Recently, a boatbuilder reached out to our team at Cherry Bekaert because an external-facing system with vulnerabilities had allowed an assailant to get inside the manufacturer’s network. The assailant already had gained access to confidential data, trade secrets and artifacts when things escalated to an even more severe disruption through a ransomware attack.
This is every company’s cybersecurity nightmare. We needed to control the damage by detecting, responding to and recovering data from the incident. Once everything was contained and controlled, our team worked on lessons learned to mitigate these risks and further develop the manufacturer’s incident response program. We created an IT modernization assessment and plan, including upgrades to network systems and a cloud migration. We also simplified and hardened the IT and security compliance controls.
Of course, life would have been a lot easier for this manufacturer if the assailant had been unable to get inside from the start, but marine businesses are just as open to cyberattacks as all kinds of other businesses in nearly every industry. These attacks can hit even the largest companies that have defenses in place; in August, Bombardier Recreational Products, a company with a $6.14 billion market capitalization, reported a cyberattack that compromised confidential employee and supplier information, which then was uploaded to the dark web.
Companies in the marine industry generally are not the size of Bombardier, of course, but they do generate a huge amount of data and are heavily reliant on intellectual property to gain a competitive edge. That’s why marine businesses have become an increasingly attractive target for adversaries aiming to seize that information and use it to commit fraud, disrupt operations and extort large sums of money.
It’s also why the time is now to put defenses in place and to reinforce the defenses that are already there but are fast becoming obsolete.
Ashore and On Board
It’s tempting to think that ransomware attacks and other cyber threats apply only to the technology systems and processes that tend to power operations onshore. Indeed, the leaders of many marine companies may feel they are protected by the absence of a direct connection between the onboard systems they produce and the broader company network.
Not so. Many vessels employ satellite or some other form of wireless communication, meaning these companies are still susceptible to a cyberattack. Malware can infiltrate through operational technology (hardware and software), the Internet of Things, and USB or mobile devices. Hackers may also be able to attack specific technology on board, such as these operational technology and Internet of Things systems.
For example, if someone connects an infected laptop to a vessel’s devices, the malware from that laptop can spread to the vessel’s devices, too. These devices may then act as an entry point to an interconnected charter or rental fleet, as well as to other corporate systems that hold sensitive or confidential information.
And, of course, the more critical a piece of intellectual property is to business operations, competitiveness or even human safety, the higher the subsequent ransomware demand will be.
Cyberdefense In-Depth
Marine industry participants must accept the fact that they cannot eliminate the threat of being subject to a cyberattack. That’s the bad news. The good news is that they can take steps to mitigate their level of risk by establishing a robust cyber and data governance program.
This program should be based on a thorough risk assessment of overall IT operations, as well as the operational technology and Internet of Things technologies that are used throughout their operations. This assessment should include all installed electronics that rely on over-the-air software updates that route through company servers in one way or another.
Once a company has identified and understands any potential vulnerabilities, management then needs to create proper policies, procedures and technical cybersecurity controls to provide in-depth defense.
These policies, procedures and controls may include network and system segmentation, strong access control, and identification protocols (including multifactor and/or privileged access management). All of these tools can help organizations identify, protect, detect, respond to and recover from cyber incidents.
Good examples are the ISO/IEC 27001 (information security management standards) and the National Institute of Standards and Technology cybersecurity risk framework. Both of these tools can be accessed online, and can be voluntarily used by critical infrastructure owners and operators. They also can be adapted to meet specific guidelines and standards for the marine industry.
Beyond installing cybersecurity solutions and protocols, there are several other steps marine companies can take to mitigate the effects of any security breach, and loss of intellectual property and critical data, including robust incident response procedures and conducting a full business impact assessment. These steps help businesses respond to incidents and understand the potential consequences of a successful attack. Having this information can assist companies in the development of plans to isolate systems containing restricted intellectual property while promoting business continuity.
Educating owners, operators, employees and crew is also vital when defending against cyber and intellectual-property threats, to ensure that all people involved can respond quickly and appropriately in the event of an attack. All vendors, partners and suppliers should also undergo a rigorous evaluation of their own security programs and procedures before being granted access to the network or other systems.
An Ongoing Voyage
Companies must secure the buy-in of leadership to maintain and upgrade their cybersecurity programs and solutions on an ongoing basis, in line with the evolving tactics of adversaries. Every solution that is deployed needs to be constantly monitored for new security patches, updates and strong encryption technologies that can help keep intellectual property protected — even if that property is properly segregated.
After all, cybercriminals are only too aware of how costly the exposure of design assets, product patents, research and development data, and more can be for marine companies. The bad guys invest considerable time and energy in finding more sophisticated and innovative ways to seize that information to extort. Marine companies that succeed in the future will be the ones that invest the same amount of effort into staying one step ahead.
Steven Ursillo Jr. is a partner and national leader of Cherry Bekaert’s information assurance and cybersecurity practice.
This article was originally published in the October 2022 issue.
