Weston Hecker may wear a metaphorical white hat, but his main role is playing the bad guy.
Hecker is an ethical hacker in the Houston office of Virginia-based Mission Secure Inc., one of a host of technology companies that provide platforms and products engineered to help the progressively digitalized maritime community curb an alarming increase in cyberthreats. Without guardrails in place, experts say the flat operational technology (OT) systems that control the physical operation of a vessel, in combination with new-generation monitoring sensors and multiple third-party vendors, offer clear pathways for cyber outlaws to inject potentially catastrophic viruses that can disrupt everything from navigation to the manipulation of critical valves.
Recognizing the growing threat, the International Maritime Organization (IMO) this year requires that safety management systems include appropriate cyber risk strategies as part of the annual verification audit. To comply, companies first have to identify their weak spots, which typically means penetrating and assessing their existing OT systems. That’s where folks like Hecker come in.
“We take the same approach any bad guy would,” he said. “Basically, we’re contracted to hack their environment and tell them how to fix it before the bad guys exploit their weaknesses. The last pentest (penetration test) we did, we found five different ways to get in.”
The company takes a “holistic approach” in assessing cyber fitness before deploying a protective platform that is monitored 24/7 for any suspicious activity. Particular emphasis centers around the various third-party vendors managing individual OT-controlled onboard functions, said Don Ward, senior vice president, global services. “We position our (platform) design to protect the vessel from the third parties and protect the third parties from the third parties themselves. And we can protect the vessel from incoming VSAT-based (satellite) connectivity.
“We’re down there on the control systems, monitoring the end use, including the propulsion, the ballast and even the bridge and navigation,” Ward continued. “In maritime, the navigation concerns are huge. If you hack that you can really impact the state of that vessel.”
In what it describes as an industry first, Mission Secure joined forces in late January with U.K. maritime law firm Ince Group Plc to integrate legal and ancillary services with its OT cybersecurity technology platform. The newly established InceMaritime alliance advises vessel owners on IMO 2021 cyber compliance and offers associated legal and professional services such as negotiating insurance premiums, which can fall significantly if companies prove they are compliant. “We’ve had several customers that have reduced their insurance premiums enough that it has paid for their entire assessment as well as the platform,” Ward said.
CYBERATTACKS INCREASE
Adoption of the IMO 2021 cyber guidelines could not have come at a more opportune time.
Citing data from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and other public sources, Mission Secure said attacks on maritime OT systems have increased 900% over the past three years. The risks were magnified last year as Covid forced many shore-based employees to work remotely and, in the process, exposed connectivity soft spots that elevated the risks of malware, ransomware and the like being transmitted offshore.
“Every year it’s rising, but Covid had the biggest impact,” said Ward. “The new Covid economy era we’re in will not go away completely. People realize they can get more out of their employees by having them work at home and that opens up more remote access into these typically easily compromised environments.”
As adopted, the blanket IMO 2021 mandate was found incompatible with the peculiarities of certain sectors, like the tug, towboat and barge industry, according to the American Waterways Operators (AWO). Consequently, the Coast Guard (USCG), although it enforces rather than develops policies, worked with AWO “to develop a set of cyber risk management best practices tailored to and for voluntary adoption by tugboat, towing and barge companies,” said AWO Director of Regulatory Affairs Caitlyn Stewart.
“We found that the guidance for ships wasn’t a good fit. Towing companies are incredibly diverse in size and complexity. Some have thousands of employees and hundreds of vessels, all managed with complex informational and operational systems, while others employ only a small number of mariners, operate one or two boats and still keep paper records. Given this diversity, the safeguards necessary to protect one company’s cyber system may not be practical for another,” Stewart said in an AWO-sponsored webinar earlier this year.
To enable companies to visualize the state of their preparedness against malicious attacks, information technology (IT) managed service provider Global Data Systems (GDS), Lafayette, La., recently rolled out a matrix that assigns clients an applicable cybersecurity maturity level. “What we’ve come up with is a framework where we’re able to assess the client’s environment, and review what cybersecurity solutions and risk management activity they’ve employed to date,” said Senior Business Development Manager Justin Getzinger, whose clientele comprises maritime and oil and gas companies. “What we’ve found is that in order for clients to really view their cybersecurity maturity level in a meaningful way is to create a structure that allows them to understand what they have in place today to protect them and where the gaps are.”
Plugging those gaps means working around companies’ refusal to report cyberattacks. While incidents like last year’s sweeping breach of SolarWinds Inc. are highly publicized, individual companies fear the commercial and reputational blowback that could come from publicly disclosing a cyberattack. “The biggest problem cybersecurity companies face is not being able to share meaningful threat data,” Getzinger said.
“I understand where they're coming from, but at the same time, it would help us to continue to sharpen our portfolio of offerings and sharpen our network to make sure we continue to be secure,” said Eric Griffin, vice president of offshore energy and commercial fishing for the maritime division of 42-year-old U.K.-based global satellite communications provider Inmarsat Global Ltd., which spun off from the IMO.
The SolarWinds hack, which government officials say was orchestrated in Russia, demonstrated the reach a single event can have within a broad range of public and private entities, including maritime. “A lot of network providers both for IT as well as vessel owners and service providers use SolarWinds as almost their de facto standard for network management. It’s absolutely forced everybody to take a look and ask if this is the right platform we should be using long term,” Griffin said from Inmarsat’s Houston office.
DIGITALIZATION CONUNDRUM
To remain competitive, much of the maritime industry depends on digitalization, accompanied by an infusion of sophisticated monitoring technologies like automation and Internet of Things (IoT) sensors, which provide “more and more attack surfaces for threat actors to access,” Ward said.
Inmarsat said its foundational Fleet Secure Endpoint technology balances efficiency and security for subscribers within the more than 40,000 vessels employing its satellite-based network. The companion Fleet Data IoT platform is designed to enable the monitoring of an “unlimited number of data points” on a vessel through a channel securely segregated from a client’s base subscription.
“You don’t have to worry about your crewmembers or other corporate traffic and applications you’re trying to send over a link from interfering with the Fleet Data connection,” Griffin said. “Fleet Data also allows you to integrate a lot of those third-party systems into one secure platform. We’re always looking at what we can do to expand our security offerings to make sure they’re compliant as regulations become more stringent, which we all expect they will.”
Everyone also agrees that while critical in today’s cloud-connected world, any cybersecurity measure must fit within ever-tightening budgets. “The big challenge is that everything in maritime is day rate. Budgets are very tight and we have to squeeze within that budget,” said Ward. “We believe our platform and services should be packaged as a subscription service. That way, we can easily extract your cost per day on a vessel that’s being monitored and has protection in place.”
Getzinger said that one area where the return on investment can be recouped within six months is having programs that educate employees on how to avoid unwittingly spreading harmful viruses through their companies’ networks. “I’ve seen a decent amount of industry investment in employee awareness training,” he said. “You can have the best tools in the world, but they still won’t help you mitigate a threat from your weakest link, which is going to be your employees.”