Op-Ed: Protecting vessels against phishing and malware intrusion


By Andrew R. Lee and James A. Kearns

Imagine this scenario: fresh back from leave after a high-seas piracy incident, the captain stood on the bridge of the Babylon Sister, a massive cargo carrier slicing through the choppy waves of the Atlantic. As things were under control, the captain retired to his cabin, logged on to his computer, and began catching up on email. Among the day’s missives was one from the cargo shipper’s management — or so he thought. It warned of potential security breaches and urged the seaman to verify his credentials by clicking on a hyperlink. The captain was usually cautious about online scams, but this email looked authentic and did not raise any alarms. So he did as instructed and clicked on the link.

Unbeknown to the captain, a skilled cybercriminal had crafted the “spear phishing” email. And after the captain clicked the link and entered his particulars, a silent malicious software installation was underway and the cybercriminal obtained access to the Babylon Sister’s computer systems.

Days passed and the captain continued his intercontinental voyage, unaware that the cybercriminal and his cronies were taking advantage of their wide access to the ship’s network, gathering information about the Babylon Sister’s operations and control systems. They also exploited weak points in the network’s operational systems and compromised its security. This enabled them to manipulate critical functions of the ship.

One fateful morning, as the sun was engulfed by heavy fog, the captain and his crew attempted to navigate the treacherous conditions using only instruments. But the devices began to display erratic readings, and the captain found it increasingly difficult to maintain a steady course. Failing to gain control, he called on the ship’s IT department to investigate.

The fog thickened and panic rose just as the Babylon Sister’s communication systems faltered. The ship’s engines began to sputter. The hurried IT investigation revealed that the captain’s choice had caused this situation. The Babylon Sister was in the midst of a cyberattack that threatened property and person. 

Scenarios like this are not far-fetched. In 2019, the Coast Guard reported that a deep draft vessel on an international voyage experienced a significant cyber incident that impacted its shipboard network just as it was entering the Port of New York and New Jersey. And last month (May 2023), the Coast Guard advised of active email phishing and malware intrusion attempts that targeted commercial vessels. The release highlighted that cybercriminals are attempting to gain sensitive information, including the content of an official Notice of Arrival, using phishing email addresses with a sender posing as an official Port State Control (PSC) authority. The Coast Guard also reported that in some cases the criminals have attempted to install malicious software designed to disrupt shipboard computer systems.

In today’s information-heavy world, malicious actors can easily leverage openly available ship and ship operator information to create apparently legitimate phishing emails. They then use the data to design campaigns that threaten ship control and safety and even redirect money transfers (known as business email compromise).

So what steps can a maritime stakeholder take to gird its defenses against phishing emails and malware?

  • Focus on your people, like the captain who failed to discern the phishing email that sent the Babylon Sister into a crisis. The human element is the most important internal threat to a company’s cybersecurity. To meet this threat, employee cybersecurity training programs must be regular and effective and focused on phishing attacks and social engineering. Also, explore segmented system access, that is, allow only specifically authorized users access to certain parts of the system. Finally, know that cyber gangs are increasingly contacting rogue and disgruntled employees to help them carry out attacks.
  • Identify valuable data storage. Begin by inventorying your data to determine how you can protect it. Ask your IT department or IT services provider about segmenting access by implementing a pseudo-sensitive compartmented information access scheme.
  • Identify vulnerable access points and software patch demands. Maritime navigation systems make regular use of open source software, but the “open” part can be concerning. By one measure, software supply chain attacks have increased an average of over 700% annually in only the past few years. So while open source software offers many advantages, it demands attention to cybersecurity protocols and consistent updates to mitigate potential vulnerabilities.
  • Build a skilled incident response (IR) team, make a plan, and test the plan. The IR team should call on experts who are skilled at identifying specific possible threats. What would a cybercriminal or nation-state actor want from your system and assets? An effective maritime cybersecurity action plan is critical to cyber safety and to efficient recovery from an attack. If it is serious about a plan, a company’s C-suite must be directly involved in developing it. Carry out practice exercises so you know how to execute the plan in an attack. Hire penetration testers (aka ethical hackers) to identify likely attack surfaces and vectors.

Within the maritime industry, the stakes for handling modern-day cyber pirates are considerable, not least because threats to commercial vessel IT and operational technology systems risk the integrity of the global supply chain and global trade. Incidents like the fictional tale that afflicted the Babylon Sister are not only possible; by all indications, they are likely.

Andy Lee chairs the privacy and data security team at Jones Walker LLP and holds the CIPP/US designation from the International Association of Privacy Professionals. Jim Kearns is special counsel in the firm’s Maritime Practice Group, where he focuses on maritime transactions.

Categories: Legal, Op-Eds, Safety and Security