The investigation into Baltimore’s Francis Scott Key Bridge collapse has only just begun, but we’ve already seen news reports containing an unclassified memo from the Cybersecurity and Infrastructure Security Agency (CISA) and comments from the Department of Homeland Security concerning the cause. Maryland Governor Wes Moore said he could confirm that "The crew notified authorities of a power issue," adding that the ship had lost power before smashing into one of the columns supporting the bridge.
At this time, there is no evidence that the incident was anything more than a tragic accident, but the involvement of these U.S. government agencies indicates concern about a possible cyberattack. Those concerns are highly warranted.
For some time, maritime cybersecurity has been top of mind for regional, national, and global policymakers. In February, the Biden administration issued an executive order to bolster and safeguard critical maritime infrastructure across the United States. Other countries and regions are on alert as well. NIS2, the updated Directive from the European Union slated to go into effect later this year, also addresses maritime cybersecurity. The International Maritime Organization’s (IMO) cybersecurity guidelines encourage shipping companies and vessel operators to address cybersecurity risks and implement measures to protect their assets, as do frameworks and guidelines from additional regulatory bodies.
Vulnerable Maritime Systems
The numerous operational technologies (OT) on seafaring vessels have kept pace with digital transformations in other industries. Once powered solely by onboard fuel and propelled by engines, modern ships are hybrids, utilizing a combination of solar energy and fossil fuels in concert with a variety of smart engines. Modern propulsion systems now employ multiple connected technologies that reduce fluid friction and optimize performance. But these and other technologies can be cyber-compromised.
There are plenty of onboard systems to attack. Hackers are known to intercept satellite communications used extensively by ships at sea. They can also spoof or jam GPS systems, manipulate the Automatic Identification System (AIS), steal vital data, or inject malware or ransomware into any number of onboard systems via infected devices or files.
Such attacks can throw a ship off course, and when combined with a compromised propulsion system, the consequences can be horrific.
Attacks on operating vessels aren’t the only vulnerabilities that shippers need to be concerned about. Risk starts early in the shipbuilding process. The long, complicated process of shipbuilding introduces a complex supply chain, where numerous parts and software products originating from multiple locations and a variety of international vendors become part of the ship’s essence. During production, ship components may be compromised with latent malware, as threat actors patiently wait for the right future moment to interfere with communication or navigation systems, or to exploit a remote-access backdoor to take control of the ship.
Ports and offshore facilities are also major elements of the maritime ecosystem, and they expose a collection of additional attack surfaces. Equipment and systems operating on loading docks, and even oil rigs, are inviting targets. These communicate with ships and can unknowingly share malware. Equipment and systems – from Chinese-made cranes to container-stacking machinery to drilling mechanisms – are in the hacker’s sights.
So, was this latest incident an accident or the result of a cyber attack?
Captain Jeffrey Spillane, the Dean of the School of Maritime Education and Training at the State University of New York System Maritime, expressed his expert opinion. He told one publication that the smoke and flickering lights of the 1,000-foot ship – visible in the videos of the collision with the Key Bridge – may be indicators of a loss of electricity, which could produce a sudden loss of propulsion and steering.
Also, black smoke emanating from the vessel prior to contact with the bridge could be a further indication that a significant event occurred onboard. We will have to wait for further investigation by the experts before drawing conclusions.
Consequences of Maritime Cyber Attacks
Regardless of whether this disruptive, deadly crash was an unfortunate accident or the result of a repugnant cyberattack, it highlights the potential consequences of cyber terrorism on the maritime industry. Contacting just one column of the 1.6-mile-long bridge, the ship was able to bring large portions crashing into the water and tragically end the lives of six construction workers.
The economic damage is extensive. The Port of Baltimore – one of the busiest car import/export points in the U.S. and home to some of the largest retailer distribution centers like FedEx, Amazon, and Home Depot – is shut down until further notice. Many of the 15,000 employees who work directly for the Port and 140,000 other employees supported by the Port’s ecosystem are out of work.
Safeguarding maritime vessels and infrastructure against cyberattacks is complicated, especially considering the deployment of Chinese-manufactured cranes throughout U.S. seaports. Maritime cybersecurity demands a multifaceted approach rooted in robust cybersecurity measures and continuous vigilance. A comprehensive prevention program encompassing accurate risk management, stringent access controls, continuous threat detection, and incident response planning is called for immediately.
By prioritizing cybersecurity measures in the face of evolving threats, maritime organizations can fortify their resilience against cyberattacks, ensuring the safety and integrity of their operations and the safety of the public at large.
While this particular incident may turn out to be a very unfortunate accident, the next one might come as a result of a cyber incident. Let’s not wait.