The Nation’s First Maritime Cyber Security Symposium, Organized by CCICADA and AMU, Focused on How to Protect the Maritime Transportation System
Read related articles:
High-level experts on cyber security and the maritime transportation system from around the country and the globe met at Rutgers University this month to discuss how to protect one of the nation’s most critical infrastructures: its maritime transportation system, which includes 360 ports that account for 95% of US trade and $1.3 trillion in economic activity.
The March 2-3, 2015, Maritime Cyber Security Learning Seminar and Symposium was organized by CCICADA, the Rutgers-based homeland security research group, and the American Military University. It is believed to have been the first national symposium on this topic.
Speakers from industry and government conceded that we are, for the most part, totally unprepared to deal with existing and emerging cyber threats from criminals, terrorists and nation states that could shut down large pieces of the country’s critical maritime transportation system in the blink of an eye.
The goal of the symposium goal was to start a national dialogue at all levels of government, industry, and academia on how to identify those threats and develop strategies to mitigate them. To jump start the conversation, US Coast Guard Vice Adm. Chuck Michel, a keynote speaker, publicly shared for the first time details of a proposed USCG strategy on the Coast Guard’s role in defending cyber space.
Especially over the past 20 years, Michel and other symposium speakers said, government agencies and whole industries have focused their attention on the development of ever faster and more automated computerized machines and systems, all digitally networked in cyber space. Meanwhile, the “enemy” has focused its attention with equal intensity on how to exploit the growing vulnerabilities of these networks.
These vulnerabilities go far beyond the theft of personal information from ordinary citizens by hackers who breach the computer networks of large banks and stores.
They now include real instances of cyber-attacks that have shut down and/or damaged ports, ships, oil rigs and cargo handling systems. These attacks have taken control of automated machinery, degraded it and in some instances destroyed it.
Cyber Attacks Real
“Maritime cyber security is not in the news a lot today,” said Professor Fred Roberts, director of CCICADA, the US Department of Homeland Security University Center of Excellence that hosted the event. “But we’ve seen enough events to make us worry about the maritime transportation system.”
Clay Wilson, director of cyber security studies with the American Public University System, said government and industry are often ignorant about the vulnerabilities of the networked, mission-critical computers and equipment at the heart of their operations.
“We need MORE THAN technology to protect us,” Wilson said. “We need to have people of all industries come to the table and talk about technology, our vulnerability and what we can do to protect ourselves.”
Wilson, who helped organize the symposium, cited the dramatic example of skilled hackers who took control of a German steel mill’s production network, causing massive damage to the mill’s blast furnace.
30,000 Dead Computers
“The (cyber) threat is very real. These intrusions and attacks are taking place very minute and every second of every day,” said keynote speaker Rear Adm. Marshall Lytle, assistant commandant responsible for US Coast Guard Cyber Command. Rear Adm. Lytle cited the example of a malware attack on Saudi Aramco, one of the world’s largest oil producers, which “turned 30,000 (networked) computers into paperweights.”
Big container ships and cargo ports are especially vulnerable. “Most modern container ships totally rely on computer networks. Nothing happens …without bits and bytes making it happen,” Lytle said.
He said port security used to be all about “guns, guards and gates.” Now, operations at large cargo ports are controlled entirely through computers, modern technologies like GPS, WiFi towers, and Internet connections. (See Lytle’s condensed remarks.)
These comments were echoed by Steve Caldwell, who wrote a GAO report on the lack of awareness of and attention to maritime cyber security issues. He said maritime transportation system secure efforts have focused almost exclusively on physical security.
For example, an attacker could use a simple, inexpensive and easily purchased GPS jamming device to shut down operations at a major US port, wreaking economic havoc. The ability of hackers to remotely control port operations is the new “hole in the fence” of port security.
In one real-world example, Lytle said, drug gangs were able to smuggle entire container loads of cocaine through Antwerp, one of Belgium’s largest ports, after its hackers breached the port’s IT network.
Symposium speakers said cyber vulnerabilities are magnified by our increasing reliance in all aspects of our work and lives on the Internet of things—from smart phones to highly automated ports and container ships—which are interconnected in a ubiquitous digital world that moves at near light speed.
Dr. Phyllis Schneck, the DHS Deputy Under Secretary for Cyber Security, who gave the symposium’s final keynote, talked about the need to work at the speed of cyber adversaries, who have no lawyers and “infinite money.” This requires us to build “immune systems” to protect networks from unknown threats and to develop real-time machine-to-machine communications.
The more we rely on automated cyber machines, and the less we rely on human control and intervention, the more vulnerable we become, observed Professor Dr. Mark Hagerott, who has written extensively on the subject. Hagerott is Deputy Director of the Center for Cyber Studies at the US Naval Academy.
Especially in the area of human warfare, greater automation creates greater risk. “If machines can control the sensing-thinking-reacting process entirely,” asked Hagerott rhetorically, “will warfare move at such speeds that humans will be left out of it?”
In the event of a stalemate between the automated war machines of two nation states, he said, we better have a backup plan and preferably one run by people “who can manually debug and restore the system faster than the other guy.”
Tony Cole, vice president and Global Government CTO with the cyber security consultant FireEye Inc., said cyber-attacks are not a matter of if, but of when.
“You will get breached. You will get breached,” warned Cole, as if speaking to the entire world of networked people and things.
Cole said cyber attackers, be they terrorists, criminals, or nation states, are “professional, organized and well-funded. If you kick them out, they will return.” A new reality, he said, is that these actors “are going after entire governments, entire industries.” Another reality is that nation-state hostilities now begin in cyber space, often as a prelude to physical conflict.
A FireEye cyber-attack research report found that it took victim organizations an average of 205 days to discover that their digital networks had been comprised. And a vast majority of these organizations had up-to-date security software and architecture in place.
An important principle of cyber security emerged from these discussions—the principle of resilience. “If an attack occurs, degrading or disabling a network, what then?” asked Professor Steve Flynn, Co-Director of the George J. Kostas Research Institute for Homeland Security at Northeastern University. How should the organization or agency respond? What’s the backup plan? The answer is to build resilience. He said a resilient-centric approach to cyber security aims to reduce the “intent” of adversaries and elevate the capability to respond.
Essential steps in the mitigation of cyber-attacks are to identify network vulnerabilities and then to develop and implement strategies for network protection. A third essential step is to build resilience by developing backup plans to manage an all-but-inevitable attack.
Modern Ships Vulnerable
Nowhere is the challenge of building resilience more apparent than in the large, modern ship.
Modern ships are at the mercy of their central “brains”—highly automated and networked communications, navigational and operational systems that can literally run the ship without human help. The problem with these brains, explained maritime cyber security expert and former ship captain Peter Crain, is that they are exceedingly vulnerable to cyber-attacks.
One such vulnerability is an overreliance on GPS systems, which use satellite-signal receivers to determine a ship’s position and plot its course. Sophisticated hackers can easily spoof or jam a ship’s GPS system. This would throw a ship off course while making it appear to be on-course, leading to disastrous events like collisions and groundings.
In their search for resilience in modern ships, many cyber security experts are looking backward, not forward.
The US Coast Guard and other agencies are discussing the resurrection of a World War II radio technology called Loran to back up failed GPS systems.
“GPS systems are at the heart of modern navigation, modern port operations, and even the positioning systems for oil rigs, and there have been numerous examples to illustrate the damage that can be done by spoofing or hacking them,” said Professor Fred Roberts, Symposium chair from Rutgers University.
An updated version of that technology, called eLoran, relies on low-frequency, land-based radio signals to plot a ship’s position. ELoran is still in the early stages of development and adoption. Capt. David Moskoff, a US Merchant Marine Academy professor, said eLoran complements GPS. Speaker Dr. Paul Williams of the General Lighthouse Authorities of the UK and Ireland, whose organization’s experiments led the UK to adopt eLoran as a GPS backup, reinforced this observation.
But even if eLoran is widely adopted as a GPS backup on modern ships, what if it fails because the radio network itself is compromised? What then?
19th Century Solution
Modern celestial navigation, discovered in 1837, could be one answer. The beauty of this technology is its simplicity. It relies on the skills of a single well-trained individual using a hand-held instrument called a Sextant.
To plot a ship’s position at sea, the celestial navigator spends long hours observing the relative positions of the planets and stars with his sextant. Then he completes 22 mathematical calculations, a tedious process. In practiced hands, however, this ancient technology can reliably do the job.
Ironically, the US Naval Academy Academy stopped teaching celestial navigation in 1998 due to the greater accuracy of modern GPS systems. Naval Academy Professor Hagerott explained that cyber-attacks were not the threat they are today when this decision was made.
No doubt the US Naval Academy will debate the merits of returning celestial navigation to its curriculum in the months to come.
If it does, this will be one small reverberation of the global conversation on maritime cyber security inspired by the CCICADA/AMU symposium.