A rash of incidents in which outsiders have tried to gain access to commercial vessel operations has prompted the Coast Guard to issue an alert to mariners and remind vessel owners, operators and masters of their regulatory obligation to report suspicious activity and security breaches to authorities.
The alert came in the form of a May 24 Marine Safety Bulletin informing the maritime community of “recent email phishing and malware intrusion attempts” that target commercial vessels.
The bulletin said that “cyber adversaries are attempting to gain sensitive information including the content of an official Notice of Arrival using email addresses that pose as an official Port State Control authority....” Foreign vessels are required to file these notices at least four days before arrival at a U.S. port to help the Coast Guard prioritize vessel inspections.
The Coast Guard said it has also received reports to its National Response Center (NRC) from vessel captains about malicious software designed to disrupt shipboard computer systems.
The Coast Guard urges vessel operators and managers to verify the validity of the email sender prior to responding to unsolicited messages. If uncertain, they should directly contact the Port State Control authority using a verified contact number.
Vessel owners are also urged to review their cyberdefense and response measures.
Federal law requires the reporting of such suspicious activity, which enables the Coast Guard and other federal agencies to research and respond to cyberthreats across the global maritime network. The reporting requirement applies to all vessels that must follow maritime security regulations, including U.S.-flag vessels subject to the Safety of Life at Sea Convention, and foreign commercial vessels in U.S. waters.
There are two ways to report cyber incidents. For suspicious activity and breaches of security, a report should be made to the NRC at 1-800-424-8802. For cyber attempts/attacks that don’t impact vessel operations or result in a pollution incident, owners or operators could alternatively report to a 24/7 National Cybersecurity and Communications Integration Center at 888-282-0870.
The Coast Guard bulletin was triggered by a series of targeted attempted cyberattacks against commercial vessels operating near New York, according to H. Allen Black, a partner in at Winston & Strawn, a Washington, D.C. law firm that specializes in maritime law. He wrote in the firm’s MaritimeFedWatch blog that the email phishing attempt occurred aboard a commercial vessel in the vicinity of New York in January and requested information about the vessel, its crew and cargo. “The master recognized that the email appeared false and managed the incident under the vessel’s security plan for cyberincidents, including a report to the local Coast Guard sector,” he said.
Then in March, a different commercial vessel operating in the same area received an email on its satellite communication system also simulating a port state control communication and requested information on whether the vessel had explosive or radioactive cargo onboard, Black wrote.
Additionally, last fall, vessels operating in the Eastern Mediterranean, the Suez Canal and near Saudi Arabia reported significant GPS interference, known as spoofing. This resulted in lost or otherwise altered GPS signals affecting bridge navigation, GPS-based timing and communications equipment, according to the Coast Guard.
As part of its four-year strategic plan, the Coast Guard is actively working with the U.S. maritime industry to prevent cyber breaches. Last year in cooperation with the Coast Guard, the American Waterways Operators released “best practices” guidelines for tugboats, towboats and barges to help them manage cyberrisks that they could face on the waterways. Meanwhile, the International Maritime Organization has set a January 2021 deadline for shipping companies to incorporate cyberrisk management into their Safety Management Systems.
Despite these efforts, the global maritime industry needs to do more to protect itself from cyber intrusions. There is still a “false confidence” that if a shipping company has implemented basic IT security on its vessels than they are safe, Daniel Ng, CEO of CyberOwl, a U.K.-based cybersecurity firm, wrote in a May 21 article in Marine Electronics and Communications magazine.
Shipping companies need to follow the example of non-maritime companies that have appointed a chief security officer to be responsible for both IT and OT (operational technology). He also said there’s a “naive assumption that cyber incidents are easy to detect,” and that shipping companies aren’t taking seriously that losing the integrity of positioning data poses serious threats.
Ng cited a common problem in the maritime sector. “Cybersecurity is still being dealt with as an IT problem, but IT directors are typically afforded limited decision-making powers and small budgets.”