USCG: Malware Attack Exposes Cyber Vulnerabilities at Sea
On Monday, the U.S. Coast Guard issued a marine safety alert to warn the maritime community of a potentially serious cyber incident aboard a merchant ship early this year. In February, during an international voyage to the Port of New York and New Jersey, an unnamed deep draft vessel reported that it had been affected by a malware attack. A Coast Guard-led team analyzed the vessel’s network and found that while the malware had "significantly degraded" the network’s functionality, essential control systems had not been affected.
However, the team determined that the vessel was operating without effective cybersecurity measures in place, exposing safety-critical control systems to "significant vulnerabilities." What is more, these risks were "well known among the crew" prior to the incident.
To address the deficiencies that came to light in this incident, the Coast Guard provided a short list of simple starting points for cyber hygiene. These include:
- Use individual credentials for each employee on the network, not just one generic username and login for everyone. Avoid the use of administrator accounts for non-administrator purposes.
- Do not use USB sticks without scanning them for malware first on a standalone, isolated computer system.
- Segment your computer networks into subnetworks to make it harder for an adversary to gain access to essential systems.
- Use basic antivirus software and update it regularly.
- Install patches and updates for computer software and operating systems regularly. Patches are often issued to fix known security vulnerabilities.
- Conduct cybersecurity assessments to understand the extent of cyber vulnerabilities.
"It is unknown whether this vessel is representative of the current state of cybersecurity aboard deep draft vessels," the USCG said. "It is imperative that the maritime community adapt to changing technologies and the changing threat landscape by recognizing the need for and implementing basic cyber hygiene measures."
The advisory drew an incredulous response from several cybersecurity experts. "What comes as a shock to me, if I am honest, is that the measures which the Coast Guard 'strongly recommends' . . . are hardly advanced in nature," wrote cybersecurity reporter Davey Winder for Forbes. "That [this list] was the outcome of the investigation speaks volumes for the lack of security awareness at sea."
The incident is far from the first account of an onboard malware attack. The 2018 edition of the ICS Guidelines on Cyber Security Onboard Ships describes two incidents in which outside vendors accidentally introduced malicious software into a ship's systems, including one incident affecting a ship's electronic power management system and another affecting the ship's business network.