U.S. Coast Guard Issues Safety Alert Following Cyber Incident - Beeping Computer
The U.S. Coast Guard issued a marine safety alert including cybersecurity guidance following a cyber incident experienced by a deep draft vessel during February which affected the ship’s entire network.
An investigation conducted by an interagency cyber analysis team led by the Coast Guard “concluded that although the malware significantly degraded the functionality of the onboard computer system, essential vessel control systems had not been impacted.”
Despite this, the interagency team discovered that the ship impacted by the cyber attack did not have effective cybersecurity measures to counteract such attacks, thus exposing “critical vessel control systems to significant vulnerabilities.”
Good, now let’s take this as a reminder to limit systems integration to where it’s needed.
There are no reasons to have mission critical systems and personal computing platforms on the same network, except for the flimsiest resource rationalization and cost cutting excuses. Even the Coast Guard seem to have grasped that network segregation is in order, take the first bullet point in their advisory:
• implementing network segmentation to “make it harder for an adversary to gain access to essential systems and equipment,”
Every now and then, viruses come along with such effective infection vectors that entire networks go down, and even though most of those are e-mail borne these days, sooner or later we’ll have one that transmits on a low level protocol. When that day comes, he who doesn’t have his autopilot running on a MS window platform with virtual NMEA over ethernet will laugh all the way to port, while the rest of us steer by hand.
Seriously, what with all the bureaucratic safety BS in the wind, it’s high time someone made network segregation a class requirement.
From what I have read, the infection came from a memory stick carrying the cargo plan. This method of transferring data is so common in the industry yet there are very few controls we have at our disposal when some stranger walks aboard with one. I feel the same way when a class surveyor asks to print a report for them off of one of their sticks. A good start would be a dedicated cargo computer with no ties to the on board network at all. I think some companies do this, but not mine.
As with everything on a ship this is a matter of cost. Maybe a clear cut incident like this and the recommendation of the Coast Guard to step up security measures is enough to convince some companies to make the minor expenditure for a single computer, or better network security measures, but I’ve been here long enough to have my doubts.
Convenience trumps everything until somebody loses an eye. I wonder how Maersk feels about this sort of thing.
Why I’m so happy to be retired:
The Modern Tech Stack
(If your nerd quotient is insufficient to get the joke, tech stacks are explained at the beginning of this essay.
Basically it is a simplified dependency chart, where upper level functions are dependent on lower level ones.
Thus ends the first and last lesson on the state of computer security today.
From MaritimeLink July 9: