By Jason P. Atwell, Principal Advisor of Global Intelligence, Mandiant, Inc.
As the war in Ukraine drags on, the maritime industry will continue to feel mounting pressures, not least of which is the exploitation of the environment by cyber threat actors. Russia knows how critical the maritime sector is to both its own survival and the effectiveness of its opponents’ military and economic counter-moves.
The Black Sea plays a critical role in Russia’s strategic aims in its invasion of Ukraine, as depriving Ukraine of access to this body of water will severely degrade its independence as a nation state. The Baltic Sea and its ports account for 70-85% of all the oil exported from Russia, while the Arctic Ocean and its associated terminals account for most of the rest, meaning these two bodies of water are critical to Russia’s economic health. The Arctic in particular will be crucial to any efforts Russia makes to free its oil and gas industry from sanctions by bypassing “unfriendly” nations’ ports and waters. Finally, Russian-flagged vessels are rapidly being banned from most western ports, further solidifying the maritime sector as critical to Russia’s ability to prop up its economy and wage war.
On the other side of the equation, deep water ports are the most efficient way to move large military cargoes into Europe, both to reinforce NATO forces and to get heavy weapons to Ukraine. Whether it be the most advanced Russian threat group or lowly criminals, or even other actors like China and Iran seeking to take advantage, it is likely only a matter of time before a major cyber incident in the maritime domain makes its mark on this conflict.
What then can individual ship captains and harbor masters do to survive in this fraught threat environment?
Protecting yourself from Russian hackers or intelligence operatives as well as cyber criminals or hacktivists might sound like a tall order when the number of safety, navigation, technology, and training needs is already among the highest of any industry. The rapid digitization and optimization of maritime supply chains has produced a tech-heavy industry, but also one with a far larger attack surface than ever before. Securing and defending this attack surface means a renewal of efforts to define the roles played across the enterprise when it comes to cybersecurity, especially in the face of a crisis like the war in Ukraine. This means that everyone, from a tugboat crewman to a crane operator to a maintenance worker on an oil rig, can play a role in this effort. The good news is that many of the best practices are relatively simple and can be incorporated into existing safety checks and operating procedures.
Starting at a very high level, decision-makers in the maritime sector can reexamine the role technology plays in their ability to operate. This means revisiting technology supply chains to analyze exposure to products manufactured in places like China or Russia that could prove vulnerable. It also means revisiting risk management when it comes to technology. Decision-makers should be asking themselves what the likelihood and impact of the disruption of any deployed technology is before integrating it into their operations.
A level down from this, technology operators should be ensuring now more than ever that any equipment reliant on a computer or network connection is appropriately shielded, whether that be through software updates, limiting physical access, or through strong, cycled passwords. This applies to everything from navigation systems aboard ships to the computers used for scheduling and inventories at ports. At this level it is also critical that the footprints and signatures of these devices are managed appropriately; that is to say, accurate inventories, as well as complete knowledge of what is and isn’t networked or connected, are paramount to securing them.
Finally, at the individual level, we all play a role in cybersecurity, especially in a rapidly evolving threat environment. That means not sharing passwords, holding one another accountable for bad practices surrounding passwords (sticky notes or repeated patterns anyone?), being appropriately suspicious of unsolicited email, social media direct messages, and cellular texts that could be phishing, and not trusting items like USBs when their origin is uncertain. All of these elements together help harden any organization against the most likely and common attacks.
Additionally, the collaborative discussions across management and team levels need to pick apart the “what ifs” of networks and technology in this environment. Crews should demand that those ashore consider what the impact of a new system being hacked or degraded would be to its operators, while those making procurement decisions should also implement corresponding security controls whenever providing a system to an operator. Organizations also need strong continuity programs and incident response planning to ensure resilience and survivability in the event of a large-scale breach or ransomware attack.
Given the current cyber threat environment, organizations should plan for the eventuality, not the possibility, of an attack. It is never too late to put in place the proper retainers and relationships, both internal and external, that will be central to weathering a cyber attack. Every individual at every level of an organization has an important role to play.
Jason P. Atwell is the Principal Advisor of Global Intelligence at Mandiant, Inc., the global leader in dynamic cyber defense and response.