Maritime Ransomware: Impacts and Incident Response

Maritime Executive

The maritime community continues to see a rise in cybersecurity incidents. For instance, earlier this year, DNV, a Norwegian shipping classification society, suffered a ransomware attack through its ShipManager software, forcing the organization to shut down its servers. The attack affected approximately 70 customers operating around 1,000 vessels (close to 15 percent of the total fleet using DNV’s service). The interconnected and fragile ecosystem of numerous stakeholders depending on uninterrupted logistics networks makes this industry an especially attractive target for cyber-attacks and ransomware attempts.

Ransomware is defined as a type of malicious software designed to block access to an entity’s systems and/or networks until the entity pays a sum of money. Cybercriminals monetize their operations by extorting their victims and can further sell extracted data on the dark web. As shipping becomes increasingly digitized and dependent on internet, network and satellite transmissions, bad actors are finding new ways to infiltrate systems ashore and afloat.

Common forms of maritime ransomware attacks include phishing emails, direct hacking into vulnerable systems and networks, malicious advertisements, and compromised websites, whereby ransomware can infect a computer when a user clicks an advertisement or downloads a file, among other means. Ransomware can infiltrate not only local computers but entire networks, and, in some cases, interconnected systems with third-party suppliers have been compromised.

Cybersecurity breaches that result from ransomware, a common attack vector, can have immediate and long-lasting effects in the maritime industry. Sensitive and critical data can be encrypted, restricting the accessibility and control of key systems. Without access to certain systems, operations can cease, causing delays and, in some cases, spoliation of time-critical cargoes. There are also concerns about the dissemination of captured business-critical data. Of course, there are financial and reputational repercussions as well. In some cases, there could be legal consequences, such as the threat of governmental regulatory enforcement, litigation from customers, employees, or business partners over the lack of adequate data security safeguards, or violation of economic sanctions laws if a ransom payment is made to certain blocked entities or individuals.

As vessels sail around the world, their operating profiles and systems differ from land-based systems and the protections those systems offer. There are also various levels of sophistication among equipment, especially on older ships, which can require independent software and a variety of upgrades, or patches, at different intervals to maintain security protections. Typically, there are systems on board performing different functions, including general information technology (IT), which serves a communication and administrative function, and operational technology (OT), which directly monitors and controls equipment. Furthermore, OT systems, which are usually segmented from IT systems and not typically exposed to networks with external access, can be infiltrated through updates that are done locally via USB flash drive (e.g., to obtain updated electronic charts), or disrupted when remote network connections are utilized. Both IT and OT systems must have cyber prevention and detection measures and be included in cybersecurity plans. Thus, it is essential to understand the ship-to-shore interface and identify vulnerabilities, preferably quarterly.

Shipowners and operators can take steps to prevent cyber-attacks aboard and limit threats to vessels by being prepared and responding accordingly. Cybersecurity plans and policies should be created to identify vulnerabilities, threats, and impacts. Proper training and cyber awareness should be conducted for employees shoreside and shipboard. Regular software updates and multi-factor authentication are important, as well as encryption of sensitive data and reminders to implement proper cyber hygiene onboard.

Companies should also understand how to respond to and recover from cybersecurity incidents. Response plans should be updated annually to address all relevant contingencies, and shipboard personnel should keep a hard copy onboard in case system access is compromised. Ideally, procedures in the ship’s safety management system should already address onboard contingencies if the vessel experiences a loss of critical systems and equipment. The response plans should also contain information regarding communications and escalation management to ensure there are channels to gain shoreside support if an event occurs. Post-incident recovery should consist of an initial assessment to investigate the incident and preserve evidence. Evaluating the incident and its impacts will aid in continuous improvement to prevent recurrence.

Cybersecurity not only prevents hackers from obtaining information and access to networks and systems, but it also protects digital assets and data. Therefore, identifying vulnerabilities, developing cybersecurity plans, and executing regular cybersecurity exercises help improve the safety and security of seafarers, ships, and the environment in which they operate.

"Maritime Ransomware: Impacts and Incident Response," by Vanessa DiDomenico, Sharon R. Klein, and Karen H. Shin was published in Maritime Executive on May 10, 2023.