Cyber Breaches of Maritime Transportation System Caused by Stovepiped Software Designs, Expert Says

December 20, 2021 4:48 PM
An MH-65 Dolphin helicopter crew based out of Air Station Kodiak and deployed aboard Cutter Alex Haley, prepares for a helicopter in-flight refueling at sea evolution with the cutter crew during a search and rescue case near Dutch Harbor, Alaska, Wednesday, Dec. 30, 2020. US Coast Guard Photo

Cyber attacks on the global maritime transportation system – like last month’s breach at the port of Houston – should not be considered a digital Pearl Harbor surprise, a leading security expert said last week.

Gary Kessler, of the Cyber Statecraft Initiative, pointed to a known problem of stovepiped software designs as a reason for why these types of breaches happen.

Speaking at the online Atlantic Council forum last week, Kessler asked rhetorically “why is the hacker community running circles around the software engineering community” in these breaches. He laid the responsibility on software engineers “not thinking through their designs” and how one design will work with others on extended networks.

Other panelists added that senior executives also need to be actively involved in seeing these systems as critically important to profitability, not just as routine accounting functions or personnel management.

Those networks extend to basic infrastructure – from telecommunications to electrical power to rail and road transportation on land. All are vulnerable to major security ransomware strikes like May’s attack on the major energy distribution system for the East Coast, Colonial Pipeline.

Complicating matters in the maritime transportation system in protecting its thousands of networks are “too few professional mariners” and “too few cyber professionals.”

Sean Kline, director of maritime affairs at the Chamber of Shipping of America, added that as an American mariner “you’re training constantly” to retain certification and advance. He noted companies also require more training to meet their specific requirements and those requirements differ between firms.

“Giving them a 20-minute video” on cyber security may check off a requirement box, but “is not addressing the core of the problem,” which can be found often in a business’ digital practices ashore.

Coast Guard Rear Adm. John Maugher, assistant commandant for prevention policy, said the service was “very sensitive [to] how much training we put on them [mariners]” ashore and afloat. He added the Coast Guard is stressing to maritime companies the risks they are accepting in having poorly designed software.

The idea is “getting [senior executives] to the understanding” that by accepting this situation as is, the decision “affects the bottom line.” He said particular attention must be paid to systems involving the ship’s stability, monitoring of cargo climate controls and navigation.

“We have to realize these attacks are going to happen” and there needs to be built in resilience and procedures and practices to restore system.

Maugher said the Coast Guard has made “cyber security an operational imperative” for its own networks and also extended that knowledge and experience into the private sector through its cyber protection teams.

He added those teams work with businesses not only in developing plans to improve cyber security but more importantly are “assessing … how well it is doing” in real-time.

Cyber security “is not a back office, IT function,” Maugher said. Cyber is also a national security issue, since 25 percent of the nation’s gross domestic product moves through the maritime transportation system.

Josie Long, cyber security consultant at MITRE corporation, said her work with industry includes identifying what functions are vital to their operations and must be hardened. What also is needed is business leaders recognizing across the private sector that it is to their benefit to have cross-pollination of best practices.

In keynote remarks at the forum, Sen. Angus King (I-Maine) said “we have to re-think our ideas of international conflict” when dealing with cyber actors by nation states, terrorists or criminals. He said “85 percent of the target space is in the private sector.”

King called for governments to do more “red-teaming” of problems jointly at all levels and with the private sector, including information sharing of what works and acknowledging breaches.

All sectors need to “realize [cyber strategy and plans] must constantly be updated,” he said.

The senator noted the disruption in international trade when operators lost control of the 20,000-ton Ever Given that closed the Suez Canal for a week in March and its impact on global economies during the pandemic.

With autonomous vessels on the horizon and a growing use of unmanned systems, the risks are growing.

“You’re going to have to have some remote connection” to them for a host of functions from navigation onward and that connection would be vulnerable “to bad actors,” Kessler said.

Kline said members of the chamber have “just ID’d what was missing” in terms of cyber security for autonomous vessels, “but not what to do.”

He doubted whether ocean-going merchant vessels in the immediate future would be truly autonomous. But these vessels “might be drastically different than the 20ish we have aboard now.”

John Grady

John Grady

John Grady, a former managing editor of Navy Times, retired as director of communications for the Association of the United States Army. His reporting on national defense and national security has appeared on Breaking Defense,,,, Government Executive and USNI News.

Get USNI News updates delivered to your inbox