By Maura Keller
The maritime industry is constantly evolving. With the advent of new technologies and a greater focus on operational efficiency, cybersecurity has stepped out of the background and the IT back offices to the forefront of the industry. Maritime cybersecurity incidents can cost multi-millions of dollars in losses to a shipping company, stevedores and financial institutions. In addition, the hacking or distortion of manifests can reflect fraudulent cargo entering a port, such as narcotics and weapons of mass destruction.
According to Ford Wogan, a partner in the Maritime Practice Group at Jones Walker LLP, in the early 2000s, cybersecurity was barely a blip on the proverbial radar within the maritime arena. In the United States, the Maritime Transportation and Security Act of 2002 (MTSA) was overwhelmingly passed by the House and Senate.
“Enacted in the wake of the September 11, 2001, attacks, the MTSA focused on shoring up port and waterway security efforts to deter, prevent and response to a physical terrorist threat. In fact, the word ‘cyber’ does not appear anywhere in the MTSA,” Wogan says.
More recently though, as technology has advanced, physical threats to the industry have given way to cyber threats, which have often been undertaken by governmental actors, Wogan says. As a result, cybersecurity concerns—and their effect on the industry’s financials—have become more prominent.
Wogan points to the 2017 NotPetya cybersecurity attack on Maersk Lines resulting in nearly $300 million in losses to the company. “Similar cybersecurity attacks to ports around the world—including in Barcelona and San Diego—crippled not just port operations but other aspects of the global supply chain, illustrating the inherent connectiveness of the industry and the trickle-down effect a cybersecurity event can have beyond just the party targeted,” Wogan says.
Industry stakeholders along with governmental and regulatory agencies have responded to these emerging threats proactively. The United States Coast Guard (USCG) has issued circulars outlining guidelines for addressing cybersecurity risks at MTSA-regulated facilities and, as recently as February, issued a Vessel Cyber Risk Management Work Instruction to provide guidance on USCG’s approach for assessing cyber risks as part of its commercial vessel compliance program. And according to Wogan, BIMCO, IMO and other industry leaders have also provided their own guidelines and recommendations for implementing cybersecurity policies and procedures aboard vessels.
“We’ve seen a number of ransomware attacks at ports over the years most recently, the Port of Kennewick,” says Joelle Dvir, associate in McDonald Hopkins’ national data privacy and cybersecurity group. In November 2020, the Port of Kennewick outside of Seattle was hit with ransomware and faced a $200,000 ransom demand. The port was forced to rebuild from backups after deciding not to pay the ransom.
As Dvir explains, ransomware attacks can be introduced into the port environment in a variety of ways — via phishing email, unsecured remote desktop protocol (RDP), and even by physical methods, like plugging a corrupted device into the port environment.
“A culture of privacy from every angle is crucial in protecting the ports,” Dvir says. “Every person that interacts with the ports must be cyber-aware and know what to do to avoid an attack and steps to take when they suspect a cyber incident.”
An Evolution of Sorts
The maritime industry has recognized the threat of cybercrime for the past decade. However, according to David Espie, director of security for the Maryland Port Administration, some key elements to address this threat have been absent or inconsistent. These include: Taking the threat seriously; training by security professionals and by system users; lack of reporting cyber-related incidents; lack of coordination by local, state or federal officials; and a failure to adequately fund the acquisition of necessary cybersecurity software and hardware technology.
“Now, in an effort to counter cybercrime efforts, maritime entities are properly investing in necessary counter cybercrime behavior to include training, the hiring of qualified cybersecurity professionals and investing in prudent technologies that deter the cybercrime menace,” Espie says.
Today, the biggest issues facing maritime cybersecurity include: shipping lines ensuring the security of their geospatial technology and engine operation; the security/integrity of passenger and cargo manifests; security of stevedoring operations; and the integrity of personnel and physical security systems and technology.
The reason for the increase in attacks is, in Wogan’s view, quite evident. Computers play a more critical operational role now than at any time before. But with that increased operational function comes greater cybersecurity vulnerabilities and risks.
“Navigation, mechanical systems, communication systems, cargo operations, and safety and security monitoring all involve computerization in some form or fashion,” Wogan says. “With growing computerization and cloud-based services, the access to computer systems also grows, meaning the avenue and opportunity for a potential cybersecurity attack enlarges.”
According to Dvir, last year Israeli cybersecurity company Naval Dome reported that cyberattacks on the maritime industry’s operational technology systems increased by 900% over the preceding three years.
“Focusing on maritime cybersecurity is crucial not only due to the rising attacks, but given how impactful the seas are in our daily life,” Dvir says. “Ninety percent of trade is by water and nearly 100% of transoceanic data traffic is transmitted under water through undersea cables. As the maritime industry moves towards the use of autonomous vessels, the threat of remote access to the vessels’ controls leading to high jacking is serious. It is essential for the maritime industry to keep abreast of cyber-threats.”
Jarle Coll Blomhoff, group leader, cyber safety and security at DNV says the marine industry is seeing vessels also increase their connectivity to remote and other systems.
“The maritime industry must consider the risks of these and implement necessary barriers and actions,” Blomhoff says. “This is especially critical with operational technology (OT), where there is a significant risk of connecting systems that are not security managed, as the technology is designed to operate in an ‘island mode.’”
On the information technology (IT) side, the threats are common to many industries, so while the maritime industry needs to address them, the factors to consider and the toolbox available are more well known.
In addition, ports are considered critical infrastructure in most countries, so they are often regulatorily obliged to address cyber security. “Still, we will see a continuous increase in the demands on them, as well as the threat picture, as ports must consider managing the risks of both IT and OT systems as well,” Blomhoff says.
That’s why cyber professionals are working closely with information technology experts in combatting cybercrime. “In addition, FEMA’s federal port security grant program has provided information technology departments a significant resource to acquire state-of-the-art software and technologies which alert system administrators of potential nefarious cyber activity,” Espie says. “This technology continues to evolve in correlation with identified and/or future potential threat activity.”
Dvir stresses that safeguarding the maritime industry from cyber-attacks requires a comprehensive approach. Taking precautions by installing security systems, such as firewalls and detection systems for denial of services attacks and other malware is critical, but no longer sufficient.
“Proactive cybersecurity risk management is crucial,” Dvir says. “Maritime industry players also need to have incident response plans, conduct incident response drills and implement staff training and awareness programs, including phishing training.”
Though training and vetting of security and data-management procedures are taking place throughout the industry, experts agree that the maritime industry must be mindful that its policies and procedures should evolve as threats change.
“Best practices must adapt and efforts must be undertaken to ensure that others are adapting as well. Change, of course, means dedicating time and resources,” Wogan says. “Complacency or viewing cybersecurity threats as static, rather than dynamic, is a recipe for disaster.”
In October 2021, each Maritime Transportation Security Act certified port in the U.S. must incorporate cybersecurity within their facility security plans. It is noted that FEMA’s federal port security grant program is a vital funding mechanism in America’s fight against cybercrime.
“Maritime cybersecurity will continue to be a challenge,” Espie says. “Lone wolfs, terrorists, those engaged in industrial espionage, and the disgruntled worker will continue to target maritime and other industries.” That’s why the security of systems which house and operate physical security technologies such as access control, closed circuit TV (CCTV), and ship manifests will continue to be on the forefront.
“Cybersecurity is here to stay in the maritime industry,” Wogan says. “As the industry becomes more reliant upon automation, computerization and system integration, cybersecurity and its corresponding risks will continue to evolve and change.”