In early March 2023, the Maritime Transportation System Information Sharing and Analysis Center (MTS-ISAC) published its 2022 Annual Report.
Founded in 2020, the relatively new MTS-ISAC focuses on cyber threats against the global maritime industry, and its stakeholders’ operations traverse six continents and more than 160 countries. Stakeholders share threat information to provide early warning of future cyber-attacks and share best practices to improve cyber risk management across the global maritime industry. The MTS-ISAC published over 1,000 indicator bulletins (a more than 50% increase from 2021), 75 cybersecurity advisories, six best-practice templates, and 53 collaboration opportunities. The 2022 report captured the evolution of cyber threat activity throughout the year: website spoofing of maritime and energy entities and phishing increasing in the first quarter; first-seen malware variants targeting MTS organizations, smishing, and distributed denial-of-service attacks in the second; more new malware variants and password spraying in the third; and increased credential harvesting and business email compromise attacks in the fourth.
The report came on the heels of the U.S. government’s (USG) release of its National Cybersecurity Strategy, in which the USG affirmed its commitment to the protection of critical infrastructures and its willingness to employ all elements of national power to counter cyber threats seeking to disrupt the vital services they provide. Per the MTS-ISAC report, the continued modernization of the MTS environment, the increase of third-party integrations, and insecure public-facing infrastructure have expanded the potential attack space and exposed new entry vectors into targeted networks. This makes the global MTS a high-value target for various attacks, including financially motivated theft, disruption to inflict economic damage, data theft in support of state-driven cyber espionage activities, and nuisance attacks orchestrated by politically and/or ideologically motivated actors.
When it comes to cyber attacks against critical infrastructure, those against energy, finance, and healthcare typically garner immediate international attention, likely because any impact has an immediate effect on civilian populations. However, as seen during the COVID pandemic, any disruption to the global MTS has a larger, though less lethal, impact on the world. The global maritime industry is responsible for transporting approximately 90% of the world’s trade in goods. Per a United Nations report on maritime transport, Asia leads regions in international maritime trade in world tonnage, followed by the Americas, Europe, Oceania, and Africa. With an estimated worth of USD 14.2 billion in 2022 and projections to reach USD 18.2 billion in 2027, it is not hyperbole to say that the maritime industry and the infrastructure that supports it underpin the global economy and are essential for sustainable supply chains that support other critical infrastructures.
Over the past five years, there have been some notable incidents of cyber attacks impacting ports. What’s more disconcerting is that, in some instances, the attackers purposefully executed them to cause maximum disruption. For example, in early March 2023, the Play ransomware group successfully attacked Dutch maritime logistics services company Royal Dirkzwager, requiring nearly a week of remediation to restore systems and resume first services fully. In February 2022, a ransomware gang compromised the management system of India’s state-owned shipping container terminal at Jawaharlal Nehru Port Trust, temporarily ceasing operations. Also in February 2022, other ransomware attacks disrupted the operations of major oil terminals in Belgium and Germany when oil prices were at an all-time high. In January 2021, a cyber attack against South Africa’s state-owned logistics firm Transnet severely impacted the operations of ports in Cape Town, Port Elizabeth, Ngqura, and Durban.
The many potential entry points into the MTS make it vulnerable to attackers. There is an assumption that cyber attacks against the MTS industry occur while the vessel is at sea. However, research by RightShip, a company dedicated to setting global safety and sustainability benchmarks in the maritime sector, revealed that at least 50% of cyber attacks on vessels occurred while vessels were in ports/terminals. This is because there are extensive vulnerabilities in the maritime sector, especially in the port environment where, when docked, vessels connect to port operations as well as supply chain providers, thereby widening the attack space. A cyber attack against a port can impact physical facility access control systems, compromise terminal headquarters, affect the Operations Technology/Information Technology environment, disrupt or degrade industrial control systems and supervisory control and data acquisition, interrupt the operations of distributed control systems, and manipulate the functionality of programmable logic controllers.
This is not to say ships aren’t vulnerable on open water. There are several notional examples where security researchers easily took advantage of a ship’s tracking system, voyage data recorders, and satellite communications. International organizations like NATO’s Cooperative Cyber Defense Center of Excellence have created scenarios involving cyber attacks on the maritime sector to test their applicability to public international law. Still, real-life examples are harder to come by, and those few incidents have been primarily linked to state actors. Between 2016 and 2019, Russia allegedly spoofed a ship’s Global Positioning System at least 7,900 times, affecting at least 1,000 vessels. In 2019, the United States suspected Iran of interfering with commercial ships’ navigation systems, a prescient apprehension given that in 2021, a British outlet allegedly obtained secret documents from an Iranian cyber unit that discussed potential targeting of maritime communications, fuel pumps, and cargo ships.
Therefore, it’s unsurprising that countries are taking a closer look at maritime cybersecurity and its role in their national and economic security interests. Since 2017, financially motivated actors have targeted all four of the world’s largest shipping companies. A 2022 U.S. Coast Guard report revealed a 68% increase in cyber incidents targeting the U.S. maritime sector alone in the previous year. The COVID pandemic caused unprecedented disruptions to the global MTS. One study estimated losses between USD 225 billion and USD 412 billion, providing a real-world cause-effect scenario of what happens when this vital economic vein is disturbed.
The Ukraine crisis has already demonstrated how geopolitical conflict easily spills into cyberspace. Similarly, future hot spot areas can quickly assemble online agitators to conduct similar cyber malfeasance against commercial maritime assets. Depending on their intent and appetite to inflict pain, clever cyber antagonists could adversely affect a country’s economic situation and its citizens by temporarily halting its supply of key goods by targeting key maritime assets and oceangoing choke points. And while there are several capable hostile actors in cyberspace, any delinquent capability can easily be purchased in dark markets where the cybercrime-as-a-service industry thrives, providing anyone the resources to cause disruption if they can afford the price.
There is every reason to believe that hostile actors will increase their targeting of the global MTS, a sector rife with vulnerabilities associated with legacy systems and new vessels whose advanced technologies provide more potential access points for exploitation. Ransomware, USB malware, and worms have all been found aboard ships’ IT systems. While this is disconcerting, the attacks against shore-based systems may be even more detrimental, as these systems manage ships, their routing, and container bookings. While cybercriminals and pirates seek to exploit this information, nation-states and their proxies pose a graver threat to the global MTS. Because the maritime industry is the backbone of global trade, it significantly influences several countries’ GDPs, and any interruption or manipulation can cause harmful effects on national economies.
And while that is disconcerting, cyber attacks against the MTS offer another potent avenue for states to exert soft power. The global environment has already seen the instruments of soft power shape perceptions by creating distrust and dividing populaces. The successful disruption of the MTS can achieve similar effects, fomenting domestic discord and encouraging the type of civil unrest that shifts national policies and catalyzes electoral changes in governments.
And this may be the true danger of MTS targeting. If governments do not take a robust and comprehensive look at the ramifications of MTS interruption, they may find themselves manipulated out of office.