All Hands on Deck: Malware Is Infecting Cargo Vessels Arriving in the United States
It’s time for the U.S. maritime industry to wake up to the dangers posed by ships docking in our ports that have inadequate (or nonexistent) cybersecurity measures. Here, in the first of four articles for National Critical Infrastructure Security and Resilience Month (November), FTI Cybersecurity looks at this unrecognized crisis.
Cargo vessels have been carrying essential goods to U.S. ports for hundreds of years. Increasingly, they are arriving with hazardous goods — debilitating and potentially destructive malware and malicious cyber tools that pose a threat to our critical infrastructure.
In February 2019, the Port Authority of New York and New Jersey alerted U.S. Coast Guard (“USCG”) authorities about a U.S.-flagged cargo ship that intended to dock in New York. The alert was in response to the ship’s reporting “that they were experiencing a significant cyber incident impacting their shipboard network” as a result of being infected with malware.1
Want more insights from our latest content? Click here to subscribe based on your specific area of interest.
Although the initial investigation concluded that the ship’s control systems were not affected, the incident is indicative of an increase in intrusions across the global maritime industry and the exploitation of easy targets due to their lack of security controls and staff awareness. The event was the second such USCG maritime alert in three months, casting a harsh light on the industry’s lack of preparation for attack on its digital infrastructure.
In fact, a subsequent investigation of the same ship by a joint USCG and Federal Bureau of Investigation team revealed that the vessel did not employ even the most basic cybersecurity practices. It relied on a single crew password for accessing the ship’s computer system, for instance. USB drives used to transfer ship and cargo data were unscanned for malware, and there was no basic antivirus protection. It’s very well likely that the infection was spread far beyond the individual vessel through its connection to port facilities in Pakistan, India, Oman and the holding company’s networks.
The unprepared state of the maritime industry to combat cyber threats does not portend well. FTI Cybersecurity sees several trends on the horizon including these four:
- Changes to regulations for implementing basic cybersecurity practices will cause liability to fall on ship operators and parent companies
- Increased liability and litigation for cyber disruptions originating from one entity will affect another entity
- Unsecured maritime facilities and vessels will accelerate the potential for a “cyber contagion”
- A cyber incident will involve destruction or damage to physical assets and/or injury to shipboard or maritime facility personnel
Amazingly, despite a 2010 report from the U.S. Government Accountability Office that identified the need for cyber threats to critical infrastructure to be addressed, the maritime industry still has not given this significant issue adequate attention almost a decade later.2
That leaves the industry in a precarious place.
Today’s ships are essentially floating data systems that are sitting ducks for cyber criminals to pick off with ease. Without immediate action to mitigate risk and combat cyber threats, the significant financial losses already occurring in the industry will only escalate. Making matters worse, any business disruption also has the potential to cause physical destruction, endangering people and property.
As vessels become even more connected internally and across the global logistics environment, implementing basic cybersecurity policies and practices is imperative for improving operational efficiency and continuity. Those shipping companies that make the effort to implement change in the near future will be better prepared and will likely find the proactive stance a business differentiator that boosts client confidence. The time to act is now.
© Copyright 2019. The views expressed herein are those of the author and do not necessarily represent the views of FTI Consulting, Inc. or its other professionals.