U.S. Coast Guard responds to a cyber incident aboard a vessel

A recent security advisory from the U.S. Coast Guard provides interesting details about a cyber incident that occurred in February 2019 aboard a deep-draft vessel (no further details were provided). The vessel, which was sailing on an international route bound for the Port of New York and New Jersey, notified the Coast Guard that it was experiencing a significant cyber incident affecting its onboard IT network.

A team composed of several experts from different government agencies, led by the U.S. Coast Guard, responded to the report and conducted an analysis of the vessel’s network and its critical control systems. The team concluded that although the malware had significantly degraded the performance of onboard computers, the ship’s essential command and control systems had not been affected.

However, the investigators noted that the vessel was operating without any cybersecurity measures in place, exposing its critical control systems to significant vulnerabilities. This security risk was apparently well known to the crew. Although most crew members did not use the ship’s computers to check personal email, shop online, or access bank accounts, the network was used for official communications. Electronic chart updates, cargo management, and communications with pilots, agents, the Coast Guard, and other shore-based organizations all relied on this network.

The U.S. Coast Guard stated that it is difficult to determine whether this vessel reflects the general state of cybersecurity across other deep-draft ships. Nevertheless, with ship engines now controlled through digital interfaces and with growing dependence on electronic charts and navigation systems, protecting these systems with dedicated cybersecurity measures is essential—just as important as physical ship security or routine mechanical maintenance.

The Coast Guard also stressed that the maritime community must adapt to technological evolution and organize itself to face emerging threats by recognizing the need for basic cyber hygiene and implementing appropriate safeguards. Among the measures recommended (none particularly surprising) are the following:

  • Network segmentation: flat networks allow an adversary to move easily across connected systems. Segmenting networks into sub-networks makes lateral movement more difficult.
  • Strict identification and authentication: eliminate generic accounts and create individual user profiles. Require authentication using passwords or smart cards, and limit access privileges to the minimum necessary for each user. Administrative accounts should only be used when strictly required.
  • Caution with removable media: the incident revealed that cargo information was often transferred ashore using USB drives. These devices were traditionally connected directly to the ship’s network without prior antivirus checks. All external media should be scanned in an isolated antivirus station before being connected to onboard systems. Executables from unknown sources should never be launched.
  • Install basic antivirus software: fundamental cyber hygiene can prevent incidents before they affect operations. Antivirus software should be installed and kept up to date.
  • Apply operating system patches: patch management is a basic component of good cyber hygiene. Vulnerabilities affecting operating systems and applications evolve constantly and must be addressed promptly.

Maintaining effective cybersecurity is not only an IT concern but also a fundamental operational requirement in the 21st century. The Coast Guard encourages all maritime owners and operators to conduct cybersecurity assessments in order to better understand the extent of their vulnerabilities.

They also remind the industry that the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) provide many free resources to help shipowners evaluate their networks and identify cyber vulnerabilities. In the United States, dedicated cyber response groups—called Hunt and Incident Response Teams (HIRT)—operate under the National Cybersecurity and Communications Integration Center (NCCIC). These teams are capable of investigating cyber incidents and responding by providing containment, remediation, and recovery support to both government organizations and private companies.

Any organization can request assistance from HIRT through its website (https://www.us-cert.gov) or by calling the 24/7 hotline at (888) 282-0870. One can only hope that similar structures will eventually be developed in France as well.