Following earlier warnings that cyber attacks are now targeting ships, the US Coast Guard (USCG) has issued a post-mortem of the incident that occurred in February.
The unnamed vessel suffered an incursion that “significantly degraded the functionality of its onboard computer system”, according to the USCG. Many cyber experts warn that such malware can lie dormant and undetected for months before springing into action, making it difficult to isolate the cause – something that cyber criminals rely on for the success of cyber attacks.
Although “essential vessel control systems had not been impacted” in this case, this was simply a matter of luck, with “critical vessel control systems [exposed] to significant vulnerabilities”. This despite the fact that the crew, aware of the risks, refrained from using onboard computers to check emails, check their bank accounts, or make online purchases – often pegged as the origin of shipborne malware.
Many organisations hit by cyber attacks do not divulge this publicly for fear of damaging their share prices, which has given rise to many anonymous reporting frameworks around the world, including those operated by the USCG. As a result, it is likely that cyber risk and cyber breaches are a much bigger problem than alluded to in the press.
Although the USCG emphasised the benefit of network segmentation, which makes it “harder for an adversary to gain access to essential systems and equipment”, ABS cyber expert Cris DeWitt warned that this technique – what is referred to in his field as ‘air gaps’ – is an incomplete solution and should be treated accordingly.
“The idea is that we don’t have to worry about interactions between this system and that system, because they’re not connected. For example, the navigation system and the crew entertainment system – they do not connect. But in many cases there are two access points, one of which is known, the other unknown,” he said. “There are automated exploit tools that are designed to take advantage of that exact thing.”
Other steps toward enhancing cyber security include installing and updating antivirus software; treating external media that has not been scanned for malware with caution before plugging it into any shipboard network; creating network profiles for individual crew and eliminating the use of generic log-in credentials for multiple personnel; and keeping software as up-to-date as possible to patch vulnerabilities.
In May the USCG said that attacks are being tailored towards shipping, with criminals “attempting to gain sensitive information, including the content of an official Notice of Arrival, using email addresses that pose as an official Port State Control [PSC] authority such as email@example.com”.
“Additionally, the coastguard has received reports of malicious software designed to disrupt shipboard computer systems.” The USCG warned crew to verify with PSC authorities in the event of suspect requests for information.