By Nicholas A. Glavin
Introduction
The American maritime shipping industry is one of the most vulnerable critical infrastructures (CI) to ransomware and other forms of cybercrime. Maritime shipping accounts for 90-94 percent of world trade; any disruption to this sector will adversely affect the American economy and international trade more broadly. The July 2017 NotPetya ransomware attack that affected Maersk, a Dutch maritime shipping company, prompts timely action to protect American maritime infrastructure as the industry is ill-prepared to prevent and respond to attacks of this sophistication and scale. The recommended course of action encourages the U.S. Government to subsidize cybersecurity and training horizontally and vertically across the maritime shipping industry through the U.S. Coast Guard (USCG).
Cyber Assaulting Maritime Commerce
Any disruptions to global shipping companies, sea lanes of communication, or maritime chokepoints will have potentially disastrous implications for the economies and the supply chains of the U.S. and the global community. The economic impacts of cyber disruptions and damage to ships, ports, refineries, terminals, and support systems is estimated to be in the hundreds of billions of dollars. Moreover, the second- and third-order effects of a cyber attack are not limited to the maritime sector of CI; if more than one port is disrupted at the same time, a greater impact is “likely to occur” for the Critical Manufacturing, Commercial Facilities, Food and Agriculture, Energy, Chemical, and Transportation Systems of the nation’s CI.
Ransomware attacks eclipsed most other cybercrime threats in 2017. The July 2017 NotPeyta ransomware attack highlighted the vulnerabilities of the maritime shipping industry to cyber disruptions. One of the most high-profile victims of this ransomware attack included the Dutch maritime shipping company Maersk. The company estimates upwards of $300 million in losses from the attack, the majority of which relates to lost revenue. Maersk continued operating for ten days without information technology (IT) until its networks were back online, despite ships with 10,000 to 20,000 containers entering a port every fifteen minutes. NotPetya shut down several ports worldwide, reduced Maersk’s volume by 20 percent, and forced the company to handle the remaining 80 percent of its operations manually. Maersk was forced to replace 45,000 PCs, 4,000 servers and install 2,500 applications.
The maritime shipping industry is highly vulnerable to cybercrime – in particular, ransomware – because of its lack of encryption, increased use of computer services, a lack of standardized training in and awareness of cybersecurity among crew, the sheer cost of defending the maritime IT enterprise, and industry-wide complacence towards cybersecurity. Several navigation systems such as the Global Positioning System (GPS) and the Automatic Identification System (AIS) are neither encrypted nor authenticated, thus being a soft target for cyber criminals. Jamming or spoofing of these systems can ground ships or make two collide, which can close a port or shipping channel for days or weeks depending on the severity of the incident. Disruptions to Industrial Control Systems (ICS) can lead to injury or death, release harmful pollutants, and lead to extensive economic damage across the maritime shipping industry.
Course of Action A: Federal Subsidies for Mandated Cybersecurity Awareness and Training
A Federal Government-enabled focus on prevention and response would proliferate horizontally and vertically across the maritime shipping community. This approach subsidizes the buy-in for industry to approach cybersecurity as a cost-effective asset. Simultaneously, this educates lower echelons of the workforce on digital hygiene to understand the transmission of ransomware and other forms of cybercrime. A positive consequence is the mitigation of industry lacking robust cybersecurity capabilities due to complacence and overhead costs. This is highly probable due to NotPetya’s wake-up call to industry and the existing public-private cybersecurity partnerships.
As the lead agency responsible for maritime cybersecurity in the U.S., the USCG issued a cybersecurity strategy in 2015 to identify best practices and voluntary measures. However, others may argue it is not the place of the U.S. government to subsidize cybersecurity best practices, facilitate compliance, and serve as the arbiter of how industry should train and defend against ransomware and other forms of cybercrime, thus opting instead for only industry-led approaches.
Course of Action B: Leverage Manual Operations and Dated Communications Technologies
This no- and low-tech approach encourages the use of manual navigations operations and older long-range navigation (LORAN) systems to circumvent disruptions to navigational and operational systems. A positive consequence of this approach is the standardization of backup operations for seamless continuity of operations on land, while also mitigating the overreliance on technology at sea. This is a probable course of action given the existing LORAN infrastructure and Maersk operating at 80 percent capacity during the NotPetya attack. A negative consequence is a proliferation in ransomware attacks deliberately targeting this industry since the approach would be passive in nature. This is also probable in occurring given the interconnectedness of the maritime sector to other CIs. However, others may argue that manual training and a functional secondary means of communication mitigates adverse costs from future ransomware attacks.
Conclusion
Course of Action A provides the highest return on investment to address the ransomware threat to the American maritime shipping industry. This prevention-focused and proactive approach will induce a top-down, lateral, and public-private approach to address maritime cybersecurity. While Course of Action B identifies the existence and use of alternative approaches to circumvent – or, at worst, mitigate the consequences of – a ransomware attack, it fails to place a premium on industry-wide digital hygiene which is arguably the most cost-effective, scalable, and fastest approach to ransomware prevention.
Nicholas A. Glavin is a candidate for a Master of Arts in Law and Diplomacy (MALD) from The Fletcher School at Tufts University. He previously worked as a researcher at the U.S. Naval War College’s Center on Irregular Warfare and Armed Groups (CIWAG). The views expressed are the author’s own and do not represent those of the U.S. Government. Follow him on Twitter @nickglavin.
Featured Image: Albert Mærsk in the 70s (Wikimedia Commons)
I believe that Maersk is Danish.
Lars, during a tour of the Miami container port many years ago the guide made exactly the same mistake, claiming that Maersk was based in Amsterdam. So, deja vu all over again!
Thomas, I would have accepted Sweden. https://www.etc.se/inrikes/hon-tjanade-946-miljoner-forra-aret
I was curious about your LORAN comments, since North America took it offline in 2010 and much of the rest of the world shut theirs down by 2015.
There is interest in the US and other countries in adopting eLORAN (enhanced LORAN), which operates on the same principles as LORAN did, but with a smaller footprint, less maintenance, and more accuracy – +/- 8 meters, which isn’t quite good enough for precision missiles, but will certainly tell you if your ship is in the wrong part of the ocean.
There has been increasing R&D in the military services around modernizing & automating traditional navigation techniques to avoid GPS jamming concerns. For example, using sensors to automate celestial navigation. Advancements in technology enable sensors to conduct celestial observations both day and night, in a wide variety of environmental conditions, with far greater accuracy than human observations.
One such program is CosmoGator: https://athenanavy.wordpress.com/2014/02/06/project-pulse-cosmogator/
Also, this article discusses a wide variety of avenues being pursued by the military to counter GPS disruption:
http://www.nationaldefensemagazine.org/articles/2018/1/4/spoofing-risks-prompt-military-to-update-gps-devices
The commercial industry will follow suit when the economics of their business demand they do. Efforts to protect maritime shipping from cyber attacks must be a public-private partnership.