In late May, the U.S. Coast Guard issued a marine safety bulletin warning that commercial vessels were being targeted by deceptive email messages and malicious software. The notice reinforced past warnings from the service.
Cyberawareness has grown after two of the world’s biggest shippers were attacked electronically in the past two years. Company networks and shipboard computer systems are at risk.
“Cyber adversaries are attempting to gain sensitive information, including the content of an official notice of arrival, using email addresses that pose as an official Port State Control (PSC) authority, such as firstname.lastname@example.org,” the Coast Guard said in the bulletin. Ships submit notices of arrival to the National Vessel Movement Center before entering a U.S. port. NOAs are considered critical to port operations and security.
Suspicious activity and breaches of security must be reported to the Coast Guard National Response Center, which can be reached at (800) 424-8802, the bulletin said. Attempted cyberattacks that don’t impact a vessel’s operations or cause pollution can be reported 24 hours a day to the National Cybersecurity and Communications Integration Center at (888) 282-0870.
Port authorities are on the lookout for cyberthreats. In Port Fourchon, the southern Louisiana oil and gas hub, vessels “are better prepared to defend against cyberattacks than in the past,” said April Danos, the port’s director of homeland security and technology. “We have provided yearly FSO or facility security officer training, where we bring in the Coast Guard to brief vessel owners about the latest cybertrends and about the service’s policies, especially its CG-5P Policy Letter 08-16.”
The CG-5P letter from Rear Adm. Paul Thomas, dated December 2016, provides instructions on reporting suspicious cyberactivity and security breaches. It says any vessel or facility owner or operator who is required to have an approved security plan under Title 33, Code of Federal Regulations, Subchapter H, must report cyberthreats promptly to the National Response Center.
Danos said vessel owners at Port Fourchon “counter cyberattacks by providing cybersecurity training to crew and with the help of port security staying up to date and aware. Those are our greatest mitigation tools.”
In June 2017, A.P. Moller-Maersk, the world’s top container operator, was struck by a virus that nearly shut down its computers, forcing the Danish shipper to halt operations at many of its 76 port terminals. Maersk’s terminal at Pier 400 in Los Angeles was closed for five days. The attack cost the company an estimated $200 million to $300 million.
In July 2018, China’s COSCO Shipping Lines suffered a cyberattack that spread from the company’s Port of Long Beach terminal and through its operations in the Americas. COSCO said its ships continued to navigate, however.
In an effort to prevent attacks, the Baltic and International Maritime Council (BIMCO) in Denmark, together with other shipping groups, released “Guidelines on Cybersecurity Onboard Ships” in January 2016. The London-based International Maritime Organization published its own cyberguidelines in mid-2017. The IMO has given shipowners until Jan. 1, 2021, to incorporate cybersecurity policies in their safety management system codes, and has warned that vessels that don’t comply could be detained.
In a maritime cybersecurity survey released in October by Jones Walker LLP in New Orleans, nearly 80 percent of large U.S. company respondents (with over 400 employees each) and 38 percent of all survey participants said they’d been a cyberattack target in the past year. Ten percent of respondents said their data was breached. All of the large companies said they were prepared to prevent a breach, but only 19 percent of mid-size firms and 6 percent of small firms said they were ready.
“Remote threats have remote mitigation techniques,” Danos said. But as Port Fourchon’s homeland security director, she noted that “it’s always been local threats, or initial actions taken locally, that pose the greatest danger.”