Digital Ship, a commercial maritime publication, has presented an update on the marine cybersecurity landscape covering potential threats, mistakes shipping companies make and vulnerabilities that are frequently exploited.
In its recent ‘Maritime Cybersecurity Threats and Mitigation Methods’ webinar held on 5 March, Digital Ship broke down the threats and challenges the maritime industry faces with cyberattacks.
Jacek Walaszczyk, EY Polska, OT/IoT Security Hub, Senior Manager, discussed three major cyberattacks in the maritime sector that have occurred over the past seven years.
Four years later, in August 2021, the Port of Houston was the target of a cybersecurity attack that exploited a weakness in a software platform used for password management and single-sign-on (SSO).
Walaszczyk added that less than a year later in June 2022, Freeport LNG facility out of Texas suffered an explosion that caused speculation for months as to the root cause.
According to Walaszczyk, the Pipeline and Hazardous Materials Safety Administration (PHMSA) identified shortcomings in valve testing methods, as well as a failure to reset alarms that would notify operators of rising temperatures during operations and procedures.
Walaszcyk elaborated on the most experienced type of intrusions, comparing the years 2020 to 2023 in a case study.
READ: White House releases National Cybersecurity Strategy
In 2023, the threat landscape heightened with malicious software (Malware) remaining the most commonly detected intrusion into systems.
Furthermore, the amount of ransomware-based assaults grew, as hackers saw this as an effective way to get benefits.
The study also discovered phishing to be the most common access route into maritime organisations’ networks and systems, with psychological influence tactics becoming increasingly advanced.
Walaszczyk pointed out that sectors that use critical infrastructure have much shorter times to detect and contain data breaches than the rest of the industry due to additional regulations.
Malicious breaches took longer to uncover and contain than any other root cause, resulting in a far more severe long-term impact on marine organisations.
Walaszczyk also highlighted that serial network cabling is not the ideal approach to transmit operational technology (OT) data around a vessel, and converter security must be strengthened with administration passwords to prevent security threats.
READ: DNV strengthens cyber security portfolio with new acquisition
Magdalena Wrzosek, Manager of EY Poland’s Technology Consulting, OT/IoT Cybersecurity Hub, emphasized the significance of the NIS 2 Directive, an EU-wide cybersecurity legislation.
She noted that infringements of the NIS2 Directive are punishable by an administrative fine of at least €10 million ($10.8 million) or a maximum of at least 2 per cent of the total annual turnover in the preceding financial year of the undertaking to which the essential entity belongs.
Wrzosek went on to outline the critical NIS 2 cybersecurity risk management strategies that all major marine businesses must implement.
These measures include basic cybersecurity training, human resources security, information system security policies and the use of multi-factor authentication or continuous authentication solutions.
READ: Port of Baltimore receives federal cybersecurity funding
The NIS 2 Directive establishes two primary reporting duties for a serious incident:
- Something that has caused or has the potential to create serious operational disruptions or financial loss to a company.
- Something that has harmed or has the potential to affect other natural or legal persons by creating significant material or non-material damage.
In the event of a serious incident, companies must provide an initial notice within 24 hours, a detailed incident notification within 72 hours, and an intermediate and progress report.
Organisations must produce a final report within one month that includes a thorough description of the event, its severity and effect, the kind of threat or root cause that most likely caused the incident and any mitigation measures that have been implemented and are ongoing.
Wrzosek revealed that a new cybersecurity legislation would be implemented in October 2024, requiring Member States to incorporate the terms of the NIS2 Directive in their national laws.
When asked if maritime cybersecurity is achievable, Jacek Walaszczyk answered: “Definitely, but it is not cheap. It always requires some effort and then the budget not only to implement all the security controls but to maintain it as well.
“It is worth taking the journey, as cybersecurity is always an ongoing journey. There’s always something to improve.”