The Norwegian Maritime Directorate and the Norwegian Coastal Administration have focused on a number of challenges identified in the Report on strategy for maritime digital security 2020. In its 2022 Risk Report, the Norwegian National Security Authority (NSM) points to a threefold increase in the number of serious incidents and cyber operations from 2019 to 2021. The corresponding report for 2023 addresses the issue that there are many vulnerabilities in unclear supply chains, and that with more unpredictability the industry needs to be better prepared. The maritime industry has worked with digitalization in both traditional information technology systems (IT systems) and in operational technology in systems for automation, propulsion, management and other control systems. The greater the use of remote connection, integration and digitization in operational technologies, the more vulnerable the operation can be. At the same time, the lifetime of larger ships is generally between 25 and 35 years, and digital upgrades in the entire international fleet usually happen gradually and over time. There is great variation in computer equipment on board both for administrative functions and control systems. The situation is much the same as for ports, where more and more operations are being automated. When it comes to port traffic alone, incidents have been uncovered that have result from cyber attacks IT and administrative systems. These lead to business interruptions, information theft and manipulation linked to smuggling.
European ports are preparing for a major regulatory change next year in how the hundreds of companies in their global supply chains address cybersecurity as ports have become a target for criminal hacker groups and state-sponsored attacks. Cybersecurity rules approved by the European Union for pharmaceuticals, transportation, energy and other critical infrastructure companies are set to take effect in 2024 and will require hundreds of firms that operate out of Europe’s big ports to use basic security measures and report hacks to cybersecurity authorities. The regulation will be the first such cybersecurity requirements for many companies that provide services to critical sectors. Violators face fines of up to 10 million euros, equivalent to roughly $10.7 million, or up to 2% of global revenue, whichever is higher. The war in Ukraine, rising energy prices and supply-chain disruptions during the pandemic have put port authorities on high alert for a rising number of cyberattacks. Ports in cities such Rotterdam in the Netherlands and Antwerp in Belgium, Europe’s two largest ports by cargo volume, are hubs for energy infrastructure and other critical sectors. A cyberattack three weeks before Russia invaded Ukraine in February 2022 disrupted operations at energy storage and distribution companies and a large terminal operator in Antwerp and other Belgian and Dutch ports.
The Cybersecurity and Infrastructure Security Agency and the U.S. Army Corps of Engineers released a new guide to bring together private and public stakeholders in assessing risk and enhancing resilience to better protect ports and other critical maritime infrastructure from potentially crippling effects of myriad adverse events from natural disasters to physical and cyber attacks or pandemics. The agencies co-developed the Marine Transportation System Resilience Assessment Guide (MTS Guide) to map out resilience assessments so that decision makers in industry, federal agencies, and local governments can operate from a shared understanding and have access to planning tools and important data. “The Maritime Transportation System Resilience Assessment Guide is integral to the development of a unified approach to address resilience indicators for port infrastructure systems, and functions that assess the key dimensions of critical infrastructure in the maritime domain,” Executive Assistant Director for Infrastructure Security Dr. David Mussington said.
Cybersecurity experts have called for the Cybersecurity and Infrastructure Security Agency to establish a test bed to probe the security of maritime equipment in a new report published as part of the Cyberspace Solarium 2.0 initiative. According to the report, the Department of Homeland Security agency should set up a maritime operational technology supply chain testing capability, akin to the Department of Energy’s Cyber Testing for Resilient industrial Control Systems (CyTRICS) program. The proposals come amid rising concerns about the vulnerability of critical United States ports and in response to several major cyberattacks on vulnerable European infrastructure targets last year. Current collaboration between the United States Coast Guard and CISA’s National Infrastructure Simulation and Analysis Center could facilitate the creation of a test bed program for maritime technology, according to the report. “The program can begin by testing for cybersecurity vulnerabilities in foreign-manufactured cranes in U.S. ports – as mandated by the National Defense Authorization Act (NDAA) of the fiscal year 2023 – and then expand into broader, systemically important maritime OT.”
After 70 customers were affected by the attack on 7 January, the classification society said a police investigation into the incident continues. DNV said it continues to have a regular dialogue with all affected ShipManager customers. "These customers have been advised to consider relevant mitigating measures depending on the types of data they have uploaded to the system. All affected customers were informed about their responsibility to notify relevant Data Protection Authorities in their countries," DNV said. DNV said it reported the cyber attack to the Norwegian Police, who are still investigating the attack. The attack was also reported to the Norwegian National Security Authority, the Norwegian Data Protection Authority and the German Cyber Security Authority.
Maersk denies it has been cyber-attacked by hacker group Anonymous Sudan, despite leaked customer credentials appearing on social media. The group posted a .txt file with several usernames and passwords of Maersk customers on its telegram channel, alongside AI art and threats of attacks against other Swedish and Danish companies, citing as its motivation “their burning of the Quran”. “We have more data, this is just a sample,” read the post, but Maersk says it is not obvious whether the data is current.
Dutch maritime logistics company Royal Dirkzwager has confirmed that it was hit with ransomware from the Play group, the latest in a string of attacks targeting the shipping industry. Company CEO Joan Blaas, who bought the company in October after it went bankrupt the month prior, told The Record the ransomware attack did not have an effect on operations but did involve the theft of data from servers that held a range of contracts and personal information.