
Emerging Technologies Broaden Attack Surface as Cyber Criminals Target Critical Marine Transportation System

A new U.S. Coast Guard Cyber Command report on cybersecurity trends in the maritime environment said that organizations in the marine transportation system showed cybersecurity deficiencies in 2022 similar to those of the previous year, while emerging technologies, including cloud-based environments and AI, introduce new attack vectors to the marine environment.

Timely information sharing of incidents was also stymied in 2022 as “many organizations remain reluctant to report or share information with the Coast Guard or other partners,” though CGCYBER did see “a promising increase in voluntary reporting” last year. Cyber criminals, meanwhile, continue to target vessels, ports, shipyards, companies, and other points in the marine transportation system with phishing and malware.

The marine environment — through which about $5.4 trillion flows on an annual basis — includes 25,000 miles of coastal and inland waterways, 361 ports, 124 shipyards, and more than 3,700 maritime facilities. In addition to 20,000 bridges, there are 95,000 miles of shoreline that interconnect with highways, railways, airports, and pipelines. Under the sea, cables carry 99 percent of U.S. communications abroad.

A cyber attack on the port environment can compromise physical facility access control systems, manipulate terminal and gate operating systems for the purpose of leaking sensitive supply chain data or facilitating smuggling or cargo theft, stop port operations by compromising the terminal headquarters, compromise operational technology systems such as cranes in a way that leads to loss of life or property, tamper with positioning, navigation, and timing (PNT) so that vessels cannot safely navigate a port, or compromise shipboard systems with impacts to safety or cargo.

“Since the Coast Guard released its first Cyber Strategy in 2015, we have observed events reinforcing that cyberspace remains a contested domain including the exploitation of Federal government information networks, attacks on maritime critical infrastructure, and adversarial efforts to undermine our democratic processes,” Rear Adm. John C. Vann, commander of U.S. Coast Guard Cyber Command, wrote at the outset of the report. “…Our deployable cyber forces will stand ready to augment field commanders with subject matter expertise, assessment, and incident response capabilities, as well as critical infrastructure support in the identification and mitigation of cyber risk and threats looking to harm the Marine Transportation System, the backbone of the United States’ economy.”

The 2022 Cyber Trends and Insights in the Marine Environment scorecard reported a 20 percent increase in cyber event reporting in 2022 compared to the previous year, with the average cost of a data breach totaling $4.82 million. Half of the Coast Guard Cyber Protection Teams’ missions gained access through phishing, and the teams had a 59 percent success rate when brute-force cracking passwords (the easiest passwords to crack were 13 characters or under). The CPTs also identified 139 known exploited vulnerabilities.

The Coast Guard’s Maritime Cyber Readiness Branch and local units investigated 59 cybersecurity reports in 2022, including “several large-scale incidents affecting multiple organizations at once.”

Cyber events reported to Coast Guard Cyber Command in 2022 included phishing at sectors Guam, Buffalo, Columbia River, Los Angeles/Long Beach, Corpus Christi, Houston/Galveston, Jacksonville, Lake Michigan, Lower Mississippi, Maryland/NCR, Sault Ste Marie, Virginia, Delaware Bay, New Orleans, New England, and San Juan. Ransomware was reported at sectors Puget Sound, Los Angeles/Long Beach, Houston/Galveston, Mobile, San Diego, New Orleans, Jacksonville, Boston, and Long Island Sound.

“In 2022, criminals were observed targeting back-up systems to make recovery more difficult and to increase pressure on the executive decision makers to pay the ransoms,” the report noted. “In addition to financial extortion, these incidents often result in months of reduced operational capacity and potential reputational impacts.”

Last year CGCYBER also reported seeing “a significant increase in malicious cyber actors targeting liquified natural gas processors/distributors and petrochemical companies” with actions including “increased reconnaissance, scanning, sophisticated spear-phishing campaigns, and ransomware.” The Coast Guard said it likewise witnessed “several significant cyber-attacks targeting maritime logistics integrators and technology service providers,” including ransomware attacks that “are particularly concerning due to the extent of the second order impacts” on the supply chain and other maritime organizations.

Maritime transportation system partners fully mitigated 62 percent of all exploitable findings — an increase from 48 percent in 2021 — and 31 percent were partially mitigated within six months of a CPT Assess mission. Just 8 percent had no action taken to date, down from 12 percent who let findings slide the previous year. “These metrics validate the conclusion that organizations in the ME can take quick and effective action to reduce their attack surface, particularly if they understand the business impacts associated with the risks,” the report said.

During those CPT missions, the Coast Guard reported that 9.3 percent of phishing emails were clicked by a user and 76.4 percent of those users provided credentials when requested.

Nearly all of the passwords — 97.1 percent — cracked by USCG teams followed at least three complexity requirements ensuring that users include an uppercase letter, lowercase letter, number, or symbol, “showing that most users implement these requirements into their passwords in predictable ways without increasing the overall difficulty to crack the password.” Other issues included weak password policies, a lack of multi-factor authentication, poor patch management, outdated operating systems or applications that did not support updates, user training or account management weaknesses, and privileged account management.

The 2021 report noted a 68 percent increase in reported maritime cyber incidents. U.S. Coast Guard Cyber Command’s first Cyber Protection Team — deployable special forces that assess threats and vulnerabilities, identify the presence of adversaries on networks and systems, and respond to cyber incidents — attained full operational capability in May 2021, with the second team following in November 2021. CGCYBER’s Maritime Cyber Readiness Branch, tasked with translating “cybersecurity details into measurable operational risk,” investigated 47 cybersecurity incidents in 2021 “including several large-scale incidents affecting multiple organizations at once.” As of October 2021, Maritime Transportation Security Act-regulated facilities have operated under requirements to address cyber vulnerabilities.

Looking ahead to the remainder of this year and 2024, the Coast Guard stressed that “implementation and adaptation of emerging technologies is vital for organizations within the ME to remain up to date” and the public and private sectors should work together to mitigate risks as the Internet of Things and cloud technology increasingly connect ports and ships — and further increase the attack surface.

“Automation and artificial intelligence (AI) advances in port operations leverage massive amounts of data across an enterprise to streamline the processes for operational technology (OT),” the report said. “These advances also depend on increased integration between OT and Information Technology (IT) networks. This interdependency creates new vulnerabilities for OT network defenders by increasing the opportunities for adversaries to access these sensitive systems starting from the Internet. Industry partners will need to implement safety controls, network segmentation, and various other defenses to mitigate these vulnerabilities.”

Bridget Johnson
Bridget Johnson is the Managing Editor for Homeland Security Today. A veteran journalist whose news articles and analyses have run in dozens of news outlets across the globe, Bridget first came to Washington to be online editor and a foreign policy writer at The Hill. Previously she was an editorial board member at the Rocky Mountain News and syndicated nation/world news columnist at the Los Angeles Daily News. Bridget is a terrorism analyst and security consultant with a specialty in online open-source extremist propaganda, incitement, recruitment, and training. She hosts and presents in Homeland Security Today law enforcement training webinars studying a range of counterterrorism topics including conspiracy theory extremism, complex coordinated attacks, critical infrastructure attacks, arson terrorism, drone and venue threats, antisemitism and white supremacists, anti-government extremism, and WMD threats. She is a Senior Risk Analyst for Gate 15 and a private investigator. Bridget is an NPR on-air contributor and has contributed to USA Today, The Wall Street Journal, New York Observer, National Review Online, Politico, New York Daily News, The Jerusalem Post, The Hill, Washington Times, RealClearWorld and more, and has myriad television and radio credits including Al-Jazeera, BBC and SiriusXM.
