Two hundred years ago a skull and crossbones flag on the ocean signaled an imminent threat. Now, those who defend and make their living at sea face a new lawless and unpredictable threat: cyberattacks.
When it comes to cyber threats, industry and military experts agree: U.S. maritime operations are vulnerable.
“As we have seen from recent incidents,” explained Captain Jason Tama of the United States Coast Guard, “the maritime industry’s growing dependence on continuous network connectivity and converging layers of information and operational technology make it inherently vulnerable to cyber threats.”
The Internet of Things: Ship Maintenance
Cpt Tama identifies the transition to the Internet of Things (IoT) approach as a major source of that vulnerability. IoT is an information technology term that describes a system of devices or of self-contained systems that are connected and able to communicate over a single network. This connectivity is achieved largely by the introduction of firmware into vessel and onshore hardware systems. According to the Institute of Electrical and Electronics Engineers, firmware refers specifically to the “combination of a hardware device and computer instructions or computer data that reside as read-only software on the hardware device.”
The addition of firmware and transition to an IoT system does represent an advancement in the industry. As Hiekata et. al explain in their paper for the Journal of Marine Science and Technology, when the hardware components of a ship that previously would have operated independently – and offline – are equipped with monitoring software sensors, or firmware, it exponentially increases the information that operators have about their ship at any given moment. For example, in an IoT environment, firmware allows for the constant monitoring and collection of data on hardware such as engines and auxiliary power units. The data produced by this monitoring is then stored and analyzed on shore. There, software algorithms are able to build a complete picture of a how the ships engine an auxiliary power units should be functioning at any given time and that allows for near-instant detection of abnormal activity or conditions. Near-instantaneous detection gives the crew a high chance of performing maintenance before the issue becomes critical.
Hiekata et. al point out that along with remote detection a networked ship allows for remote repair, at least in some circumstances. Therefore, IoT ships have a reduced number of emergency stops and length of recovery periods.
Cargo transport is another component of maritime operations that IoT systems have improved. A recent innovation that is expected to be very beneficial is hull-specific sensory firmware. Sensors in the hull that constantly transmit data to ship operators will keep the crew apprised of how cargo is shifting and how that impacts the ship and equipment; providing information such as where the hull might be under too much pressure and whether equipment repairs are needed. As with the engine and power units, this information allows ship operators and port crews to prepare and troubleshoot before any abnormalities become crises.
This applies to both vessels and onshore operations. “Logistics planning of all cargos and accuracy of port operation management have [a] large impact on the efficiency of port operation,” report Hiekata et al in Systems analysis for deployment of internet of things (IoT) in the maritime industry.
“By constantly monitoring cargo movement and operation with IoT technology, it is expected that adequate port operation will be possible.”
These benefits of IoT technology make it clear why maritime industry is embracing the IoT approach. However, Cpt Tama is not alone in pointing to IoT as a major reason the maritime industry is cyber “insecure.” The President and Chief Executive Officer of the Chamber of Shipping of America, Kathy Metcalf, agrees. During an October 2020 panel discussion she said, “With enhanced technology, the interconnectivity—while improving the efficiency of the system itself—also presents multiple nodes which provide opportunities for cyberattacks.”
Vessel & Port Vulnerability
The Interconnectivity inherent to IoT systems leads to overall vessel and port vulnerability because it means that an attack on one device or system is very easily spread to all systems onboard and even those onshore. A cyber-attack may target the firmware monitoring a ship’s cargo-moving equipment, which in itself is a non-essential system but shares a network connection with, and is constantly transmitting data to, critical systems throughout the ship. The interconnected nature of IoT environments also magnifies the other the vulnerabilities that tend to be present in IoT systems.
According to a survey of IoT vulnerabilities by Natalia Neshenko et al for the National Science Foundation, there are several such aspects of IoT systems that make them vulnerable to cyber-attack when implemented in a maritime context. One is the use of legacy hardware and software. Dr. Xavier Bellekens of the Institute for Signals, Sensors, and Communications, University of Strathclyde referred to this problem when he said, “In its current state, the maritime industry is a prime target due the many moving parts of ports and vessels, the increasing attack surface (e.g. adding connectivity to devices that had never been thought to be connected), the current lack of security and privacy by design.” The software systems and Operational Technology (OT) on many ships pre-date the IoT trend and were not designed to be part of an integrated network. Therefore, cyberthreat detection and protection is often not an inherent part of the software running maritime systems. Those measures must be added on later, namely through patches and updates.
Patches, or revised code designed to layer onto and improve embedded software can be effective in addressing known attack vectors and enhancing overall function. However, Neshenko et al note that patches and updates are not an infallible solution. They require maritime system manufacturers and end users to regularly apply the patches and updates, which research has showed is often not the case, leading to protection gaps. Furthermore, sometimes the patches themselves can be dangerous. Neshenko et al state, “even available update mechanisms lack integrity guarantees, rendering them susceptible to being maliciously modified and applied at large.”
Energy capacity is another characteristic that leaves maritime systems vulnerable. For the purely hardware components of a vessel, connection to the IoT does not require overly-sophisticated firmware sensors. Temperature or motion monitoring, for example, likely only require a straightforward signaling device not equipped with complex energy supply technology. Without the ability to mitigate and generate energy flow, a barrage of data and messages, either real or fake, cyber-attackers can overwhelm these sensors with will overwhelm these sensors until they shut down.
Other weaknesses specific to the software components of an IoT system are poor encryption and programming. In A large-scale analysis-scale analysis of the security of embedded firmwares by A. Costin et al found that across 693 firmware images there were 38 previously unknown vulnerabilities. These issues are typically another result of running legacy systems, which were coded before the latest developments in encryption and software design became widely practiced. They can also result from rushed firmware development and lack of adequate cyber training in the maritime field.
The maritime cyber threat is not confined to civilian operations. According to Dr. Erica Mitchell of the Army Cyber Institute at West Point, the Army will send equipment overseas through civilian shipping channels. Therefore, the threat of maritime cyberattacks not only impacts civilian industry, but puts deployment schedules, military resources, and deploying troops arriving before their equipment at risk.
Beyond the overlap of civilian and military maritime activity, maritime military operations face constant cyber-attacks, making cybersecurity innovation in the defense arena a necessity for the future.
The Navy has long understood both the technical and strategic advantages of IoT-type sensory connectivity and is well-aware of the risks. Through systems such as PLUSNet, the Navy uses a network of distributed sensors and data-gathering firmware to build the detection and communication capabilities necessary for undersea dominance. The Naval concept of a “distributed sensor field” could be equated to a large-scale IoT system. It uses both mobile sensors, such as Unmanned Undersea Vehicles (UUVs) and Aerial Unmanned Vehicles (AUVs), and fixed sensors, such as Sonobouys, to create a network of acoustic and RF gateway signals that are continuously reporting on the environment and monitoring for potential threats.
There are measures in place to protect these data-gathering networks, such as using lower frequency signal transmissions, which create frequency waves that are larger and slower, and therefore less detectable. However, with the pace of innovation between the United States and its adversaries’ sensory firmware can quickly fall under the “legacy” classification, opening the door for patching gaps and even for the same energy-centric attacks described above for civilian IoT networks.
U.S. Navy Cybersecurity Strategy
These dangers are in part why the Navy has a robust cybersecurity strategy that continues to evolve and improve. According to Space and Naval Warfare Systems Command’s (SPAWAR) Anatomy of Attack publication, a cyber-attack can be described as a series of eight steps or a “kill chain.” The steps are: motive, discover (data-gathering on target), probe (identify vulnerabilities), penetrate, escalate, expand, persist, and execute. The Navy’s Next Generation Network (NGEN) is designed to prevent the initiation of these “kill chains” and includes enterprise-wide network firewalls, or software that monitors data transmission through maritime networks and will block any packets, or small units of data, that violate coded in security “rules.” Anti-virus and multi-factor identification software are heavily employed as well. Notably, according to the Navy’s National Cybersecurity Framework Handbook, a “scan-patch-scan" system requires all systems to check for and implement patches or updates on a monthly basis. This avoids the civilian industry pitfall of faulty or unused patches.
Another notable element of the Navy’s cybersecurity measures is the implementation of SPAWAR’s technical control system. The technical control system model is unique in assigning the “controls,” or the firewalls, vulnerability scanners, and other countermeasures, equal roles. No control node dominates or instructs another, rather they work equally to halt the “kill chain” progression.
“The key is defining interfaces between systems and collections of systems called enclaves,” said Vice Admiral David Lewis, a former commander of SPAWAR, “while also using ‘open architecture.’” Open architecture is crucial to ensuring that new innovations in cyber defense can be easily added to existing cyber controls, in the form of patches or updates, for example.
The Navy’s maritime cyber defense developments prove that cybersecurity at sea is not an unreachable goal. Yet, experts are increasingly warning that civilian maritime cyber-defense requires both a change in technical and policy best-practices.
On the technical side, data encryption must become a common component of firmware in the IoT. Regular software patching, firewalls, and multi-factor authentication must be more widely implemented across systems such as GPS, Electronic Chart Display and Information Systems (ECDIS), and Automatic Identification Systems (AIS).
Creating a policy of cybersecurity collaboration across military and civilian maritime operators is equally important. A representative from the Office of Maritime Security, Maritime Administration, US Department of Transportation told Warrior Maven that “maritime industry executives have limited information about cybersecurity threats."
Sharing information on cyber-attacks and incidents across military and civilian lines will build a much clearer picture of the latest cyber threats and how to combat them. As the Office of Maritime Security representative said, “Having this complete cybersecurity threat picture is key to making corporate cost-benefit decisions on increased investments in cybersecurity, and to ensuring that those investments achieve the best possible cybersecurity protections.”
-- Katherine Owens is a Junior Fellow at Warrior Maven. She previously wrote for Defense Systems and holds a B.A. in International Affairs from the George Washington University, where she studied security policy and specialized in arms control and nuclear deterrence. Katherine will be attending Columbia University in Fall 2021 where she will pursue an M.A. in Political Science from the Columbia University Graduate School of Arts and Sciences.