Basic cyber hygiene measures
“In February 2019, a deep draft vessel on an international voyage bound for the Port of New York and New Jersey reported that they were experiencing a significant cyber incident impacting their shipboard network. An interagency team of cyber experts, led by the Coast Guard, responded and conducted an analysis of the vessel’s network and essential control systems,” the U.S. Coast Guard shared.
While the malware “significantly degraded” the functionality of the onboard computer system, essential vessel control systems had not been impacted, they noted.
The vessel owner and operators were extremely lucky, it seems, as the damage could have been much worse: the team discovered that the vessel was operating without effective cybersecurity measures in place.
“It is unknown whether this vessel is representative of the current state of cybersecurity aboard deep draft vessels,” the Coast Guard noted, but nevertheless decided to offer security advice to all vessel and facility owners, operators and other responsible parties:
- Segment the networks in use
- Create unique network profiles for each employee, secure them with passwords and/or physical authentication (ID card), employ the “least privilege” principle, and sparingly use admin accounts
- Install and routinely update basic AV software
- Regularly patch OSes and applications
- Avoid using external media or, if it must be used, scan it for malware on a standalone system before plugging it into any shipboard network.
“This incident revealed that it is common practice for cargo data to be transferred at the pier, via USB drive. Those USB drives were routinely plugged directly into the ship’s computers without prior scanning for malware,” the Coast Guard noted.
Judging by this comment, the source of the incident was likely a generic malware infection (i.e., not a targeted attack).
Adapting to the changing technologies and threat landscape
“With engines that are controlled by mouse clicks, and growing reliance on electronic charting and navigation systems, protecting these systems with proper cybersecurity measures is as essential as controlling physical access to the ship or performing routine maintenance on traditional machinery,” the Coast Guard pointed out.
“Maintaining effective cybersecurity is not just an IT issue, but is rather a fundamental operational imperative in the 21st century maritime environment.”
Andrew Tierney, a maritime cyber security consultant at UK-based Pen Test Partners, says that the situation described in the alert is typical of the industry.
“Crew have become hugely reliant on computers to perform day-to-day and safety critical tasks. Even if a vessel ‘only’ loses the general purpose desktop machines, it’s likely to have severe impact – a lot of communication is done electronically, along with most load calculations,” he told Help Net Security.
“Crew are often precious about their ability to operate without electronic aids, and today’s tight schedules and quick turnarounds mean that it’s difficult for them to practice emergency procedures. Even if the master can fall back to years of experience, that doesn’t mean the rest of the crew can.”
While the advice the Coast Guard provided is good, Tierney noted that it’s very basic and pointed to his company’s own advice, which also includes things like teaching crews about cybersecurity and auditing the security of the technologies used.