Desperate for information, a work-at-home employee of an industrial port tenant clicks on what appears to be an official looking source promising the latest Covid-19 updates, only to innocently launch malware that for a time disables his employer’s GPS system.
Experts say the risks of such a hypothetical scenario occurring within the vulnerable maritime and offshore communities has grown appreciably as the coronavirus has forced most offices to lock down. This left information technology (IT) specialists scrambling to ensure updated security patches are installed on widely dispersed computers and has intensified monitoring of their respective networks for signs of malicious malware, ransomware and email phishing.
Advancing digitalization and connectivity, combined with more employees exiled to work from remote and sometimes poorly secured locations, has provided fertile ground for cybercriminals set on injecting their own brand of virus into the pandemic-induced anxieties of companies from the inland waterways industry to the deepwater Gulf of Mexico.
“This experience reinforces that cybersecurity has got to be a focus for everyone,” said Jennifer Carpenter, president and CEO of the American Waterways Operators, Arlington, Va., which, so far, has helped headed off any network disruptions to its tug and barge company members. “It doesn’t matter where you’re located, the size of your operation, or the complexity of your operation, we all have to make sure we have the network system that will get us through unusual events.”
The maritime sector is well-versed in monitoring and initiating response plans to unfolding events like slow-developing hurricanes, but the full brutality of Covid-19 slammed the U.S. quickly and with unexpectedly dire health and economic consequences.
“I think it caught a lot of people off guard,” said April Danos, director of homeland security and technology for the Greater Lafourche Port Commission, Port Fourchon, La. The southern Louisiana port is widely recognized as the world’s premier deepwater oil and gas service and supply base. “When this all started happening, I put my security team on high alert and upped the vigilance of our network. I could see what was coming, so we got proactive. We want to be efficient, but we still have to be secure.”
In a joint advisory issued on April 8, the U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and its UK counterpart warned that “a growing number of cybercriminals and other malicious groups online are exploiting the Covid-19 outbreak for their own personal gain.” However, putting a precise number to the threats or the dollars lost to cybercrime is inexact, at best. Save for widespread disruptions, like the heavily publicized Maersk malware attack in 2017, most companies elect to quietly and internally resolve cyberissues, mainly to save face or preserve client relationships.
“There are more of these cyber related instances coming to the forefront,” said Arinjit Roy, vice president, North America, for the American Bureau of Shipping (ABS) in Houston. “There have been quite a few already. Some we’ve heard of, but many others kind of go under the radar. This will become more prominent.”
As Covid-19 restrictions laid bare the soft underbelly intrinsic of many remote communication and teleconference technologies, many companies, like those engaged in offshore oil gas development, had recognized the criticality of maintaining network security well before the virus’s furious stampede across the nation. “We’ve been seeing more and more companies asking us to show up and do a breach assessment or a compromise assessment,” said Dr. Mate Csorba, global service line leader for cybersecurity, DNV GL Digital Solutions Group.
CHANGING COURSE
Given the travel risks associated with the highly contagious new coronavirus, DNV GL had to redefine the “show up” component during the late March execution of a planned cybersecurity assessment for a Gulf of Mexico asset. Normally, a certified ethical hacker would be installed aboard the asset to simulate a cybersecurity breach and evaluate the company’s vulnerabilities to a major attack. With travel off the table, the Maritime Advisory and Digital Solutions groups collaborated closely with the client to enable the assessment and penetration tests to be carried out remotely between client personnel and DNV GL offices across three countries.
“We shipped hardware that was installed inside the company and could be remotely controlled,” Csorba said from his office in Trondheim, Norway, where he works with clients from the maritime, offshore oil and gas and utilities industries, among others. “Basically, we simulated an attacker on the inside of the corporate network and if a breach happened, we then looked at what the attacker can do from there, and what are the vulnerabilities offshore that an attacker would be able to exploit.”
A second remote assessment was underway in Europe in May.
Though cybersecurity occupies a high profile among many companies, especially within the increasingly digitized offshore oil and gas arena, Csorba said the pandemic has further driven home the need for companies to elevate cybersecurity to a level equal to their uncompromising safety programs. “Generally, there is very good safety awareness within the oil and gas industry and there should be equally good security awareness, because there’s no safety without security.”
Any renewed focus on cyberawareness, he said, must begin and end with the human factor. “Even before Covid, what we’ve seen from assessments is that some of the major threats you have in offshore cybersecurity come from the crew taking short cuts. They often breach natural segregation by not following policies and procedures, by installing (contaminated) USB devices in drive ports, making networks connections they’re not supposed to make, and thereby circumventing the technical defenses that are out there. The crew also has onboard email access, so that’s a primary threat factor, even more so than remote access.”
Indeed, the mass office exodus reinforces the weight that must be placed on enforcing corporate security policies, even when the user is working outside the office-based firewall, said Robert Guidry, chief technology officer at Global Data Systems (GDS).
GDS is a Lafayette, La.-based IT managed service provider with complimentary desktop and security management technologies designed to secure data centers, networks and the critical end points. “This is where we get into end point security, and making sure the users, even though they are disjointed from their regular corporate networks, still have a governance about them,” Guidry said. “Which websites can they reach and, more specifically, which ones can they not reach, to make sure they are not subjected to malware or ransomware activities.”
Widespread work-from-home orders also further exposed the technical vulnerabilities of popular telecommunications technologies, which were on the rise well before the blanket pandemic lockdowns. “What happened with Covid is that the hackers started looking at these remote collaboration tools,” Csorba said. “Recognition of the vulnerabilities of remote access was rising before Covid, so hopefully now it will get more focus.”
He said the longer offshore hitches resulting from Covid-related crew change difficulties provides an ideal training window for improving cyberawareness.
Guidry agreed, emphasizing that even with top-of-the line security measures, “no one will ever be 100% secure. Along with technical solutions, we have to stress end-user education. Phishing training campaigns, for instance, are very important.”
PORTS TARGETED
In the early days of the Covid-19 assault on the U.S., Coast Guard Commandant Adm. Karl Schultz spoke of port vulnerabilities during his annual State of the Coast Guard address in February. While not pointing specifically to the then emerging threat, Schultz said over the past year the service’s new Cyber Protection Team had been dispatched to New York, New Orleans and elsewhere as part of an intergovernmental response to what he described, as “an emerging vulnerability in the increasing cyberattacks targeting our ports.”
The Lafourche Port’s Danos said conversations with her peers show that ports and maritime interests have “absolutely” seen more targeted hits amid the pandemic. The 60-year-old port, however, managed to avoid any cyberissues and remained secure, even as most of its employees were forced to work outside the port’s Galliano, La., administrative office.
“We’ve been very safe here so far,” Danos said. “There’s always issues with people working at home and one concern is the wireless networks and how they’re being segregated and if they’re being segregated. We advise people working at home to make sure your business wireless is on a segregated channel, so you don’t have that crossover between personal and business.”
More than 250 different companies, with varied levels of cyberprotection, use Port Fourchon as an operational base. Louisiana’s southernmost port also is home to the separately managed Louisiana Offshore Oil Port (LOOP), the nation’s only deepwater oil export and import terminal with drafts capable of accommodating very large crude carriers (VLCC). With Port Fourchon’s strategic importance to U.S. energy infrastructure, security gets top billing and the initiation of established response plans critical for any impending threat.
Danos said that pandemic response protocol included installing updated security patches without interruption while the work-at-home mandate was in effect. She emphasized, however, that any security upgrade is never a one-and-done proposition. “Just because you’re working from home doesn’t mean you don’t continue to patch. But this not something you fix one time and never touch again. You may put up a gate or fence on the physical side and hope it blocks out the bad people, but in cybersecurity you’re constantly having to upgrade, because they are constantly trying to get ahead of you.”
While the port and its tenants operate under totally different networks, Danos said it is incumbent on her security team to help all companies operating out of the port stay secure. “As a port authority, our goal is to try to help everybody stay cybersecure, especially with so many working from home. It’s important that I know what my tenants’ cyber posture is, because if they’re not doing proper cyber hygiene to protect themselves, the port could get shut down and that would impact us all.”
Danos said tenant outreach includes sharing the pertinent alerts and updated information that come only from trustworthy sources such as CISA, the Maritime Transportation System–Information Sharing Analysis Center (MTS-ISAC), and the American Association of Port Authorities (AAPA). “We also do cyberassessments every year and cyberawareness training for our employees and tenants, which is paying off with everybody working at home,” she said.
Among the port’s largest tenants is Edison Chouest Offshore (ECO). The Cut Off, La.-based offshore service vessel operator has built, what it claims, is one of the maritime sectors most robust cybersecurity infrastructures. Other than adding a small section to the business continuity plan to address the pandemic, ECO Fleet Cybersecurity Manager Joseph Jaubert said the company had no need to develop any special crisis response. “We haven’t really needed to change anything, because we had some of maritime’s highest cybersecurity standards way before any of this,” he said. “We’ve been ahead of the curve for years and was doing this when nobody else even thought it should be done.”
MARITIME VULNERABILITIES
That alone puts Edison Chouest in an exclusive club within the maritime community, said GDS sales consultant Justin Getzinger, who works exclusively with inland marine, offshore maritime and offshore oil and gas clients. “Before this pandemic came to the doorstep of the maritime and offshore sectors, a basic survey of maritime companies showed that 70% were unprepared for a cyberattack,” he said. “They either lacked a business continuity plan or lacked the resources just to be able to identify when an attack was happening, detect where the attack was happening, and mitigate it in an organized fashion.”
Getzinger, who worked 12 years for a major vessel operator, said the maritime industry’s susceptibility to cyberattacks can be traced, in no small part, to 2015 and the height of the previous oil and gas industry downturn, which filtered down to supporting industries. With companies operating in survival mode, the limited capital available was allocated only to what was deemed absolutely critical to maintain operations. Cybersecurity did not qualify.
“What I saw firsthand among many clients across the industry was that a lot of IT managers and IT staff struggled to get executive management buy-in,” he said. “They were unable to communicate the importance of identifying cyber risks on a regular basis and communicate the impact of those risks if they’re not addressed. This (Covid-19) is a great opportunity for IT managers to have the leverage they may not have had previously to get executive buy-in.”