Sea Transportation: Cyber Security Stumbles

March 6, 2022: For over a decade the U.S. Coast Guard has been trying to get a better idea of what potential problems ports and large ships face from hackers. In 2013 the Coast Guard established a Cyber Command. The new CGCC (Coast Guard Cyber Command) quickly discovered that they were barely aware of the extent of the vulnerabilities they were responsible for finding and reporting on.

CGCC was responsible for inspecting large container, oil and dry cargo ships that increasingly depend on networked automation systems to run the ships. Ports also have networked software systems for rapidly identifying, unloading and moving cargo out of the port. It was only in the last six years that the shipping companies and port operators realized how vulnerable they were. In 2020 Israel attacked the computerized network that handled the management of a major Iranian cargo port, seriously disrupting port operations for several days. This was in retaliation for less successful Iranian attacks on Israeli utilities. In 2017 Maersk, one of the largest shipping companies in the world, handling about a fifth of global maritime trade, was hit with a ransomware attack. Maersk has operations in 76 ports worldwide and over 800 large container ships. The attack had encrypted all the network files and the hackers demanded $16 million in bitcoin for the decryption keys. Maersk was advised it was safer to rebuild their network, a process that took ten days and cost Maersk over $200 million in losses due to delayed cargoes. A variant of that software destroys rather than encrypts files and was used by Russia against Ukraine in 2018. Within the United States the Port of Kennewick in Washington State was hit with a ransomware attack in late 2020. The hackers demanded $200,000 for the decryption keys. The port refused and spent more than a month rebuilding their systems. These ransomware attacks have led to ports and shipping companies paying more attention to defenses and preparations to deal with attacks. The United States is particularly vulnerable to such attacks because maritime commerce depends on a lot of rivers with choke points. A targeted attack on ship automation systems can cause ships to run aground or sink at choke points, halting movement for days, weeks or months.

The CGCC was able to establish three CPTs (Cyber Protection Teams) in 2020 to handle inspections of ports and, eventually, ships. The Coast Guard had problems finding people within its own ranks who had the technical skills to handle the CPT work. The Coast Guard eventually offered direct commissions for qualified civilians to become officers in the CPTs without going through the usual lengthy process of becoming a Coast Guard officer. At the same time CGCC found there was a lot more to inspect than anticipated. This was a shock for the Coast Guard because for over two centuries Coast Guard inspection teams had been successfully inspecting ships and ports for problems. Twenty years ago, these Coast Guard inspectors noted that more ships and ports were depending on computerized systems, as was the Coast Guard on its own ships. For a while the inspections were adequate for this. Then the extent of the automation and use of worldwide networks escalated beyond anything the Coast Guard was able to handle. That led to the CGCC and the discovery that a solution to the problem was far more difficult to implement than anyone ever imagined. The port operators and shipping companies may have had misgivings about these larger and more expensive systems, but they did work and greatly reduced the cost of running ships and ports. Those who hesitated in adopting the new systems found themselves losing business.

CGCC found that they were not just facing the need to protect the American ports and ships they inspected but also a new threat: deliberate cyber-attacks on ship and port networks to greatly reduce the ability to move cargo. This was a new, worldwide vulnerability in which defense was a lot more difficult than offensive use of these hacks. CGCC is trying to establish minimum standards that ports and ships must meet and that CGCC inspectors can verify. This is not a solution but it is a step in that direction because it will detect the ports and ships that are most vulnerable to attacks.

CGCC is trying to steadily improve and expand its inspections, but it is up to commercial software developers to come up with better security for the networking and control systems they sell to port operators and shipping companies.