Maritime Cybersecurity Topic Week

Maritime Cybersecurity Week Concludes on CIMSEC

1 Comment

By Dmitry Filipoff

CIMSEC recently featured a series of pieces submitted in response to our call for articles on maritime cybersecurity, issued in partnership with Cyber Nation Central as a part of Project Trident.

Authors highlighted the ever-changing landscape of cyber threats and countermeasures. The maritime sector is particularly critical to defend because of its extensive and broad linkages. Yet ships require steady upgrading of their systems and defenses in order to a pace threat that is constantly evolving. Crews require regular training to prepare for possible worst-case scenarios, many of which could be precipitated by a seemingly friendly email. As state and commercial actors seek to reinforce their resilience against cyber threats in the maritime domain, they can look to improve their cross-stakeholder relationships with one another, and consider enhancing international law to provide more common ground for interpretation and action.

Below are the authors who featured during the topic week. We thank them for their excellent contributions.

Sieges, Containerships, and Ecosystems: Rethinking Maritime Cybersecurity,” by LCDR Ryan Hilger

“…as cyberattacks only continue to grow in pace, scope, and impact, we must engineer and operate for resilience to ensure that the company or mission does not irrevocably lose the credibility and trust needed to survive in the ecosystem. Beyond practical approaches like expansive defense in depth, zero trust architectures, and redundancy or watchdog mechanisms to balance against complex or emergent behaviors, the approach must separate the systems from the information.”

Sea Blind: Pacing Cybersecurity’s Evolving Impact on Maritime Operations,” by Mark McIntyre and Joe DiPietro

“Just as the sextant enabled celestial navigation of ships far from shore, and signal flags and lights allowed ships to communicate with one another more effectively, the adoption of digital technology has allowed sailors to shoot, move, and communicate even more rapidly. While this technology allows seafarers to navigate more precisely and communicate and coordinate with others more easily, it introduces new vulnerabilities to modern warships. Just as these systems assist personnel onboard ships, they potentially offer nefarious actors an attack vector to introduce malicious code into these systems.”

Perils of A New Dimension: Socially Engineered Attacks in Maritime Cybersecurity,” by Leonid Vashchenko

“Their objective will be to obtain unsanctioned admittance into the vessel’s systems. The targeted person can either be blackmailed or contacted by a fake profile of a trusted contact with the aim of dispatching malware via the victim’s access. An untrained and unaware navigational officer could install the malicious software to the navigational computer, under the guise of ‘colleague’s friendly tip.’”  

Tackling Maritime Cyber Threats: A Call for Cross-Stakeholder Cooperation,” by Henrik Schilling

“Apart from the law itself, implementing cyber operations into international law would create a certain degree of consent between international actors regarding the handling and use of cyber operations. These measures will not solve illegal cyberattacks, but they might provide actors a common ground of action in terms of defending against such attacks or initiating consequences or counterattacks.”

Dmitry Filipoff is CIMSEC’s Director of Online Content. Contact him at Content@cimsec.org.

Featured Image: Marines with Marine Corps Forces Cyberspace Command pose for photos in cyber operations room at Lasswell Hall aboard Fort Meade, Maryland, Feb. 5, 2020. (USMC photo by Staff Sgt. Jacob Osborne)

Cybersecurity Topic Week

Tackling Maritime Cyber Threats: A Call for Cross-Stakeholder Cooperation

1 Comment

Maritime Cybersecurity Topic Week

By Henrik Schilling

“Cyber War does not take place in the present, and […] it is unlikely that Cyber War will occur in the future,”1 stated German political scientist Thomas Rid several years ago, arguing that no cyberattack can be viewed as an act of war on its own. It does indeed seem difficult to imagine a war waged just by way of cyberattacks, although the quick development of new technologies makes predicting the possibilities of cyberattacks in the future increasingly difficult. What is already noticeable, however, is the sharp increase in attacks related to cyber incidents worldwide, with the maritime area being particularly affected. By the end of July 2020, cyber-attacks targeting the maritime sector had already risen by 400 percent since the outbreak of the coronavirus. The number of attacks in 2021 is likely to be much higher.

The maritime sector is especially vulnerable to cyberattacks because of its dependence on well-functioning technology for navigation, its communication requirements, and the logistics involved. The problem with cyberattacks is the multitude of challenges they present at different levels, requiring a multidimensional approach. It is insufficient to see cyberspace as a standalone domain. Even though NATO declared cyberspace as a fourth operational domain, stating that NATO “must defend itself [in cyberspace] as effectively as it does in the air, on land, and at sea,”2 this domain has the crucial feature of not only heavily affecting other domains but being directly linked to them. As the digitization and automation of systems progresses, this linking of cyberspace and all other classical operational domains will deepen even further. Moving from the technical to a more geographical and political perspective, cyber threats confront present even more problems that call for multidimensional analysis.

What Makes Cyberattacks so Harmful?

The irrelevance of geographical borders in cyberspace is connected to the dissolution of the linkage between attacks and a defined territory. Cyberattacks are not limited to defined geographical or political borders, and at the same time, no physical presence is needed for the execution of an attack. At the same time, increasingly wide range of possible actors are capable of performing cyberattacks, and cyber skillsets and capabilities are proliferating. While more sophisticated attacks require large financial and organizational resources and especially time, which makes them exclusive to state actors or their proxies, other types of attacks are becoming easier to perform for a range of actors. These factors can pose a challenge in how attacks can originate from even supposedly safe and stable regions. Military strategists know that attacking at the source of strength or the center of gravity is a viable approach, but even so, they might find it difficult to obtain political top cover for retaliation once they properly attribute cyber aggression.

The lack of a clearly identifiable actor in the cases of some cyberattacks presents states and private stakeholders with several problems. One of the most urgent difficulties is determining the consequences for such an attack. Without knowledge of the origin of the attack, possible responses, such as sanctions or counterattacks, are very difficult if not entirely impossible to implement. There is a lack of international contracts that define what kind of cyberattack is actually an act of war. The declaration of the need for immediate national defense of a country would be without real meaning without knowing the source of the attack.

The need for attribution is crucial because the consequences of such an attack vary depending on the attacker and their aim. While criminal groups may launch cyberattacks mainly for financial benefit, state actors could try to gain access to closely-held military-technological secrets, and competing business firms could launch attacks for the purpose of commercial espionage. Knowing the the origins of an attack establishes  options for responses.

The attribution and retaliation problem varies in its actionability for the private maritime sector. While state actors, especially national navies, should remain capable of answering an attack, private actors are often unable to answer a cyberattack appropriately, except for improving internal defenses. They usually cannot conduct offensive cyberattacks in retribution without fear of prosecution.

The indirect and often surprising nature of cyberattacks make any defense other than preemptive defense rather difficult. Even if an attack is detected, questions remain over when and how to respond to it. Should defenders try to deny access to a specific portion of a system, or should the whole system be taken offline? What should be done if an attack is only noticed when a system is already down? These are only some of the dilemmas that have to be taken into consideration and which are especially crucial for seaborne operating systems that cannot be easily shut down without major consequences.

The Vulnerability of the Maritime Domain to Cyberattacks

The key issue of maritime cybersecurity is the systemic need for reliable cyber technology while vessels’ onboard systems are aging as technology advances. While a cargo vessel is deeply dependent on communication systems while operating, it is challenging to reliably ensure a vessels’ cybersecurity during its whole lifespan. This is especially true when the average service life of a cargo vessel lies between 25 and 30 years, during which technology could have advanced greatly without the vessel’s own technological assets being updated to keep pace.  

The maritime domain consists of multiple additional gateways for cyber threats, especially related to critical infrastructure, such as facilities for energy, resource extraction and transportation, undersea cables and communications, as well as harbor and port infrastructure. Cyber threats are also becoming increasingly crucial for military purposes in the maritime domain, which cannot necessarily be neatly separated from the civil context of commercial maritime infrastructure. This is particularly evident when assessing the possibilities of blocking a critical geographic chokepoint, such as a canal, by manipulating the systems of a vessel in such a way that it physically blocks the channel, or manipulating the controls for the canal itself.

Another method would be the direct manipulation of the propulsion system of a vessel by either deactivating the propulsion or, for example, activating the bow thruster to maneuver a vessel crosswise to block a waterway. Another possibility, especially in canals or harbors that rely on locks, would consist of either manipulating these directly or causing a vessel to damage or obstruct locks, making these facilities even more predisposed to disruption. While the risk of attack against these structures are not new and the consequences are severe, as the blockages of the Suez Canal between 1967 and 1975 demonstrate, the key difference with cyberattacks is the lack of proximate physical presence of a perpetrator.

The implication that such attacks would have for both civilian and military actors can also be illustrated by the Kiel Canal in Northern Germany. By ship numbers it is the busiest artificial waterway of the world. The canal connects the North Sea with the Baltic Sea, and reduces the distance for vessels travelling from one region to the other by up to 250 nautical miles. Up to 140 million people live in the area. The importance of the canal for commercial shipping is evident, but a cyber-related closure of the canal could have major consequences strategically. It would make it more difficult for allied navies to enter the Baltic Sea in case of a crisis or conflict, thereby threatening timely access for potentially upholding alliance guarantees.

Proposals for a Multidimensional and Multi-Stakeholder Approach to Maritime Cyber Threats

These linkages between a broad set of actors that come together in the maritime domain, all depending on reliable cyber infrastructure, makes it indispensable to create a multidimensional cross-stakeholder approach to cyber threats. Multidimensional in this case means consisting of different defensive elements against cyberattacks, combining political, strategic, and legal components, while also keeping in mind the ability of cyber threats to compromise also all other domains. This makes it essential to cooperate with non-maritime stakeholders as well. Such an approach will require a considerable effort and will  confront difficulties regarding the ever-changing technical conditions and the ambiguity over the question of responsibilities in the defensive and offensive aspects of cyberspace.

International law shall be implemented to define rules regarding the offensive and defensive use of cyber operations. The Tallinn Manual 2.0, a broadly recognized publication on the relationship between international law and cyber operations, could inform the possibility of incorporating cyber operations into international maritime law.      

Apart from the law itself, implementing cyber operations into international law would create a certain degree of consent between international actors regarding the handling and use of cyber operations. These measures will not solve illegal cyberattacks, but they might provide actors a common ground of action in terms of defending against such attacks or initiating consequences or counterattacks.

Efforts should be made to clarify responsibilities for cybersecurity both within state and non-state levels. Cooperation between maritime stakeholders regarding cybersecurity is a major challenge, not because there is an unwillingness to cooperate, but because the structures and responsibilities for cybersecurity are often too complex, not clarified enough, or widely different, for example due to varying laws in different countries. A major reason for complexity is the outsourcing of cybersecurity, which is not as problematic in itself, but complicates the process of coordinating cybersecurity between stakeholders. Subsequently, the role that the state must play in ensuring cybersecurity for important maritime players should be examined critically.

This is of major importance for the naval forces of a state, which should have enough capability to defend themselves against cyberattacks and engage in cyberattacks themselves. The role of the state is also important  for private operators of harbors, critical infrastructures or energy suppliers, where service outages or interruptions would have a direct effect on national security. Therefore, reliable cybersecurity for key stakeholders of the maritime industry, infrastructure and naval forces is of high importance for the state itself, which should assess implementing methods of control or minimum standards to ensure its own national security.

One possibility of effectively connecting private and state, as well as multinational-actors, would be to conduct joint exercises or simulations. These would firstly encourage all stakeholders to ensure a comparable level of cybersecurity and secondly ensure a more efficient way of cooperative defense in case of an actual maritime cyberattack.

Joint exercises are already a key component for naval forces and ensure a level of professionalism and readiness. Some of the best examples are the numerous exercises that the Standing NATO Maritime Groups conduct year-round. Naval forces can become the prime victim of cyberattacks in case of a conflict, which makes it inevitable to include cyber defense measures into exercise programs. Such exercises would not need whole new structures since NATO has already created the basis for them by establishing its Centers for Excellence. While there are three different Centers for Excellence (COE) based on the maritime domain, there is a COE for Cyber Operations. Joint exercises between the two domains could therefore be conducted by the coordination of these Centers.

There are several ways a cyberattack can be aimed against naval forces. While some of them only affect a vessel in a non-physical way, like stealing intelligence-data, many cyberattacks will at some point affect the physical factors of a vessel. By manipulating a vessel’s systems directly, the propulsion, navigation, or weapons systems could be affected. A third-party vessel could also be attacked to cause harm to a target military vessel. This option is especially dangerous in frequently used waterways, canals, or even for vessels operating in civilian convoys or naval task groups. In a cyberattack conducted against a multinational aircraft carrier strike group, the vessel with the weakest cyber defenses could be attacked, such as a logistics vessel, even if the actual target would be the carrier. Gaining access to a target network through the weakest link could enable attacks against its strongest link.

While training against a solely non-physical attack may be of great difficulty, especially for smaller crewed vessels, it is possible to train for a cyberattack that culminates in a physical action. Since many cyberattacks can be classified as support operations to a physical attack, like manipulating a propulsion system to compromise navigation and safety, preparing for such attacks would be more feasible. At the same time, these exercises are becoming more and more urgent. More than a decade ago a computer virus was already able to ground French Navy fighters by simply compromising flight data downloads.

While the U.S. Navy is training its sailors in astronomic navigation again, which can indeed be very helpful in case of a cyber-related failure of digital navigation, the solution is not to return to pre-cyber era systems. Earning serious proficiency in offensive and defensive cyber capabilities will become fundamental. Especially in the maritime domain, with its vast interdependencies, cyber threats must be faced cooperatively to ensure a resilient and reliable cyberspace, which has become indispensable for the functioning of the global maritime commons.

Henrik Schilling is a research assistant at the Center for Maritime Strategy and Security (CMSS) at the Institute for Security Policy at Kiel University (ISPK), Germany. He is currently earning his Masters in International Politics and International Law and has recently published the German Navy Fleet Tracker Report for 2020 together with Dr. Sebastian Bruns.

References

1. Rid, Thomas: Cyber War Will Not Take Place. In: The Journal of Strategic Studies Vol. 35, No. 1, 5-32, February 2012

2. NATO Warsaw Summit Art. 70: https://www.nato.int/cps/en/natohq/official_texts_133169.htm

Featured Image: Locks at Brunsbüttel connecting the Kiel canal to the River Elbe estuary, and thence to the North Sea (Wikimedia Commons)

Podcast

Sea Control 230 – Coast Guard R&D & Unmanned Systems with Scott Craig & Bert Macesker

Leave a comment

By Walker Mills

Scott Craig and Bert Macesker join the show to talk about the United State’s Coast Guard’s R&D efforts. Scott is the Air Domain Lead for the U.S. Coast Guard’s office of Research, Development, Test and Evaluation. Bert is the Executive Director of the Coast Guard’s Research and Development Center in New London, CT. The conversation covers the current state of the Coast Guard’s unmanned programs, future development, space integration and under-water, unmanned vessels.

Note from the producers: During our recent site migration, we became aware there are two separate “feeds” for the Sea Control podcast. We have no control over the original feed, run through a site named Feedburner. On the various streaming services (Apple podcasts, Stitcher, Spotify, etc), the “old feed” is labeled as Sea Control – CIMSEC. The “new feed” is labeled simply Sea Control and includes in its description “CIMSEC’s flagship podcast…” For those fans of Sea Control, we would recommend switching to the new feed to ensure continuity, e.g. if you follow the “old feed,” episode 228 appeared with incorrect audio. Thanks to you, our loyal audience, for your continued support!

Sea Control 230 – Coast Guard R&D & Unmanned Systems with Scott Craig & Bert Macesker

Links

1. “Leveraging Unmanned Systems for Coast Guard Missions: A Strategic Imperative,” by The National Academies of Sciences, Engineering and Medicine –  Transportation Research Board, 2020.
2. “Coast Guard Begins At-Sea Testing of Unmanned Surface Vehicles to Tackle Illegal Fishing, Crime,” by Megan Eckstein, USNI News, October 15, 2020.
3. “Indonesian fisher finds drone submarine on possible covert mission,” by Helen Davidson, The Guardian, December 31, 2020.
4. “The Coast Guard Needs to Listen – Acoustically,” by Thomas V. Caero, USNI Proceedings, August 2020.

Walker Mills is Co-Host of the Sea Control podcast. Contact the podcast team at Seacontrol@cimsec.org.

Maritime Cybersecurity Topic Week

Perils of A New Dimension: Socially Engineered Attacks in Maritime Cybersecurity

Leave a comment

Maritime Cybersecurity Topic Week

By Leonid Vashchenko

Maritime digital transformation is in its most rapid and turbulent era. Such a transformation offers substantial advantages and benefits, but with commensurate risks in the cyber domain.

On June 16, 2017, the International Maritime Organization (IMO) adopted Resolution MSC.428(98) that “encourages administrations to ensure that cyber risks are appropriately addressed in existing safety management systems (as defined in the ISM Code) no later than the first annual verification of the company’s Document of Compliance (DOC) after 1 January 2021.” The same year the IMO developed related guidelines (MSC-FAL.1/Circ.3). While the resolution is a formal acknowledgement of the importance of cybersecurity by the UN agency, the guidelines highlighted that effective cyber risk management should start at the senior management level.

But even smart and elaborate risk management will not be effective until appropriate cyber awareness arises among all those engaged in the maritime world. The human element is the most valuable but also the most vulnerable in maritime cybersecurity. While modern technology affords a measure of protection against direct hacking, social engineering has become the most prevalent vector for cybercrime.

There is a popular opinion that the direct targeting of senior leaders (known as whaling attacks, or CEO fraud), is the most probable scenario for a lucrative cyberattack. In cases of success, offenders can get access to sensitive data or even entire networks and affect many processes within the system. In some cases, attackers could even get options to direct groups of ships. On the other hand, such a “whaling attack” is a complicated process with disputable chances of success. The obligation senior executives have toward cyber risk management is fast becoming a standard assumption. These leaders are becoming more and more aware of these hazards and are better maintaining prudent behavior to reduce cyber risks to themselves personally. Much simpler is the method of attempting to socially engineer other types of maritime workers, who at first sight appear less significant than executives, but who also enjoy broad access to maritime systems and networks.

There are two main groups that can be distinguished as desirable targets. The first group includes crewmembers onboard commercial vessels and naval ships, especially those who have direct access to the ship’s control systems or important elements of shipboard systems, like communications, engines, or cargo handling equipment and storage areas. The second group includes shore-based personnel, including technicians and advisors, third party contractors, especially those who have remote access to seaborne networks and contacts.

There are three critical areas attractive to attackers, including navigational systems and sensors, cargo handling and storage, and propulsion and power. In most cases the latter two elements require direct physical access to effectively access critical systems. In contrast, navigational systems are perhaps among the most advanced networked and digitally accessible systems onboard.

If cyber intruders got access to ECDIS (the Electronic Chart Display and Information System), they would be able to attempt offensive options such as jamming  or corrupting signals received from external sensors (GPS, AIS, Radar/ARPA, Navtex), gathering critical hydrographic information, and tampering directly with the Electronic Navigational Chart (ENC). While official ENCs often feature highly protected data, unauthorized access to the ENC’s manual correction option can be disruptive. Hackers could also go for the simpler option of disabling the operating systems of the ECDIS workstations, where in the majority cases this is a commonplace Windows operating system, and not necessarily the latest version. With the highly integrated bridge navigational systems of modern chemical tankers and passenger ships, attackers could even target the ship’s auto-steering algorithm.

Unauthorized access to such an important navigational system can be obtained with malware accepted by equipment operators via their email client and personal social media profiles. Today, with the internet widely available onboard modern commercial vessels, shipboard personnel can freely use their personal mobile devices or laptops for web access and private communications. At the same time, cybersecurity hygiene and best practices are often neglected, and the same personal devices can be used for operational data storage and transfer, including transferring data to and from ECDIS workstations.

Imagine a scenario where a chemical tanker was chosen as a target by a hacking group. Information regarding the vessel’s static and dynamic (course/speed/position) data, crew composition, type and quantity of cargo, destination, captain’s name, and other items of interest could be collected from the web. Attackers could search and exploit the social media networks of crewmembers, preferably the targeted vessel’s bridge team member. The task is made easier by social media networks and websites focused on professional groups and employment.

During the second stage, the stage of evaluation, the opted profile is carefully examined by the offenders for weakpoints. Nowadays, the majority of social media users are registered across several platforms, such as those focused on personal and professional connections, as well as entertainment preferences. Therefore adversaries can gain information not only about the mariner’s place of service but also about their family, hobbies, places visited, and other information that could be relevant to designing a socially engineered attack.

Their objective will be to obtain unsanctioned admittance into the vessel’s systems. The targeted person can either be blackmailed or contacted by a fake profile of a trusted contact with the aim of dispatching malware via the victim’s access. An untrained and unaware navigational officer could install the malicious software to the navigational computer, under the guise of ‘colleague’s friendly tip.’  

A socially engineered attack can be made to seem more credible when shore personnel, such as technicians or support desk members, are targeted. With almost the same measures in searching, evaluating, targeting, and hacking, perpetrators can infiltrate and attack even larger groups of ships due to how shore professionals often have access and jurisdiction over many vessels.

More nefarious intentions could include causing a chemical spill, setting a ship on a collision course with a naval ship or a passenger vessel, or damaging critical shore-based infrastructure. In respect of these scenarios, maritime cyber threats should be considered as a matter for the International Ship and Port Facility Security Code (ISPS), and not only the International Safety Management Code (ISM). The ISPS code consolidates various constructive requirements so that it can achieve certain objectives to ensure the security of ships and ports.

There are some important requirements under the ISPS. The security-related information exchanges among the appropriate contracting agencies, both government and private, include collecting and assessing the obtained information and further distributing it. Correspondingly, definitions are included for the relevant communication protocols for vessels and port facilities for uncomplicated exchanges of information. Another important element is attempting to prevent any unauthorized access on a vessel, port facility, or other important restricted areas. Even if unsanctioned entry is not a threat, it is always regarded as a potential danger.

The ISPS also regulates provisions of different options for alarm-raising in case a security-related incident is encountered or potential danger is evaluated. It seems logical enough to apply similar requirements for maritime cybersecurity. There are several main tasks to consider: cybersecurity information collecting, evaluation and exchange between concerned parties; prevention of unauthorized access; malware and spyware installation or transfer; and appropriate training of personnel.

Eventually, regulation should be introduced regarding the human element. Specifically, trainings and exercises should be introduced for vessels’ crew and port facilities’ staff to ensure their awareness with the security plan and that there will be no delay in procedure execution in case of a real threat. Advanced cybersecurity training and education should be encouraged, especially for critical staff like watchkeeping officers or engineers. The purpose of such an education would be to gain knowledge and develop skills in cybersecurity in order to anticipate threats at early stages. Trained personnel should also be ready to prevent unauthorized access to critical equipment and systems and be vigilant for particular malfunctions that could be caused by illicit infiltration. In cases of potential penetration, staff should be skilled enough to insulate affected areas of the system without losing control of the vessel. Their proficiencies should include the ability to manage a transition to emergency manual control and utilizing classic techniques in seamanship and communication.

Maritime security, through cybersecurity, will become a much more complex endeavor. It will require a considered combination of the human element, technical innovation, management procedures, security protocols, and classical maritime know-how. Considering the lack of cyber-awareness among some mariners, a transfer of malware from a personal device to a ship’s navigational system is just a matter of time. The international maritime community should accelerate and strengthen efforts to develop adequate measures to withstand future challenges in the maritime cyber domain.

Leonid Vashchenko is a professional mariner, currently serving as a chief officer on board ocean-going commercial vessels. He holds a Masters Degree in Marine Navigation from the National University “Odessa Maritime Academy,” Ukraine, and is a active member of the Nautical Institute, London. His views are his own and do not necessarily represent the official views or policies of the organization or companies he is employed with.

Featured Image: Hamburg port (Wikimedia Commons)

Fostering the Discussion on Securing the Seas.