Ports and ships — the maritime industry — are vital points in the global supply chain for food, medicine, consumer goods, fuel and many other products. Most of the world’s globally traded goods travel by sea. That’s why maritime security is key for supply chain security. Meanwhile, maritime cybersecurity faces threats at multiple places, including ports, communications systems and ships themselves.

Potential cyber attacks on maritime infrastructure are familiar types: phishing, malware, social engineering, brute force, denial of service, ransomware and others. What’s different is the unique placement of the targets.

Ships Rely on Digital Tools

Ships often rely on digital tools to function, many of which are automated. Even ship compasses are digital and depend on a mix of gyroscopes and GPS. All these systems could be at risk for a digital attack. Dependence on GPS puts shipping at risk because attackers can spoof or jam GPS signals.
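One defensive check that follows from the gyroscope-plus-GPS dependence described above is to treat the gyrocompass and speed log as an independent witness and flag GPS fixes that disagree with them. The code below is an added example, not from the original article; the vessel position, heading, speed and thresholds are constructed sample values.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0


@dataclass
class Fix:
    t: float    # seconds since start of the track
    lat: float  # degrees
    lon: float  # degrees


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def dead_reckon(lat, lon, heading_deg, speed_mps, dt):
    """Position expected from gyro heading and log speed (short-step approximation)."""
    d = speed_mps * dt
    h = math.radians(heading_deg)
    dlat = d * math.cos(h) / EARTH_RADIUS_M
    dlon = d * math.sin(h) / (EARTH_RADIUS_M * math.cos(math.radians(lat)))
    return lat + math.degrees(dlat), lon + math.degrees(dlon)


def check_fixes(fixes, heading_deg, speed_mps, max_speed_mps=15.0, tolerance_m=200.0):
    """Return (index, reason) for every GPS fix that is physically or nav-wise implausible."""
    alerts = []
    for i in range(1, len(fixes)):
        prev, cur = fixes[i - 1], fixes[i]
        dt = cur.t - prev.t
        if dt <= 0:
            alerts.append((i, "non-monotonic timestamp"))
            continue
        implied = haversine_m(prev.lat, prev.lon, cur.lat, cur.lon) / dt
        if implied > max_speed_mps:  # hull cannot move this fast: jump spoof or glitch
            alerts.append((i, f"implied speed {implied:.1f} m/s exceeds hull maximum"))
            continue
        exp_lat, exp_lon = dead_reckon(prev.lat, prev.lon, heading_deg, speed_mps, dt)
        dev = haversine_m(exp_lat, exp_lon, cur.lat, cur.lon)
        if dev > tolerance_m:  # slow drift spoof: plausible speed, wrong place
            alerts.append((i, f"deviates {dev:.0f} m from gyro/log dead reckoning"))
    return alerts


# Constructed track: steaming east (090) at 10 m/s, one fix per minute.
# Fix 3 drifts north of the dead-reckoned track; fix 4 jumps several km.
SAMPLE_FIXES = [Fix(0, 51.9500, 1.300000), Fix(60, 51.9500, 1.308755),
                Fix(120, 51.9500, 1.317510), Fix(180, 51.9530, 1.326200),
                Fix(240, 51.9500, 1.400000)]

if __name__ == "__main__":
    for idx, why in check_fixes(SAMPLE_FIXES, heading_deg=90, speed_mps=10):
        print(f"fix {idx}: {why}")
```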

More than most industries, maritime infrastructure tends to be old and complicated, further hampering marine cybersecurity.

Is There an IT Worker on the Ship?

Another risk factor people don’t talk about enough is the absence of IT people on ships. A ship is like a building packed with computer systems, servers and electronics. Yet, out at sea, the crew is on their own in managing these systems and dealing with breaches.

A digital attack could control or shut down a ship or drive it off-course, causing a crash. Some ships have dangerous cargo, such as explosive fuel, in large quantities.

Ports are also heavily dependent upon complex digital logistics management systems. Some of these systems track every container on every ship. In past incidents, attackers have delayed cargo, erased the records of it, redirected it and stolen it outright. In a ransomware attack, they could abuse access to cargo-location data or lock the records entirely.

The most likely risk is that digital attacks, through any number of possible attack types, delay shipping. That costs millions or billions of dollars to shipping companies, ports or shipping customers.

Maritime Cybersecurity Attacks Increasing

Attacks targeting maritime information systems are on the rise. In the first few months of the pandemic, attempted cyber attacks rose by 400%. We can expect this trend to continue, with rising attacks on ships and ports.

Attackers targeted the Port of Houston this year in a suspected nation-state attack, an event that raised the urgency of securing maritime infrastructure. The port is 25 miles long and handles a quarter of a billion tons of cargo every year.

The attack involved a password management program that contained a previously unknown vulnerability. The attackers exploited it to install malicious code that granted access to the networks, which they used to exfiltrate log-in credentials needed to control network access. Luckily, “no operational data or systems were impacted,” according to a statement issued by Port authorities.

How To Handle Maritime Cybersecurity Risks

The need to address maritime cybersecurity is urgent. Here are some general approaches for how to address it:

  • Pinpoint specific possible threats. Understand what cyber criminals and nation-state actors might want from an attack. Pay special attention to the risk of ransomware. Consider attacks that could shut down the flow of goods, take ports offline and bring ships off course. Run red-team exercises and hire ethical hackers to help find likely attack points and methods.
  • Identify digital vulnerabilities. Inventory all systems and figure out which are unpatched, unpatchable, legacy or problematic in any way from a cybersecurity perspective. Think through the implications of existing physical security, and figure out how unauthorized people could gain access to digital systems. Consider how rogue or disgruntled employees could threaten security.
  • Initiate a maritime cybersecurity action plan. Address all vulnerabilities correctly, by patching or replacing problematic systems. Work with managers, leaders and stakeholders to develop these plans, then brief all concerned on how to use the plans in the event of an attack.
  • Install smart detection tools. For example, network detection and response tools use artificial intelligence (AI) to find odd and potentially malicious behavior on maritime networks. Have your software working 24/7 to watch for possible emerging attacks.
  • Launch new crew and employee cybersecurity training programs. Focus on phishing attacks, physical security and social engineering.
  • Establish contingency or continuity plans. For each possible attack scenario, develop a detailed plan for running your business through it, and also what the recovery processes are.

A threat to maritime information systems is a threat to global trade. Therefore, supply chain cybersecurity is one of the world’s most urgent business priorities.
