Securing Maritime Assets

What is a successful Cybersecurity Program for Maritime Assets?

In 2017, the shipping giant Maersk Line fell victim to the NotPetya malware. Like ransomware, this malware propagated through networks, encrypting data and rendering 4,000 servers, 45,000 PCs and 2,500 apps useless.

Except NotPetya was not really ransomware. It was not designed to decrypt data upon receipt of payment, only to spread damage. The target was Ukrainian organizations, but due to the efficient spreading mechanisms, Maersk’s reported $300M loss became part of vast collateral damage.

Back in 2013, researchers at the University of Texas, Austin demonstrated how, by building a GPS spoofer, they could manipulate ship navigation. Four years later, around the same time Maersk was fighting the effects of NotPetya, an incident affecting GPS signals caused about 20 ships in the Black Sea to head towards a specific airport, far from their positions. It has not been determined whether this was a targeted spoofing attack or an unintentional incident. It did, however, demonstrate the effect of geolocation interference, which today can be achieved using commercial hardware and software – compared to the years of significant effort the researchers had to spend only a few years earlier.

How to Secure Maritime Assets from Cyberthreats?

The examples above illustrate how vulnerable maritime operational technology (OT) assets become when they are connected with IT units.

If you are an owner of maritime assets, how can you secure them from cyber threats?
A successful cybersecurity program is crucial for OT security. Roughly, a ‘cybersecurity program’ refers to an organization’s processes, technology, and awareness with respect to cybersecurity. What are the key elements of a successful cybersecurity program?

Digitalization of the maritime industry makes it an attractive target for adversaries.

Key to a Successful Cybersecurity Program

The first step is to understand the scope of a successful program. Protecting maritime infrastructure from cybersecurity attacks requires the right processes, the right technology and sufficient awareness among key personnel. All these elements must work together to develop and maintain a secure environment capable of handling all types of events – from targeted attacks like GPS spoofing of ships to attacks where critical OT infrastructure is a random victim of carefully designed, damaging malware like NotPetya.

Many asset owners and operators are looking for one or a few technical solutions to secure their assets and fail to sufficiently embrace the need for having the right competencies and processes.

As we note in a different article (Norwegian), a strategy encompassing all three dimensions – technology, processes and competence – is crucial for securing assets in critical infrastructure in general. To stay secure, it is important to continually maintain an overview of the situation, periodically revisit all security measures and improve as required to stay ahead of the attackers.

Once the required organizational support and scope of the Cybersecurity Program are in place, the strategy and requirements for the program must be established. The ISA/IEC 62443 standard series is particularly relevant for the maritime industry. The International Association of Classification Societies (IACS) will require ships constructed on January 1st, 2024, and onwards to satisfy a set of minimal cybersecurity requirements in order to be classified. These “unified requirements,” as they are called, draw upon foundational requirements and system requirements from the ISA/IEC 62443 standard.

Security Policy

Second, a Security Policy must be established. The policy defines the goals specific to your organization or asset to implement the strategy in compliance with the relevant requirements. When defining a Security Policy, ownership and responsibilities of the various elements required should be determined.

Cybersecurity standards typically contain requirements to assess and manage cyber-risk. When planning the actual implementation of the cybersecurity program, it is a good idea to start with a Risk Assessment. The results from this assessment will guide later efforts to where they have the most impact. Cyber-risk management and assessment will become important elements for the maritime industry going forward, as they are featured in IACS’ unified requirement E26.

Once the Risk Assessment results are ready, it is time to focus on planning and implementing actual security improvements. Examples of technical security improvements are network segmentation, perimeter defense and access control, system hardening and monitoring of blind spots. Security improvements can also be non-technical, such as training of personnel and process improvements.

Securing maritime assets against cyberthreats is not easy. A good cybersecurity program, though, is an important starting point for OT security.