What Cybersecurity Vulnerabilities Do Maritime Facilities Face?
Seaports face familiar types of electronic assault: scanning, ransomware, malware, spear phishing and credential harvesting. In 2017, the shipping giant Maersk was laid low by the NotPetya worm, which scrambled the company’s IT and communications systems for two weeks, marking the largest maritime cybersecurity incident in recent years. The attack affected 76 ports across the globe, including the Port of Los Angeles, and 800 ships. In the end, the hack cost the company $300 million.
However, the Maersk attack was hardly the first. In 2011, the Belgian Port of Antwerp Bruges got hit by drug cartel hackers who surreptitiously took over the tracking of containers carrying hidden cocaine and heroin. The intruders accessed secure data giving them the location and security details of the steel boxes. That allowed the cartel to direct truck drivers to snatch them up before the legitimate owners of the cargo arrived. Port operators only got wise to the situation when they noticed containers inexplicably disappearing.
Seaports are complex facilities. While there is ample awareness of traditional IT vulnerabilities to networks, data and proprietary information, protection on the operational side is far behind, say experts. That includes cranes and container management systems, fuel terminals, shipboard controls, navigation systems, buoys, HVAC controls and more. Many are creaky machines that have ancient, rudimentary electronic control systems.
“Operational technology is the most valuable thing in the network, and lives can be lost” without good oversight, says Rick Tiene, vice president with Mission Secure, Inc. The challenge is that the programmable logic controller (PLC) boxes on maritime machinery are like 20-year-old computers, he says. “It’s a device that has an IP in/out and amps in/out.”
It’s so basic that cybersecurity technology can’t be added to it. Instead, Tiene’s company puts a protection envelope around PLCs.
“We put protection above it and below it,” he says. Practically speaking, that means monitoring the boxes for unusual power spikes that could indicate a cyber intruder has gained control.