Ransomware: The IT Danger on the Horizon
Two decades into the 21st century, we’re seeing a growing and pernicious threat to global information security: ransomware. Even non-technical people have heard of it in passing, but its broader implications haven’t yet penetrated the public consciousness. In some industries that general lack of awareness could be a serious problem, and the maritime sector is a good example.
Ransomware hits at the confluence of two critical trends in modern technology: the ever-increasing integration of IT systems into daily life, and the interconnectedness of those IT systems. In its 2019 midyear report “Evasive Threats, Pervasive Effects,” Trend Micro recorded a 77% increase in ransomware detections between the second half of 2018 and the first half of 2019, and nothing in that trend suggests the threat will ease.
So how does this affect the maritime industry? And how should a global business network struggling with technology integration across the board deal with this aggressive mode of attack?
Over the last 10 years, the integration of operational technology (OT) and information technology (IT) systems in the maritime environment has accelerated dramatically. Onboard ships, modern network technologies allow for greater control and monitoring of engineering and mechanical systems, leading to increased reliability and efficiency for vessel operators. For ports and other infrastructure hubs, many key industrial systems are now reachable from the outside world because they are networked with internal IT-based control systems. Autonomous cranes and driverless flatbed vehicles are now crucial elements in the world’s largest ports.
Yet the threats that get the greatest attention are not always those that pose the most imminent danger. Attacks that could cause safety-critical failures are theoretically possible; in fact, NCC Group has modelled such attacks with customers. However, the cascade of physical and technical failures required for this contingency remains highly unlikely. This kind of damage requires malware that is specific to the target system and broad enough to override manual safety checks. The best-known confirmed instances of such attacks in the wild are Stuxnet and ‘Crash Override’ (also known as Industroyer), both highly targeted, nation-state-level operations.
The real risk is disruption. The attacks on the Port of San Diego, COSCO and Maersk underline how heavy reliance on IT systems, coupled with huge outage costs, makes this a serious concern for the industry. Maritime facilities were put on high alert after news broke of a ransomware attack during the Christmas break: the ‘Ryuk’ ransomware apparently penetrated a Maritime Transportation Security Act (MTSA)-regulated facility through an email phishing attack, potentially gave the attackers access to important network files, and disrupted the port facility’s operations for over 30 hours.
Ports across the country and the world are learning from this new breed of attack, where targets are often opportunistic rather than deliberately chosen. For most of the world’s port operators, protection from cyberattacks, and ransomware in particular, is a top concern at board level, and many are collaborating on defense strategies. The first pan-U.S. Maritime Cybersecurity Conference, focusing on port and vessel security, took place in Walnut Creek last December and brought together experts from across the industry to improve understanding of these threats.
Here’s the takeaway at this point: Ransomware attacks are inevitable, and port or vessel operators need to plan accordingly. Building defenses is important, but it’s also vital to have a robust and rehearsed response and recovery plan that can help to alleviate the damage.
For ransomware prevention, efforts must always begin with people. Ransomware typically relies on a user action, such as opening a malicious attachment or following a link to a spoofed site, to gain its initial foothold; business users must be trained to recognise malicious emails and spoofed websites so that fewer of those footholds are ever established. Training reduces the number of successful lures but never eliminates them, so robust mail-filtering systems that check sender authentication, reply-to mismatches, look-alike domains and risky attachment types add another line of defense. Helping users and administrators recognise signs of compromise in their systems, and advising them on the best responses, is also key to avoiding the wide-scale spread of ransomware across networks.
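The filtering checks mentioned above, as an added example (not NCC Group’s code or any product’s logic): a small triage script that parses raw inbound messages and flags the indicators a phishing email aimed at a port operator commonly shows. The trusted domains, the two sample messages, the attachment-extension list and the edit-distance threshold are all constructed assumptions for illustration.

```python
"""
Triage inbound e-mail for common phishing indicators.

Added example, not NCC Group code. Domains, addresses and the two
messages below are constructed; TRUSTED_DOMAINS, RISKY_EXTENSIONS and
the edit-distance threshold are assumptions, not a vendor's rule set.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from typing import List, Optional

# Assumption: domains the organisation treats as its own or its partners'.
TRUSTED_DOMAINS = {"harbour-ops.example", "vessel-agent.example"}

# Assumption: extensions that commonly carry a first-stage loader.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm", ".iso", ".lnk", ".zip"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch look-alike domains such as '0' for 'o'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates: close to it, but not equal."""
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and levenshtein(domain, trusted) <= 2:
            return trusted
    return None


def triage(raw: bytes) -> List[str]:
    """Return indicator strings for one raw RFC 5322 message; empty means nothing flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []

    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)

    # 1. Display name carries a trusted domain that the real sender address does not use.
    for token in re.findall(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}", display_name):
        if token.lower() in TRUSTED_DOMAINS and from_domain != token.lower():
            findings.append(f"display-name-spoof:{token.lower()}")

    # 2. Replies silently go somewhere other than the apparent sender.
    reply_domain = domain_of(parseaddr(str(msg.get("Reply-To", "")))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to-mismatch:{reply_domain}")

    # 3. Sender domain is a near miss of a domain we trust.
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"lookalike-domain:{from_domain}~{imitated}")

    # 4. SPF/DKIM/DMARC verdicts. Only meaningful when this header was stamped by
    #    your own gateway, which must also strip any copy arriving from outside.
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(fail|softfail)\b", str(header)):
            findings.append(f"auth-{verdict}:{method}")

    # 5. Attachment types that commonly carry a first-stage loader.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if any(name.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
            findings.append(f"risky-attachment:{name}")

    return findings


# Constructed sample: a lure impersonating the harbour operations desk.
PHISH = b"""From: "ops@harbour-ops.example" <ops@harbour-0ps.example>
Reply-To: billing@mail-drop.example
To: crew@harbour-ops.example
Subject: Berthing invoice - action required
Authentication-Results: mx.harbour-ops.example; spf=fail smtp.mailfrom=harbour-0ps.example; dkim=none
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached invoice today.
--b1
Content-Type: application/octet-stream; name="invoice_4471.docm"
Content-Disposition: attachment; filename="invoice_4471.docm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed sample: a genuine internal message.
LEGIT = b"""From: "Harbour Ops" <ops@harbour-ops.example>
To: crew@harbour-ops.example
Subject: Berthing schedule for Thursday
Authentication-Results: mx.harbour-ops.example; spf=pass smtp.mailfrom=harbour-ops.example; dkim=pass
Content-Type: text/plain

Schedule attached to the shared drive, no action needed.
"""


def triage_samples() -> dict:
    return {"phish": triage(PHISH), "legit": triage(LEGIT)}


if __name__ == "__main__":
    for label, hits in triage_samples().items():
        print(label, "->", hits or "clean")
```

Each indicator on its own is weak (a genuine mailing list sets Reply-To, a genuine partner may not sign with DKIM), so a gateway would score them rather than block on any single hit; the value of the script is showing which structural features of a message the filter can check without relying on the recipient to notice anything.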
Strong network segmentation combined with robust incident response processes offers the best protection against catastrophic outages, because it limits how far an infection can travel from the first compromised host and buys responders time to contain it. It also makes restoration from well-managed backups more effective, provided those backups are kept isolated from the networks they protect, since ransomware routinely encrypts or deletes any backup it can reach, and provided the restore procedure has actually been rehearsed rather than assumed to work.
Again, the maritime sector faces the same threats as most other sectors. The reliance on IT systems for critical operations, and the integration of IT systems into the operational technology stack, has massively increased in a very short space of time: Even 10 years ago, most ships had no internet access. Today, many are effectively floating branch offices, and they need to ramp up the level of protection just as fast.
About the author
Brendan Saunders is a Technical Director and Maritime Lead of the Transport Assurance Practice at NCC Group (https://www.nccgroup.trust/us/), a global cyber security and risk mitigation specialist. In 2016 he assisted in the development of the BIMCO Guidelines for Cyber Security Onboard Ships, now the de facto cybersecurity standard for vessel operators, and he continues to advise on the development of these guidelines. He also serves on the Board of Directors of CIRM (Comité International Radio-Maritime), the international association for marine electronics companies, and as Chair of the CIRM Cyber Risk Working Group, which fosters relations between all organizations concerned with electronic aids to marine navigation, communications and information systems. Outside of work, Saunders serves as an Officer in the Royal Naval Reserve, where he leads teams in challenging situations and briefs senior command staff on complex technical issues.