Logistics: Ransomware Targets Ports


July 23, 2023: Hackers that specialize in ransomware have found that many major cargo container ports have computerized their record keeping. Ports which adopted these software systems find they have a time and cost advantage over ports that still use manual systems. This caused a rush by port operators to adopt the port management software. The benefits of this software were immediately felt. It was now much easier to track the location and progress of individual containers from the container ship to the transportation company that is picking up the container and transporting it by road or rail to the customer.

Less attention was paid to the vulnerability of the new port management software to attacks by hackers. These outlaw software developers created software that could be secretly installed within the port management code and render the port management software unusable until a ransom was paid. Port managers were warned about the risks of such attacks and how they could protect themselves by promptly updating and patching their port management software as well as adding additional hardware and software to keep hackers out. The ransomware hackers tend to go after the ports with the most vulnerable software systems.

Some nations with major container ports have made extraordinary efforts to deal with port management software vulnerability. An example of this is how, for over a decade, the U.S. Coast Guard has been trying to get a better idea of what potential problems ports and large ships face from hackers. In 2013 the Coast Guard established a Cyber Command. The new CGCC (Coast Guard Cyber Command) quickly discovered that they were barely aware of the extent of the vulnerabilities they were responsible for finding and reporting on.

CGCC was responsible for inspecting large container, oil and dry cargo ships that increasingly depend on networked automation systems to run the ships. Ports also have networked software systems for rapidly identifying, unloading and moving cargo out of the port. It was only in the last six years that the shipping companies and port operators realized how vulnerable they were. In 2020 Israel attacked the computerized network that handled the management of a major Iranian cargo port, seriously disrupting port operations for several days. This was in retaliation for less successful Iranian attacks on Israeli utilities. In 2017 Maersk, one of the largest shipping companies in the world, handling about a fifth of global maritime trade, was hit with a ransomware attack. Maersk has operations in 76 ports worldwide and over 800 large container ships. The software attacks had encrypted all the network files and the hackers demanded $16 million in bitcoin for the decrypt keys. Maersk was advised it was safer to rebuild their network, a process that took ten days and cost Maersk over $200 million in losses due to delayed cargoes. A variant of that software destroys rather than encrypts files and was used by Russia against Ukraine in 2018.

Within the United States, the Port of Kennewick in Washington State was hit with a ransomware attack in late 2020. The hackers demanded $200,000 for the decrypt keys. The port refused and spent more than a month rebuilding their systems. These ransomware attacks have led to ports and shipping companies paying more attention to defenses and preparations to deal with attacks. The United States is particularly vulnerable to such attacks because maritime commerce depends on a lot of rivers with choke points. A targeted attack on ship automation systems could cause ships to run aground or sink at choke points and halt movement for days, weeks or months.

The CGCC was able to establish three CPTs (Cyber Protection Teams) in 2020 to handle inspections of ports and, eventually, ships. The Coast Guard had problems finding people who had the technical skills to handle the CPT work, and eventually offered direct commissions for qualified civilians to become officers in the CPTs without going through the usual lengthy process of becoming a Coast Guard officer.

At the same time CGCC found there was a lot more to inspect than anticipated. This was a shock because for over a century Coast Guard inspection teams have been inspecting ships and ports for problems. Twenty years ago, these inspectors noted that more ships and ports were depending on computerized systems, as was the Coast Guard on its own ships. For a while the inspections were adequate for this. Then the extent of the automation and use of worldwide networks escalated beyond anything the Coast Guard was able to handle. That led to the CGCC and the discovery that a solution to the problem was far more difficult to implement than anyone ever imagined. The port operators and shipping companies may have had misgivings about these larger and more expensive systems, but they did work and greatly reduced the cost of running ships and ports. Those who hesitated in adopting the new systems found themselves losing business.

CGCC found that they were not just facing the need to protect American ports and ships they inspected but also a new threat: deliberate cyber-attacks on ship and port networks to greatly reduce the ability to move cargo. This was a new, worldwide vulnerability in which defense was a lot more difficult than offensive use of these hacks. CGCC is trying to establish minimum standards that ports and ships must meet and that CGCC inspectors can verify. This is not a solution but it is a step in that direction because it will detect the ports and ships that are most vulnerable to attacks.

CGCC is trying to steadily improve and expand its inspections, but it is up to commercial software developers to come up with better security for the networking and control systems they sell to port operators and shipping companies.