The investigation into Baltimore’s Francis Scott Key Bridge collapse has only just begun, but we’ve already seen news reports containing an unclassified memo from the Cybersecurity and Infrastructure Security Agency (CISA) and comments from the Department of Homeland Security concerning the cause. Maryland Governor Wes Moore said he could confirm that "The crew notified authorities of a power issue," adding that the ship had lost power before smashing into one of the columns supporting the bridge. At this time, there is no evidence that the incident was anything more than a tragic accident, but the involvement of these U.S. government agencies indicates concern about a possible cyberattack.
Those concerns are highly warranted. For some time, maritime cybersecurity has been top of mind for regional, national and global policymakers. In February, the Biden administration issued an executive order to bolster and safeguard critical maritime infrastructure across the United States. Other countries and regions are on alert as well. NIS2, the updated Directive from the European Union slated to go into effect later this year, also addresses maritime cybersecurity. The International Maritime Organization’s (IMO) cybersecurity guidelines encourage shipping companies and vessel operators to address cybersecurity risks and implement measures to protect their assets, as do frameworks and guidelines from additional regulatory bodies.
Vulnerable maritime systems
The numerous operational technologies (OT) on seafaring vessels have kept pace with digital transformations in other industries. Once powered solely by onboard fuel and propelled by engines, modern ships are hybrids, utilizing a combination of solar energy and fossil fuels in concert with a variety of smart engines. Modern propulsion systems now employ multiple connected technologies that reduce fluid friction and optimize performance. But these and other technologies can be cyber-compromised.
There are plenty of onboard systems to attack. Hackers are known to intercept satellite communications used extensively by ships at sea. They can also spoof or jam GPS systems, manipulate the Automatic Identification System (AIS), steal vital data, or inject malware or ransomware into any number of onboard systems via infected devices or files. Such attacks can throw a ship off course. When combined with a compromised propulsion system, the consequences can be horrific.
Attacks on operating vessels aren’t the only vulnerabilities that shippers need to be concerned about. Risk starts early in the shipbuilding process. The long, complicated process of shipbuilding introduces a complex supply chain, where numerous parts and software products originating from multiple locations and a variety of international vendors become part of the ship’s essence. During manufacture, ship components may be compromised with latent malware, as threat actors patiently wait for the right future moment to interfere with communication or navigation systems, or to exploit a remote-access backdoor to take control of the ship.
Ports and offshore facilities are also major elements of the maritime ecosystem, and they expose a collection of additional attack surfaces. Equipment and systems operating on loading docks and even oil rigs are inviting targets. These communicate with ships and can unknowingly share malware. Equipment and systems — from Chinese-made cranes to container-stacking machinery to drilling mechanisms — are in the hacker’s sights.
Consequences of maritime cyberattacks
Regardless of whether this disruptive, deadly crash was an unfortunate accident or the result of a repugnant cyberattack, it highlights the potential consequences of cyber terrorism on the maritime industry. Contacting just one column of the 1.6-mile-long bridge, the ship was able to bring large portions crashing into the water and tragically end the lives of six construction workers.
The economic damage is extensive. The Port of Baltimore — one of the busiest car import/export points in the US and home to some of the largest retailer distribution centers like FedEx, Amazon, and Home Depot — is shut down until further notice. Many of the 15,000 employees who work directly for the Port and 140,000 other employees supported by the Port’s ecosystem are out of work.
Meanwhile, the Key Bridge, a vital road transportation route, is shut down indefinitely, forcing 30,000 daily commuters to find alternate routes.
Shielding the maritime industry
Safeguarding maritime vessels and infrastructure against cyberattacks is complicated, especially considering the deployment of Chinese-manufactured cranes throughout US seaports. Maritime cybersecurity demands a multifaceted approach rooted in robust cybersecurity measures and continuous vigilance. A comprehensive prevention program encompassing accurate risk management, stringent access controls, continuous threat detection, and incident response planning is called for immediately.
By prioritizing cybersecurity measures in the face of evolving threats, maritime organizations can fortify their resilience against cyberattacks, ensuring the safety and integrity of their operations and of the public at large.
While this particular incident may turn out to be a very unfortunate accident, the next one might come as a result of a cyber incident. Let’s not wait.