Eyes on Cyber in the Maritime Field

By Adrian Victor Vevera – General Director of the National Institute for Research and Development in Informatics ICI Bucharest, PhD. Eng., Nuclear Physicist by training, Scientific Researcher 2 title in the Romanian research establishment

The sinews of the world are straining and we have seen it takes little for them to break

It gives one a feeling of déjà vu to witness another reminder of the essential vulnerability of the global logistics chain that makes the globalized world possible, with its division of labor and its abundance of products for every season and market. Rightly, people are concerned about the Yemeni rocket attacks on commercial shipping crossing the Bab-el-Mandeb Strait and the Red Sea on their way to and from mainly Europe, carrying fuel, foodstuffs, and manufactured products. People are also concerned that the roundabout alternative around the Cape of Good Hope adds time and costs to shipping, thereby reducing efficiency and the overall capacity of the system. Whatever initiative the militaries of interested powers put into motion, it must not only deter attacks but also reassure civilian shippers, their clients upstream and downstream, their insurers and other actors that this security is sound.

However, I find it hard to take seriously the shock emanating from certain quarters that funneling most of global maritime trade by tonnage through a few key chokepoints would result in vulnerabilities that certain actors would take advantage of. In other words, it is a systemic vulnerability exploited by a threat actor to coerce the affected parties through the impact on the system-of-systems that literally makes modern supply and production chains possible. And we have been consistently forewarned, if not forearmed, that maritime trade and, by extension, maritime infrastructures, assets, and organization together form an immensely complex integrated critical infrastructure which is tightly wound and relatively easily perturbed. Off the top of my head, I will list the Ever Given blockage of the Suez Canal in March 2021, the horrendously complex impact of the pandemic and the anti-pandemic measures on transport capacity worldwide, and the impact of Russia’s blocking of the Ukrainian maritime grain transport routes as examples.

And I want to take this opportunity to underscore a different kind of threat, no less insidious, costly, or deadly, to the critical infrastructure that makes possible the global production and supply chains on which we rely – the cybersecurity of the maritime domain. This is, without hyperbole, a threat that knows no borders or chokepoints, that is omnipresent, that affects all aspects of the value chain, and that entails a complex ecosystem of aggressors, from states and state proxies, to rivals, criminal groups, terrorist organizations or ideological actors. And the cost to benefit ratio of attacks through cyber vectors is so good, and the barriers to entry for new aggressors are relatively so low, that we can anticipate that the situation will get worse. This is not helped by the rapid pace of digitalization, which is driven by new systems, practices, and standards in relation to new ship classes and other assets that are meant to increase capacity, reduce the labor component, increase energy efficiency, environmental friendliness and more. The tradeoffs are all in the direction of heightening cyber risk.

The issues at play
The term OT (operational technology) has developed to encompass a wider array of technologies and applications than industrial control systems, while still representing, according to the renowned consultancy Gartner, “hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes, and events in asset-centric enterprises, particularly in production and operations.” The proliferation of cyber-physical systems, which interact with the physical world through the cyber environment, has created a whole new playhouse for the hacker or for complexity-driven disruption. In contrast to traditional “industrial” entities running ICS, asset-centric entities in the maritime sector feature significant distinctions and challenges, such as wide distribution of assets, the cross-border nature of operation and governance, more frequent and complex interactions with other entities and their particular systems, as well as a greater intrusion of geopolitics and geoeconomics into the mix. So far, so good, but new digital paradigms, such as the Internet-of-Things moving from our wearable devices into the industrial area, have resulted in a rapidly changing cybersecurity landscape. This is especially true for the maritime domain, where the IoT paradigm facilitates cheap, accessible, and sustainable control systems in highly distributed geographic environments, with real-time analytics, sophisticated embedded systems, cloud storage and computing, and commercial-off-the-shelf sensors.

Figure 1 is an attempt to provide a snapshot of the complicated cyber domain metasystem for the maritime sector, involving the assets but also the organizations and the facilities required. We can observe that there are important specificities in play that warrant the particular attention given to the cyber maritime domain as its own field. Firstly, there are numerous domains in which cyber threats are felt, particularly as air-gapped digital systems gave way to networked systems facilitating a downsizing of the crew and more efficient use of the asset or the shore facilities (such as container loading and unloading). These vary depending on the entity, region, or asset in question, but the razor-thin margins of competitive maritime transport drive those unwilling to adapt out of the business. Digitalization becomes not just a growth strategy, but an economic survival strategy. Maritime actors rely on dedicated systems, which the figure tries to underline, for instance in communications, identification, displays, data recording, radar plotting and more. Specific systems that are not usually of concern in terrestrial settings are also important, such as engine control, ballast, and stabilization. Decision support systems will become even more important as unmanned shipping fleets come online chasing new efficiencies. Many of these issues are relevant in other maritime-specific areas such as offshore infrastructures like oil rigs, offshore wind farms and others. The newer generation of offshore infrastructure, including tethered floating wind turbines, requires active stabilization and careful environmental monitoring to maintain safety and security. With Europe looking to power through to energy independence partly through renewables, offshore infrastructure will become a more and more important component of this strategy.

High profile cases
Basically, the surface contact area between the maritime domain and the cyber environment is growing, driven not just by digitalization, but also by greater networking in service of distributed command, control, and coordination systems. We have seen this in play several times in recent history, and the threat actors are not just “growing their business”, but choosing to step up their aggression right when the circumstances guarantee maximum disruption. The start of the pandemic saw restriction efforts which put pressure on logistical systems that atrophied in the lockdown and were overstrained in the post-lockdown economic bounce. Between February and June 2020, Israeli consultancy Naval Dome reported a 400% increase in cyber-attacks against shipping. There was an across-the-board increase in attacks, but the maritime domain certainly saw some of the worst dynamics, perhaps second only to the critical health infrastructures.

In June 2017, Maersk was affected by NotPetya, a ransomware-like malware that did not spread through social engineering or spam and which burned through Maersk in seven minutes. Maersk lost all its data, 49,000 laptops and 4,000 servers, with direct damages totaling 300 million dollars. One office alone was spared, through an unrelated power outage.

In 2018, the Chinese company COSCO was affected by the SamSam ransomware, whose operators eschew the commodity and malware-as-a-service approach of others in favor of in-house development to respond to security updates and other issues. COSCO reported effects in the United States, Canada, Panama, Argentina, Brazil, Peru, Chile, and Uruguay. It did not disclose the damages, but it boasted a return to normalcy in five days, through its use of segmented networks, backups for data and contingency plans.

Allianz’s 2023 Safety and Shipping Review pointed out that many attacks target onshore components of maritime infrastructures and cited attacks in 2022 against the Port of London Authority and the Port of Los Angeles, and attacks in 2023 against the Port of Halifax and the ports of Montreal and Quebec. This just means that there is room to grow for hackers targeting the ships themselves, and a January 2023 cyber-attack against DNV, a software vendor offering the ShipManager software, affected 1,000 ships and required a server shutdown.

The response is not easy
Getting ready is not easy, especially in the absence of some technical silver bullet. The C-suite and other stakeholders must have a vision regarding the creation of a cybersecurity strategy, its implementation, the adequate sourcing of technology, of security products and services, of intelligence on the threat environment affecting the entity and its supply chain, but also a discipline in developing, updating, and practicing contingency plans. Companies must perform risk assessments, educate staff, promote cybersecurity hygiene, and take a good hard look at the various surprises that they may find, such as bad practices from work-from-home staff, unpatched software and operating systems, access management issues, third-party vendor risks and so on. This is not helped by economic pressure, which saw a possible decrease in budgets dedicated to cybersecurity for industrial control systems and operational technology in 2023, according to a 2023 SANS Institute survey. It is not just about the money: there has to be a strategic cyber culture in the entity that facilitates adaptation to the new reality, otherwise we will keep facing the issue pointed out by the Safety at Sea and BIMCO Maritime Cyber Security survey, which found that 77% of its respondents thought that cyber-attacks were a medium to high risk, but only 42% actually had OT security in place, 62% had some contingency plans and only 24% actually tested them every three months (15% tested them every six months).

Awareness is growing, not just among industry actors, but also among other stakeholders. New developments in critical infrastructure governance in Europe, such as the Critical Entities Resilience Directive and the NIS 2 Directive, help, although dedicated maritime infrastructure or maritime cybersecurity frameworks still elude European decision makers. I can report, through the experience of my institute, a growing awareness of the importance of protecting the maritime domain from hybrid threats. May 2023 saw a European Defence Agency tabletop exercise on critical energy infrastructure security against hybrid threats, with an important maritime component, take place in Sofia, with an expert from ICI Bucharest on the organizing committee and coordinating one of the exercise groups. The exercise was especially interested in exploring the reaction of stakeholders to threats expressed in the maritime domain through a cyber vector and successfully raised awareness of a host of issues related to maritime and energy. ICI Bucharest will also have a representative in the “Cyber Security Incident Response Exercise: Constanta Port” scheduled for February 21 and 22, 2024 in Constanta, Romania. This tabletop exercise will be organized by the Maritime Cybersecurity Centre of Excellence at the Constanta Maritime University, in partnership with the Romanian National Cyber Security Directorate, aiming to promote collaboration, improve communication and enhance problem-solving capabilities in the realm of cybersecurity. The Black Sea region is, for many reasons, both structural/long-term and related to the conflict in Ukraine, a petri dish for all manner of hybrid threats, including cyber maritime issues. Decision makers and other stakeholders are trying to get to grips with the rapidly changing security environment and to get ahead of threat actors in order to promote resilience in the maritime domain.
Cyber resilience will have to be a part of it because, while the Houthi forces will eventually be silenced in their assaults on neighboring trade routes, there is nothing stopping the long march of cybercrime and cyber warfare through our critical infrastructures and our assumptions about our level of security.