When the Coast Guard released an update to its 2015 Cyber Strategy this past August, it revealed that during the course of 2020, there were more than 500 “major operational technology cyberattacks” in the marine industry. “The threats we face from the cyber domain,” Coast Guard officials wrote, “have outpaced threats from the physical domain.”
These cyberattacks were part of an “epidemic” that included $1 billion worth of ransomware attacks last year on more than 100 federal, state and municipal agencies; more than 500 medical centers; and 1,680 educational institutions in the United States, according to testimony before the U.S. Senate Judiciary Committee in late July from Eric Goldstein of the Cybersecurity and Infrastructure Security Agency in Washington, D.C. And contrary to what many people assume, today’s hackers are not just targeting the biggest corporations and government agencies. Nowadays, the bad guys are coming after everybody.
“Most ransomware attacks generally do not use … exquisite tradecraft, but rather exploit known security weaknesses or a failure to adopt generally accepted best practices,” Goldstein testified. “Much of CISA’s efforts to mitigate ransomware are focused on ensuring that all organizations in our country understand the risks of ransomware, and providing proactive measures governments, organizations and businesses can take to prevent themselves from becoming a victim of a ransomware attack in the first place.”
Taking proactive measures against cyberattacks in general, and ransomware in particular, is what cybersecurity expert John Sileo (sileo.com) talks to business owners and their staffs about all day long. Cyberattacks can come in numerous forms, such as stealing data or using a breached computer system to launch additional attacks. Ransomware is a type of cyberattack where hackers freeze up a system, rendering it encrypted and inaccessible until a ransom is paid.
“The most immediate concern is ransomware,” Sileo says. “If you’ve seen the headlines about JBS meatpacking paying $11 million to unlock their systems, or Colonial Pipeline having 45 percent of the fuel going to the East Coast shut down for six days, these are incidents where cybercriminals have locked up and encrypted their systems. Because it’s so easy to do — you can literally go on the dark web and buy code that lets you launch this against your enemy, your competitor, anybody on the Internet, and then pay anonymously in bitcoin — it’s happening to companies big and small. It’s constant, it’s pervasive, and it’s the number one thing I’d have organizations prepare for.”
Most company owners he speaks with, Sileo says, have a false sense of security about whether their own infrastructure or products can, and likely will, fall prey to a ransomware attack, especially since all it takes for ransomware to launch throughout an entire organization is a single person clicking on an email.
“Probably 70 percent of the people affected are small- and medium-sized businesses,” he says. “We hear about the big ones in the media, but these cybercriminals will turn on a program that seeks out anyone who is weak, and the small- and medium-size businesses have less protections.”
Sileo’s best advice for business owners trying to protect against cyberattacks is to understand that defenses should be layered, with everything from substantial offsite backup files to staff-wide training programs.
“They have to train their people not to click, not to do the things that cause all of these problems,” Sileo says. “The problems are called social engineering — that’s the act of getting somebody to click on the link. People need to be trained in anti-social engineering.”
Mark Oslund, director of standards at the National Marine Electronics Association, says cybersecurity challenges are now so profound that the marine industry also needs to create jobs to address them from day one of the manufacturing process.
As consumers demand more and more on-board features that involve the Internet of Things — as the systems and devices all become more interconnected — boatbuilders have to decide which technological products they’re going to incorporate into boats. Each technological addition is also a potential entry point for hackers. Somebody, Oslund says, needs to be in charge of assessing the cybersecurity features of all those products being integrated into the boat.
“If I was a mom-and-pop boatbuilder, I’d be thinking that the integrator is just as important as the fiberglasser,” Oslund says. “I’d have an IT guy for computers in the office, and I’d have an IT guy on the floor at every stage, ensuring that the components going into the boat are the latest technology with security in mind.”
The NMEA’s OneNet standard for maritime data networking was built in keeping with this thinking about cybersecurity, he says. OneNet has a robust device/application pairing process for devices to create a secure network connection. That means OneNet certified devices must, in essence, know a “secret handshake” in order to plug and play with other OneNet-certified devices into the on-board network to function.
“You can put up fences, brick walls, shield barriers to try and dissuade a hacker from attempting to come into your system, but not every system is 100 percent secure,” Oslund says. “That’s why, when we thought of OneNet and its security, we wanted closed-network security and an aspect that when devices, when they connect to the OneNet network, for sensitive data there’s a secured pairings operation that must occur.”
As more and more cyberattacks occur worldwide, Oslund says, consumers are going to seek out these kinds of features. He envisions a mass consumer gravitation toward boats that have the kinds of technological features people want, but wrapped within the toughest layers of cybersecurity they can find.
“There’s an opportunity here for boatbuilders to offer it as service, sort of like Tesla does,” Oslund says. “If you buy a Tesla, there’s a level of connection between the car and the company. Tesla knows what that car and that customer are doing, and they’re using that information to build a better car. How do you prevent that car from being hacked? Tesla has deployed several layers of encryption, so it’s less advantageous for hackers to try to attack.”
Indeed, Sileo says, the hackers who shut down Colonial Pipeline used what was, at its core, a basic combination of ransomware and the Internet of Things. “It’s no different from shutting down every boat in somebody’s fleet,” he says. “It works for any business.”
All in all, Sileo adds, owners of small- and medium-size marine businesses need to be evolving their thinking about cybersecurity needs sooner rather than later. “If you think about it in advance, you tend to think, Wow, it’s going to cost so much to hire these people and implement this system,” he says. “But the costs on the back end, the reputation damage, it just destroys small businesses. Should you invest $10,000 now or have a $1 million problem on the back end?”
This article was originally published in the October 2021 issue.