Port and maritime operations are critical to the stability of the global supply chain and the global economy. When terminals cannot move cargo, the costs can escalate quickly. When shipping giant Maersk fell victim to NotPetya malware in 2017, the costs were estimated at between $200 and $300 million. Should we call the Maersk attack an OT-level attack or an IT-level attack? Since the systems affected were controlling the flow of vessels and freight around the world, they can be classified as OT-level supervisory-type systems. The line between IT-level and OT-level assets is also blurring with the continued introduction of IoT technologies at the operational level. “IT-level attacks” will often have consequences at the operational level, as we witnessed with the shutdown of the Colonial Pipeline network when the company lost visibility into its billing and accounting systems.
Maritime and port cybersecurity has not received the same level of attention that other industry sectors have, even though the sector has already fallen victim to attacks that have brought supply chains to a halt. The situation is changing, however, and cybersecurity is starting to generate the attention it deserves thanks to new standards and guidelines and an increased focus on the part of certifying bodies like DNV GL, Lloyd's Register, and TÜV Rheinland.
More standards and guidelines are being developed specifically for maritime and port sector cybersecurity. Many operators and end users will have to make changes to their cybersecurity posture and develop stronger, risk-based cybersecurity approaches. Maritime cybersecurity organizations must incorporate the requirements of operations, while increasingly adopting the same technologies and even cybersecurity practices from the IT domain.
OT Cyber Vulnerabilities Abound in Ports and Maritime
Numerous cybersecurity vulnerabilities exist in the maritime transportation system (MTS) when it comes to OT level technologies, products, and systems, from cranes and container management systems to fuel terminals, shipboard controls, navigation systems, buoys, HVAC controls, and more. These vulnerabilities are becoming more numerous due to the new generation of IoT-enabled devices and systems.
A huge range of connected assets now exists, from cargo movement systems found in cranes to intelligent pumps, positioning, navigation, and timing systems (PNT), and vessels. These new connected solutions are not always installed with cybersecurity in mind, and many ports and facilities do not have sufficient personnel to manage cybersecurity for the overall port or facility. Staff responsible for cybersecurity may have IT experience but be unfamiliar with OT-level systems, networks, and assets.
Like the manufacturing sector, the critical OT-level assets and network infrastructure found in the port and maritime sector should be properly segmented, and a defense-in-depth model should be followed. This does not always happen, and there are few regulations or standards that have been embraced by this sector to enforce good cybersecurity lifecycle management at the OT level.
Attacks on Maritime Transportation System Are Increasing
Attacks on the maritime transportation system (MTS) have increased in the past couple of years, in no small part due to the COVID pandemic and the ensuing wave of remote workers, border closures, and supply chain issues. According to a July 2020 report by Israeli cybersecurity firm Naval Dome, “cyberattacks on the maritime industry’s operational technology (OT) systems have increased by 900 percent over the last three years, with the number of reported incidents set to reach record volumes by year end.” The UN International Maritime Organization, which is the primary worldwide governing body of the MTS, was itself the target of a cyberattack in September of 2020, disrupting the organization’s web site and other web-based services.
At least part of the reason for this is the increased reliance on remote monitoring and maintenance of assets that were previously unconnected. Border closures and social distancing mandates have required the increased use of remote technologies to monitor, diagnose, repair, and update assets, systems, and applications.
ARC Advisory Group clients can view the complete report at ARC Client Portal