Ghost Ships, Shadow Brokers and Cryptoworms: October is National Cyber Security Awareness Month

In a chillingly apropos follow-on to the mid-summer global Petya and WannaCry cyber/ransomware attacks, which crippled businesses and government interests around the world, October has been dubbed “National Cyber Security Awareness Month.”  And the month that concludes with Halloween and Dia de Los Muertos is a metaphorically fitting one for cyber awareness:

  • a group known mysteriously as the “Shadow Brokers” were allegedly behind the leak of top-secret NSA data that included the Windows XP vulnerability that enabled the May 2017 WannaCry and NotPetya ransomware attacks, which resulted in estimates of $300 million in lost revenues for international ocean shipping giant Maersk;[1]
  • these attacks utilized a ghoulishly named “cryptoworm” ransomware virus[2];
  • and not long after, a June 2017 GPS “spoofing” incident was reported (including directly to the United States Coast Guard (USCG)) in a busy shipping lane of the Black Sea, causing AIS displays to show that certain vessels were located many miles inland, and to show other “ghost ships” on the water where there were none.[3]

And more recently, cyber security concerns have been raised regarding various aspects of both commercial and military fleets around the world:

  • After the year’s fourth collision between a U.S. Navy vessel and a commercial cargo ship, rumors swirled regarding whether cyber attacks could have caused the incidents;[4]
  • Cybersecurity consultancy IOActive issued a recent report (in the wake of NotPetya) warning of “two security vulnerabilities in a particular version of the AmosConnect software, which supports narrowband satellite communications and integrates vessel and shore-based office applications such as email, fax, telex, GSM text, interoffice communication and access for mobile personnel into a single messaging system.”[5] These vulnerabilities could allow a hacker to take control of all communications and IT infrastructure aboard a vessel, and potentially company-wide;
  • The British Royal Navy faced questions of whether the force’s newest £3.5 billion aircraft carrier HMS QUEEN ELIZABETH was running Windows XP, the same software with the vulnerabilities that facilitated the WannaCry and NotPetya attacks;[6]
  • The United States Congress took several steps (in the wake of the Black Sea “spoofing” incident) to ensure robust maritime cybersecurity for American interests, including (1) passing the 2017 Intelligence Authorization Act, which requires the Department of Homeland Security to report on cybersecurity concerns in American ports; (2) the introduction of a bipartisan bill titled “Internet-of-Things (IOT) Cybersecurity Improvement Act of 2017,” seeking to establish federally regulated baseline requirements for “smart” devices; and (3) a proposed bill (“Strengthening Cybersecurity Information Sharing and Coordination in Our Ports Act of 2017”) to broaden and deepen the scope of information sharing around cybersecurity issues by ensuring participation of a maritime community representative in the National Cybersecurity and Communications Integration Center.[7]

These and other terrifying tales from the all-too-real world of cybersecurity are a perfect fit for the month of jack-o-lanterns and things that go bump in the night.  And in the wake of these attacks affecting various aspects of the maritime infrastructure, as well as the ongoing global focus on water-borne cybersecurity, the USCG took the opportunity to focus on cybersecurity throughout the month of October.

To begin with, even prior to the October cyber security focus period – and in the midst of the WannaCry/NotPetya/“spoofing” incidents noted above – the IMO issued draft resolution MSC.428(98), entitled “Maritime Cyber Risk Management in Safety Management Systems.”  This resolution affirms (as previously suggested on this blog) that any ISM-compliant safety management system “should take into account cyber risk management systems no later than the first annual verification of the company’s Document of Compliance after 1 January 2021.”  The USCG worked closely “in partnership with industry associations, class societies, and other Flag States . . . through the International Maritime Organization to develop” this resolution; and used the October cyber security month as a reminder that “this resolution affirms that safety management systems should take cyber related risks into account” for any ISM-governed vessels.

Likewise, the USCG issued a reminder that the public comment period on NVIC 05-17, entitled “Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Regulated Facilities,” was extended through October 11, 2017.  This NVIC proposes USCG guidance “on incorporating cybersecurity risks into an effective Facility Security Assessment (FSA), as well as additional recommendations for policies and procedures that may reduce cyber risk to operators of maritime facilities.” 82 Fed. Reg. 32189 (July 12, 2017).  Notably, this NVIC would apply to both inland facilities and outer continental shelf (OCS) facilities, both in their capacity as MTSA-regulated facilities and presumably under their SEMS obligations under the aegis of the Bureau of Safety and Environmental Enforcement (BSEE).  See Draft NVIC 05-17, Enclosure 1, p. 1.  Thus, both inland and offshore facilities, and (necessarily) operators of vessels that use and service them, will be affected by these policies once they are formally adopted.  Notably, the draft NVIC includes (among many, many provisions in its nearly 40 pages) requirements for “drills and exercises [that] will test cybersecurity aspects of” a facility’s plan (including “combined cyber-physical scenarios”); as well as record-keeping for such drills; secure storage of facility sensitive electronic data; and “regular software updates and install[ation] of security patches as they become available.”  Id. at p. 3.  And perhaps most critically of all, the draft NVIC proposes requirements for “cyber-related procedures for interfacing with vessels to include any network interaction, portable media [i.e. “flash drive”] exchange, or wireless access sharing.”  Id.  Given the multitude of different systems/software – and perhaps even different versions/updates of the same system/software – as between facilities and vessels, this proposed requirement could prove daunting (albeit critically important to ensuring cyber security).

In addition to these specific and express proposed guidelines for inland/OCS facilities, the USCG confirmed in October that it is working throughout all levels of the agency to develop cyber security guidance for interests across the spectrum of the maritime industry, including for electronic navigation concerns (like those implicated in the Black Sea “spoofing” incident):

The Coast Guard Office of Design and Engineering Standards, in partnership with industry associations and class societies, is working to develop additional best-practice guides and industry standards which can be used to assist companies with implementing cyber risk management policies. The Coast Guard Office of Port and Facility Compliance is collaborating with the National Institute of Standards and Technology, National Cyber Center of Excellence to develop sector-specific profiles which adapt the NIST Cybersecurity Framework to specific asset classes. This collaboration has already produced profiles for bulk liquid transfer facilities, offshore platforms, and will soon be kicking-off a profile on electronic navigation and automation systems.

Similarly, the USCG has called for all Area Maritime Security Committees (AMSCs, as established by the 2002 MTSA) to establish cyber subcommittees; and as of October 2017, 28 of the 43 AMSCs had done so, with a focus on incorporating cyber threat scenarios in regional security training and exercise programs.  The forthcoming 2016 annual AMSC report will include discussion of localized cyber-security best practices and issues.

Obviously, given the multitude of recent, high-profile attacks affecting not only seaborne trade but every level of private and public interest, from government entities to commercial concerns to individuals (viz. the Equifax hack), cyber security must be a focal point for any viable operation – not only during the month of October, but every minute of every day of every month.  And on this Halloween, to close out the USCG’s October cyber security focus, the ominous words of Jason Warren (Cybersecurity Specialist, Office of Port and Facility Compliance) should send chills up any maritime operator’s spine, but also encourage them to stay one step ahead of the creeping cyber ghouls:

As in every technological era, there is a dark force racing alongside the rush of innovation — criminality, exploitation, greed and even destruction. Cybercriminals are innovating fast. Enormous amounts of private information are being siphoned out of enterprises via infrastructure breaches, and traditional defenses such as antivirus and network firewalls have failed to stop the continuous stream of data losses. The attacks have moved from monthly to weekly during the past year, and it is no surprise that companies are heavily focused on enhancing their cyber resiliency posture in order to respond and recover from a critical system outage.

[1] Richard Waters, Microsoft Issues WannaCry Cyber Attack Patch, Financial Times (May 13, 2017).

[2] Nick Ismail, Avoiding incidents like the WannaCry and “NotPetya” ransomware attacks, Information-Age.com (July 17, 2017).

[3] Dana Goward, GPS Spoofing Incident Points to Fragility of Navigation Satellites, National Defense Magazine (Aug. 22, 2017).

[4] Elizabeth Weise, Could hackers be behind the U.S. Navy collisions?, USA Today (Aug. 23, 2017).

[5] Warwick Ashford, IOActive warns of security flaws in maritime communication system, Computerweekly.com (Oct. 26, 2017).

[6] Ewan MacAskill, HMS Queen Elizabeth could be vulnerable to cyber-attack?, The Guardian (June 26, 2017).

[7] Michael Bahar & Brittany Cambre, Legislative Efforts in the Wake of Maritime Cyberattacks, Maritime Executive (Oct. 24, 2017).