Cyber-attacks on the Ports and Maritime industry
This blog examines some examples of the diverse types of cyber-attacks that have occurred in the Ports & Maritime industry. By looking at their varied impacts across OT and IT, we then consider which areas organisations should focus on to build resilience against such attacks.
What are the different types of cyber-attacks that could potentially occur in the Ports and Maritime industry, and what are their impacts?
- Malware: Cyber Incident Exposes Potential Vulnerabilities Onboard Commercial Vessels
In February 2019, a deep draft vessel on an international voyage bound for the Port of New York and New Jersey reported a significant cyber incident affecting its shipboard network: the network had been infected with malware. Malware is malicious software designed to damage or disable computer systems. The malware infected the vessel’s onboard computer systems, and although it did not affect the control systems used to steer the ship, it was found that the vessel had no appropriate security measures in place to prevent such an attack.
- Ransomware: Port of San Diego victim of a cyberattack
In September 2018, the Port of San Diego suffered a cyber-attack that affected its ability to process parking permits, record requests, and other business services. The port was the victim of a ransomware attack: the attackers encrypted files on its systems (including personal files) and demanded a ransom to decrypt and restore them. Encrypted files remain unusable and unreadable until they are decrypted with a key held by the malicious actors involved.
- Distributed Denial-of-Service (DDoS): Port of Vancouver meeting hindered by cyberattack
In March 2017, the Port of Vancouver’s computer system was hit by a DDoS attack during a meeting on the fate of Vancouver Energy. The attack began when an attendee connected to the port’s Wi-Fi without knowing that their computer was infected with malware; once connected, the computer started attacking the network and took it offline temporarily. A DDoS attack uses many compromised computers or devices (“zombies”, collectively a botnet) to take a network or service offline, crash it, or otherwise disrupt it. In this case the impact was limited to the meeting’s live video stream, but a DDoS attack could do far more harm: disrupting internet-connected operational technology such as cargo management systems (leading, for example, to missing or damaged cargo), causing significant delays that hurt revenues and profits, and making web applications unavailable to customers and employees.
- Phishing: Hackers can bring ships and planes to a grinding halt
In December 2021, Hellmann Worldwide Logistics was the victim of a phishing attack that disrupted its operations. To stop the attack spreading to other devices, Hellmann disconnected infected systems from its workplace network, which took its booking systems offline temporarily while the incident was handled. A phishing attack uses email or SMS messages that appear to come from a legitimate organisation or person but are designed to harvest personal information or install malicious software on the recipient’s systems. Hellmann detected and contained the attack quickly, but such an attack could do more harm: halting operational technology that depends on the internet, causing lost profit and revenue when logistics goods cannot be processed, delaying logistics processes, and enabling theft of an organisation’s money or information.
What organisations within the Ports and Maritime industry should do to increase protection against cyber-attacks and reduce their impact.
- Create a contingency plan (CP): A contingency plan is the plan invoked when an incident occurs. It typically sets out what to do during a cyber incident: how to recover from it, how to return to normal business operations as quickly as possible, how to restore data, and how to keep the business running as normally as possible while the incident is being contained.
- Regularly train and increase employee awareness: Employees should be trained regularly to raise their awareness of cyber security issues such as phishing emails, good password practices, and other social engineering tactics. Because people tend to forget what they have learnt after a while, training should be repeated regularly so that the knowledge is retained.
- Patch systems and keep them up to date: Patches usually fix critical flaws and vulnerabilities, so apply them regularly; try to patch systems at least once a week (Patch Tuesdays). Software that has reached end of life and no longer receives security patches from its vendor should be retired.
- Regularly back up and encrypt data: Important business data should be backed up regularly, and the backups encrypted. A backup can later be used to restore systems in an emergency where important data is lost, damaged, or corrupted to the point of being unusable and inaccessible. Encrypting backups prevents unauthorised third parties from reading the backed-up data.
- Monitor systems and logs: Monitoring systems and logs helps system administrators identify anomalies. As administrators review logs over time they learn the normal patterns of traffic, which lets them spot anomalies in the data when an attack is under way (for example, data being transferred from the organisation to an unknown IP address outside it).
- Use the “Zero Trust” model: The Zero Trust model increases security within the organisation by requiring every user to be authenticated and authorised before being given access to any resource on the network. Employees should also be granted only the permissions (authorisation) needed to perform their job, and no access to other parts of the organisation.
- Cyber insurance: Cyber insurance is important because, when an incident occurs, it can help an organisation with the practical work of recovery, such as recovering lost or compromised data and repairing and restoring computers, as well as with the fees and fines that may be associated with the incident.
- Anti-malware services: Using anti-malware software on endpoint devices is highly recommended; it protects employees from malware and suspicious links by quarantining them before they can damage the endpoint, reducing the risk of a cyber incident occurring within the organisation.
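The log-monitoring advice above mentions spotting data being transferred to an unknown IP address outside the organisation. As an added example (not part of the original post), the following Python script applies that check to a few constructed firewall-style log lines. It assumes a simple "timestamp src_ip dst_ip dst_port bytes_out" log format, an assumed allowlist of known external services, and an assumed byte threshold; it sums outbound bytes per source/destination pair to addresses that are neither internal nor allowlisted and reports the pairs that exceed the threshold.

```python
"""Flag large outbound transfers to unknown external addresses.

Added example, not from the original post. The log format, the internal
ranges, the allowlist and the byte threshold are assumptions chosen for
the illustration; the log lines are constructed sample data.
"""
import ipaddress
from collections import defaultdict

# Constructed sample log in the assumed format:
# "timestamp src_ip dst_ip dst_port bytes_out"
SAMPLE_LOG = """\
2024-05-01T08:00:01 10.20.1.15 10.20.1.2 445 51200
2024-05-01T08:00:05 10.20.1.15 203.0.113.40 443 1200
2024-05-01T08:01:10 10.20.1.15 203.0.113.40 443 2048
2024-05-01T08:02:30 10.20.1.22 198.51.100.9 443 900000
2024-05-01T08:02:45 10.20.1.22 198.51.100.9 443 850000
2024-05-01T08:03:00 10.20.1.30 192.0.2.77 22 300000
"""

# Address ranges considered "inside the organisation" (assumed: RFC 1918 space).
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# External destinations the organisation knows and expects traffic to
# (assumed allowlist, e.g. a hosted booking service the port uses).
KNOWN_EXTERNAL = [ipaddress.ip_network("203.0.113.0/24")]

# Bytes sent to one unknown external address before an alert is raised (assumed).
BYTES_THRESHOLD = 1_000_000


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # a monitor should survive a bad line, not crash on it
        ts, src, dst, port, nbytes = parts
        try:
            records.append({
                "ts": ts,
                "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst),
                "port": int(port),
                "bytes": int(nbytes),
            })
        except ValueError:
            continue  # unparseable address or number
    return records


def is_unknown_external(addr):
    """True if addr is outside the organisation and not on the allowlist."""
    addr = ipaddress.ip_address(addr)
    if any(addr in net for net in INTERNAL_NETWORKS):
        return False
    return not any(addr in net for net in KNOWN_EXTERNAL)


def find_suspicious_transfers(records, threshold=BYTES_THRESHOLD):
    """Sum bytes per (src, dst) to unknown external hosts; return pairs over threshold."""
    totals = defaultdict(int)
    for r in records:
        if is_unknown_external(r["dst"]):
            totals[(r["src"], r["dst"])] += r["bytes"]
    return sorted(
        (str(src), str(dst), total)
        for (src, dst), total in totals.items()
        if total >= threshold
    )


if __name__ == "__main__":
    for src, dst, total in find_suspicious_transfers(parse_log(SAMPLE_LOG)):
        print(f"ALERT: {src} sent {total} bytes to unknown external host {dst}")
```

With the sample data, only the 10.20.1.22 host is reported: its two transfers to 198.51.100.9 add up to 1,750,000 bytes, while the single 300,000-byte transfer to 192.0.2.77 stays under the threshold and the traffic to 203.0.113.40 is allowlisted. In practice the threshold and allowlist would be tuned from the organisation's own baseline of normal traffic, which is exactly the pattern knowledge the advice above says administrators build up by reviewing logs regularly.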
References available on request.