A Marine Safety Information Bulletin issued this month cautions the maritime industry that even if they haven’t used SolarWinds Orion they might still be hurt by the continued exploitation of the software.
In December, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued an emergency directive “in response to a known compromise involving SolarWinds Orion products that are currently being exploited by malicious actors,” calling on “all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.”
Through breaching the SolarWinds Orion products, an attacker was able “to gain access to network traffic management systems,” the directive said, stressing that “disconnecting affected devices… is the only known mitigation measure currently available.” About 18,000 entities downloaded the malicious update.
Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger told reporters last week that the investigation continues but nine federal agencies are known to have been compromised along with “about 100 private sector companies,” mostly in the technology sector — “including networks of companies whose products could be used to launch additional intrusions.”
The MSIB says that the Coast Guard “continues to monitor the maritime impact from the ongoing Advanced Persistent Threat (APT) cyber incident,” which “will require a sustained and dedicated effort to remediate.”
“Even if you do not own SolarWinds Orion, you may be impacted as your third-party networks, services, and vendors may use SolarWinds Orion,” the bulletin continues. “It is critical that the Coast Guard understands the potential risks of this APT actor on marine transportation system networks and supply chain connections. Reporting malicious cyber activity enhances maritime domain awareness and allows us all to be better postured to prevent and respond to cyber incidents that could disrupt commerce or jeopardize national security.”
Any owner or operator of a Maritime Transportation Security Act (MTSA)-regulated facility or vessel utilizing SolarWinds software to support a critical security function is asked to report a security breach if they have downloaded the trojanized SolarWinds Orion plug-in or “note any system with a critical security function displaying any signs of compromise, including those that may have not originated from the SolarWinds Orion compromise but utilize similar TTPs.”
Recommended open-source tools — including Sparrow, developed by CISA — can help detect and respond to potential breaches from the SolarWinds hack.
“Any potential threat to the physical security or cybersecurity of your vessel or facility should be taken seriously,” the bulletin states, adding that breaches or suspicious activity should be reported to the National Response Center at 1-800-424-8802.
The USCG Office of Commercial Vessel Compliance also updated the Vessel Cyber Risk Management Work Instruction on Feb. 18 to include a compliance timeline for Non Safety Management System vessels that are subject to the Marine Transportation Safety Act of 2002. These vessels are required to address cybersecurity vulnerabilities within their Vessel Security Assessment no later than Dec. 31.
“As maritime operations become more reliant on the systems integrated through automation, cyber risk is an area of increasing concern in the Marine Transportation System,” the document states. “The USCG recognizes that not all shipping companies and ships are alike, and therefore the SMS provides shipping companies the ability to tailor a structured system to address evolving cybersecurity vulnerabilities unique to a company/vessel’s specific management and operations.”
The Coast Guard “expects that U.S. flagged vessels and companies will incorporate cyber risk management into their SMS. Additionally, as a port state… companies with foreign flagged vessels that call on ports in the U.S. should ensure cyber risk management is appropriately addressed in their SMS no later than the first annual verification of the company’s Document of Compliance (DOC) after January 1, 2021.”