A recent Department of Homeland Inspector General report (pdf) focused mostly on U.S. Coast Guard insider threats, stating, "Trusted insiders could use their access or insider knowledge to exploit USCG's physical and technical vulnerabilities with the intent to cause harm."
The audit also found numerous issues involving thumb drives and removable media that could be connected to Coast Guard IT systems and used to remove sensitive info, as well as issues allowing sensitive info to be sent via email. The IG also found unlocked USCG network equipment and server rooms, unsecured wireless routers and laptops.
But a real current threat, according to CyberKeel, a Copenhagen-based firm which focuses on maritime cybersecurity, is unpatched servers running Microsoft that attackers could exploit to take control of the servers. Although Microsoft released a patch in April, spot checks at 50 different maritime sites reveals that 37% of the servers running Microsoft were still vulnerable because they had not been patched.
"Complex systems, such as those provided by Microsoft, are often in need of software patching to plug security holes. Companies need their IT departments to be able to quickly install software patches, as the hacker community operates on decidedly short timeframes," CyberKeel CEO Lars Jensen told Splash24/7. "As an example, it took less than 12 hours from the point where Microsoft released the patch, until you could find simple instructions on the internet as to exactly how to exploit this weakness to cause a denial of service."
The vulnerable sites included three major container carriers, which Splash has learnt are MSC, Hapag Lloyd and Hamburg Süd, as well as important systems at a number of ports, such as the vessel traffic management system in Gothenburg, the road haulier identity system in Felixstowe and the main site of the Copenhagen port authority.
CyberKeel participated in the first "major" U.S. maritime cybersecurity event that was held in March, organized by the Command, Control, and Interoperability Center for Advanced Data Analysis (CCICADA) at Rutgers University and American Military University. According to Splash, during the symposium, USCG Vice Admiral Charles Michel "told of an incident whereby a hacker brought a port on the U.S. eastern seaboard to a standstill." Jensen said, "This shows that the risk to the maritime community is real, and it is worrying that even simple security measures such as applying software patches are not ingrained in the industry."
Various experts at the maritime cybersecurity symposium explained how cyberattacks on ports and ships could be "catastrophic." Some real instances of cyberattacks "have shut down and/or damaged ports, ships, oil rigs and cargo handling systems. These attacks have taken control of automated machinery, degraded it and in some instances destroyed it."
Steve Caldwell, author of a GAO report on USCG cybersecurity weaknesses, mentioned that efforts to secure maritime transportation systems "have focused almost exclusively on physical security." But "an attacker could use a simple, inexpensive and easily purchased GPS jamming device to shut down operations at a major U.S. port, wreaking economic havoc. The ability of hackers to remotely control port operations is the new 'hole in the fence' of port security."
Rear Adm. Marshall Lytle, assistant commandant responsible for USCG Cyber Command, explained how the cyber threat is very real by reminding the audience of the malware attack on Saudi Aramco, which "turned 30,000 networked computers into paperweights." Lytle said, "Big container ships and cargo ports are especially vulnerable. 'Most modern container ships totally rely on computer networks. Nothing happens …without bits and bytes making it happen'."
He added, "Modern ships are completely computerized. Everything is connected on networks. Today's modern ships have complex cargo operations that are entirely connected through cyber space. Cranes are moved by GPS. Most everything happens through automation and it's all connected in cyber space." Lytle gave a "real-world example" of cyber threats, saying "drug gangs were able to smuggle entire container loads of cocaine through Antwerp, one of Belgium's largest ports, after its hackers breached the port's IT network."
Peter Crain, a maritime cybersecurity expert and former ship captain, said, "Modern ships are at the mercy of their central 'brains'—highly automated and networked communications, navigational and operational systems that can literally run the ship without human help. The problem with these brains is that they are exceedingly vulnerable to cyber-attacks." Crain added:
One such vulnerability is an overreliance on GPS systems, which use satellite-signal receivers to determine a ship's position and plot its course. Sophisticated hackers can easily spoof or jam a ship's GPS system. This would throw a ship off course while making it appear to be on-course, leading to disastrous events like collisions and groundings.
"This is not about building an 11-foot fence so they (our adversaries) can build a 13-foot ladder," said Vice Admiral Michel during his keynote at the maritime cybersecurity symposium. "This is a world that moves at (cyber-) machine speed. This is the world of the quick and the dead."
Michel's keynote, referenced by CyberKeel to prove the threat is real, included a "sneak preview" of the USCG cybersecurity strategy. The three priorities for Coast Guard are to defend cyberspace, enable operations and protect infrastructure.
Michel said regulators need help with "analysis to identify greatest vulnerabilities in maritime domain; identify best options for operational and system cyber resilience; analysis and tools to map and predict dynamic maritime cyber threats; impact analysis for the maritime transportation system and cascading consequences to nation and economy; nodal and system analysis to identify single points of failure in maritime transportation system; and networking analysis solutions to support optimal information sharing with partners."
Since Michel's keynote, the Vice Admiral and Deputy Commandant for Operations, testified before a House Committee on Transportation and Infrastructure about maritime concerns such as "Enhancing our internal IT security and promoting cyber security within ports." This testimony came after the previously mentioned IG report on weaknesses in the Coast Guard's IT operations.
Michel later testified again about USCG priorities. "In 2016, we will remain in lockstep with other components of DHS and Department of Defense (DOD) efforts to enhance cybersecurity to defend our own network and work with port partners to protect maritime critical infrastructure and operators."
Hopefully that includes timely patch management, since CyberKeel claims 37% of maritime webservers running Microsoft were not patched and thereby "open to remote control risk." Granted, that risk is about hackers taking over websites, but it could certainly turn into a misinformation mess.