreciation of the collective threats and potential financial and national security impacts of failing to adequately invest in IT and OT infrastructure improvements and other cybersecurity enhancement measures. Having this complete cybersecurity threat picture is key to making corporate cost-benefit decisions on increased investments in cybersecurity, and to ensuring that those investments achieve the best possible cybersecurity protections.”
Cameron Naron, Director, Office of Maritime Security, Maritime Administration, US Department of Transportation
What kind of players exist in the maritime industry and what role should they play in driving improved cybersecurity outcomes?
“The challenges in driving improvement in cybersecurity programs within the global maritime industry result from the many links in the marine transportation system and the personnel at each of these links. With enhanced technology, the interconnectivity—while improving the efficiency of the system itself—also presents multiple nodes which provide opportunities for cyberattacks. Looking at the system as a whole and starting at the most basic level, the vessel and its systems, interconnected within the ship and interfaced with shore management, is the basic building block. Key links to and from the vessel include shore management (ship owner, operator, or charterer), government agencies requiring electronic reporting of vessel information, third-party contractors including classification societies, vendors, technical service providers, and port and terminal authorities. Simply put, in an ideal world, the entire logistics chain is interconnected and provides stakeholders real-time information essential to scheduling and decision making. Integrating cybersecurity programs at each interface is critical as is also the education of personnel at each interface. In such an integrated system, the cybersecurity programs are only as good as the weakest link, making it critical that all links in the logistics chain collaborate in establishing robust programs, properly training personnel and maintaining the operational efficiency necessary for all parts to work as one.”
Ms. Kathy Metcalf, President and Chief Executive Officer, Chamber of Shipping of America
Cyber-attacks on maritime infrastructure can be especially alarming because of potential compounding effects. What lessons can be taken from other sectors to help better protect maritime infrastructure from systemic threats?
“Three opportunities for maritime to build on the cybersecurity lessons learned by others jump out. First, from the energy sector, how to monitor and alert on malicious system behaviors in technology without a great deal of computing head room left for big commercial IT security applications. Second, from the US financial sector, the importance of regular and realistic joint exercises to build confidence in the collaborative links between stakeholders and raise awareness of channels for cascade failure between them. Third, from the telecommunications sector, how some companies have approached repeated adversarial events as an issue of resilience—building flexibility, capacity to adapt, and deep system expertise as a means of operating through failure rather than endlessly seeking to prevent it.”
Trey Herr, Director, Cyber Statecraft Initiative, Scowcroft Center for Strategy and Security, Atlantic Council
What was your biggest takeaway from the Atlantic Council panel conversation? How does it align with what you see as the biggest threat to maritime cybersecurity that needs to be tackled?
“Sustaining a safe, secure, and resilient marine transportation system is foundational to our economic and national security. When we consider evolving risks in the cyber domain, the maritime sector is on par with other more widely recognized sectors, like finance and energy, in terms of the potential for significant consequences. As we have seen from recent incidents, the maritime industry’s growing dependence on continuous network connectivity and converging layers of information and operational technology make it inherently vulnerable to cyber threats.
“The first step for the maritime industry is to recognize that cyber risk management is not an administrative function that can be left solely to company IT professionals, but rather a strategic and operational imperative that must be managed at the C-suite level. We also need to recognize that cyber security is a team sport; no single public or private entity has the capabilities, authorities, resources, and partnerships to do it alone, so information sharing and collaboration are essential to managing this risk.”
Captain Jason P. Tama, Commander, Sector New York; Captain of the Port of New York and New Jersey, United States Coast Guard
How does cyber insecurity in civilian maritime infrastructure impact military readiness and capabilities? Why should the cybersecurity of our commercial fleets be a priority for the US government and the Department of Defense (DoD)?
“While cyber insecurity in civilian maritime infrastructure has not yet been a hindrance to force projection, it could be in the future, given the right set of circumstances. In the past, we have operated under the assumption of an uncontested homeland and uncontested passage. However, exploring the asymmetric level of effort required for successful cyber-attacks juxtaposed against the damage they may cause has forced a re-evaluation of whether our infrastructure and routes will remain uncontested in the future. Because the Army relies on the civilian maritime industry to move equipment, when US forces need to be sent overseas quickly, minor delays throughout our civilian critical infrastructure could have a ripple effect on the deployment timeline. The cybersecurity of commercial fleets should be a priority for the US government and DoD because disruptions or delays to military deployments could jeopardize our ability to maintain stability and to support our allies and partners.”
Dr. Erica Mitchell, Critical Infrastructure/Key Resources Research Group Leader, Army Cyber Institute, West Point; Assistant Professor in the Electrical Engineering and Computer Science Department, West Point
How can we help better enable and operationalize the maritime industry to ensure that cybersecurity is not only understood, but also prioritized?
“First, to understand and prioritize cybersecurity, persistent visibility into organizations’ own networks, assets, and critical third-party integration must be achieved. This is the spectrum of attack surfaces that requires the same continual monitoring and awareness that we have practiced for centuries at sea: inspections of cargo holds and machinery spaces, watertight enclosures and hatches, and material conditions throughout the vessel to ensure seaworthiness. An understanding of network architecture, what is connected, when it connects, and who may be required to connect is an imperative. Real-time knowledge of business, vessel, and marine terminal networks and technologies presents the greatest power of information to empower stakeholders because what belongs and what doesn’t belong is discoverable and tangible in the present, allowing actions to be taken early, instead of after a breach. Observable behaviors of how systems react to detectable adversarial activities and breach attempts is convincing and defensible evidence from which to understand then prioritize the risk through informed decisions. This is largely missing—inconsistent at best—across the maritime industry, with some exceptions. Without persistent monitoring in a rapidly advancing digital ecosystem, decisions will be farther behind the curve and based on scanty information.
“Second, cybersecurity leadership is necessary in the board room to ensure leadership is informed, that all the appropriate considerations are included in strategic planning and governance, and that cybersecurity actions taken are translated to a business language for all leadership and stakeholders to understand. In operating ships and marine terminals where cyber-physical systems integrate with IT, leaders must create and implement unified strategies for how the fleet or facilities will be protected; to support the vessel masters, crews, and employees through the creation of sensible plans to respond and recover, and to maintain safe operations. This is no different from how responsible maritime companies develop strategies to understand and manage other forms of somewhat tangible risk, such as geopolitical, climate change, ballast water, and even obsolescent technology replacement. As an example, many operational and safety checks are required to be performed and logged for a vessel preparing to sail or arrive in port. Very little in the form of pre-departure or arrival cybersecurity checks are provided to the vessel as tested and validated from ashore. This type of assurance and safety due diligence can be organized and led by a maritime Chief Information Security Officer (CISO). At the present, very few maritime companies are staffed with a CISO, with some exceptions. So how can we sail into the digital future without the dedicated leadership and the processes to trust-but-verify?
“Third, industry would benefit from discreet information sharing exchanges from which stakeholders may meet in private to discuss not only cybersecurity threat information, but also strategy and best practices, and to meet with government representatives as needed. As the deployment of OT monitoring software solutions by vendors increases, we must understand industry’s experiences with the performance of these technologies, the value of the output data, and new unintended security vulnerabilities. These lessons learned should be shared so industry can advance through digitalization together, vice operate in a vacuum. Lastly, as businesses interface with shareholder and government entities in the sharing of cybersecurity information, organizations need the right blend of industry and cyber leadership expertise to represent their equities ahead of regulation.
“We are always thinking ahead in maritime—monitoring through watchkeeping, anticipating, scanning, plotting navigation fixes, inspecting, analyzing trends, and preparing—because the sea is unforgiving, and the duty of care is neither optional nor negotiable. Until now, cyber has run counter to every best practice we have learned and practiced—react, wait for the bad news, then scramble (with some exceptions). Instead, turn the constraints of limited resources, talent, and low priority into advantages and strategy by simplifying the cybersecurity problem through continuous monitoring, dedicated cybersecurity leadership, and discreet collaboration.