Ransomware hackers could hit U.S. supply chain, experts warn
The global supply chain, where goods are shipped all over the world, is already stretched thin thanks to a year and a half of operating during a pandemic. It really doesn’t need hackers mucking things up further.
But experts warn that the $100 billion shipping industry — especially the heavily computerized ports that receive cargo ships, as well as the ships themselves — is a ripe target for ransomware attacks. And the U.S. shipping industry is already backed up, as the coronavirus pandemic has caused a backlog with Americans ordering more goods to their homes than ever before.
Ransomware can hamper practically any organization that’s connected to the internet: Schools, hospitals, manufacturers, city governments and police departments are all frequent targets. But the shipping industry, more than most, relies heavily on the interaction between a number of different digital systems, from ports and cities to individual ships and the companies that own them.
That makes shipping particularly susceptible to cyberattack, said Rear Admiral John Mauger, the Coast Guard’s assistant commandant for prevention policy.
“This is an industry that relies on free flow of information,” Mauger said. “And as such, they are vulnerable to disruptions because of ransomware attacks.”
Ransomware, a criminal enterprise where a hacker or hacker group will encrypt a victim’s computers and demand a payment to restore them, has surged in recent years. But only in June, with the hack of a major U.S. oil pipeline, did the worry that ransomware could interrupt critical infrastructure take hold.
The White House has expressed particular concern about ransomware attacks on critical infrastructure, issuing an executive order mandating such companies adopt some basic cybersecurity standards and asking President Vladimir Putin to rein in hackers in Russia, where many ransomware operators live.
But so far, at least some hackers don’t appear to have gotten the message. At least five U.S. health care facilities — which, like the shipping industry, are among the country’s 16 categories of critical infrastructure — have been hit with ransomware since June.
In recent decades, shipping ports have become significantly more reliant on robotic operations and digitized inventory rather than human labor. That, coupled with the enormous value of goods that go through ports, makes them ripe targets for ransomware, said Nina Kollars, associate professor of strategic and operational research at the U.S. Naval War College.
“It keeps me up at night,” Kollars said. “Most of those systems weren’t designed with the notion that somebody was going to try to mess with them. Wasn’t part of the calculus.”
Knocking a port offline can slow its normally extremely efficient operations to a crawl, she said.
“If I had to use a paper manifest — if I had to walk over to a crane operator who wasn’t assisted by a computer in some way, if it wasn’t all being tracked by barcodes and scanners — it would take excruciatingly long to load those ships,” she said.
Ransomware attacks on ports are already happening. Ports in San Diego and Barcelona, Spain, were hit with minor ones in 2018. In July, hackers locked up Transnet, a South Africa-owned company that oversees operations for the country’s major seaports. A ransomware attack halted operations at four of the eight ports. While many of the company’s computer networks were quickly restored, it led to rolling delays that pushed back some shipments by weeks.
In one case, the effects were devastating to the industry. In the summer of 2017, hackers later traced to Russian military intelligence unleashed a malicious program called NotPetya, believed by many experts to be the most destructive cyberattack of all time. It locked up files, spread to as many computers as it could and demanded a payment, but the hackers didn’t actually build in a way for victims to recover their files.
NotPetya was targeted to disrupt Ukraine as it prepared to celebrate Constitution Day, a national holiday, but it quickly spread around the world, infecting the Danish shipping giant Maersk. Several Maersk ports were infected, too, including one in Elizabeth, New Jersey, which was paralyzed for several days.
Ultimately, the attack cost Maersk an estimated $300 million, and the company took two weeks to resume operations at full speed.
For most ransomware hackers, their criminal enterprise is akin to a business. A leaked manual for one major group, for instance, detailed that the first step in any operation is to Google for a potential victim’s revenue and to adjust their financial demand accordingly. Some make a deliberate attempt to target businesses that need to get back online immediately, like hospitals.
That’s why ships at sea, each of which can carry a billion dollars’ worth of food, retail goods or fuel, can be such tempting targets for ransomware criminals, said Dave Burke, the chief engineer at Fathom 5, a cybersecurity company that specializes in the maritime industry.
“My concern has been those with valuable enough cargos for people to start to look at,” Burke said. “They’re definitely a high-value target.”
To date, most ransomware attacks on infrastructure companies have only hit their business networks, rather than the networks that are used to actually run machinery. But if a hacker were to make that jump, they could find themselves with enormous power to disrupt or even halt a cargo ship at sea, Burke said.
“If you get down to the internals at the industrial controllers — steering, or the generators, targeted propulsion — there really is no security,” he said.
“They were designed in a lot of cases with the assumption they were separate from the rest of the network on board the ship,” he said. “But we are continually seeing systems that are cross-connected.”
Historically, there’s been little standardized guidance forcing cargo ships to protect themselves from hackers. In March, the Coast Guard issued updated cybersecurity guidance for commercial ships entering or leaving U.S. ports, with the goal of reducing the risk of such an attack.
But still, enforcing cybersecurity standards for multinational ships coming from around the world is an enormous task, Kollars said.
“I can’t imagine that international companies are going to be in a real hurry to comply,” she said.