Addressing maritime cyber threats.
Dave Bittner: It's March 6, 2024, and you're listening to Control Loop. In today's OT cybersecurity briefing, NIST releases the Cybersecurity Framework 2.0, the Biden administration issues an executive order on maritime cybersecurity, a suspected Chinese threat actor continues to exploit Ivanti vulnerabilities, ThyssenKrupp sustains a ransomware attack. Our guests are Liz Martin, global advisory solutions architect at Dragos, and Blake Benson, senior director at ABS Group, talking through the latest Maritime Executive Order. The Learning Lab is taking a break but will return soon. [ Music ] The National Institute of Standards and Technology (NIST) last week released version 2.0 of its Cybersecurity Framework. The updated version has an expanded scope that goes beyond protecting critical infrastructure, such as hospitals and power plants, to all organizations in any sector. It also has a new focus on governance, which encompasses how organizations make and carry out informed decisions on cybersecurity strategy. The CSF's governance component emphasizes that cybersecurity is a major source of enterprise risk that senior leaders should consider alongside others, such as finance and reputation. Katherine Ledesma, head of Public Policy and Government Affairs at Dragos, commented, "Although the CSF 2.0 identified that functions, categories, and subcategories are intended to be broad enough to apply to both information technology and operational technology environments, as the dialogue around the CSF and related guidance continues, we will see specific attention paid to the distinct approaches needed to protect ICS and OT, given the unique purposes of and risks to those types of systems. This includes continuing to update documents such as the Guide to Operational Technology Security, and also incorporation of these concepts into broader planning and guidance documents."
President Biden last month signed an executive order designed to increase the Department of Homeland Security's authority to address maritime cyberthreats. Anne Neuberger, deputy national security adviser for Cyber and Emerging Technologies, said in a press briefing on February 20th, "This executive order will give the Coast Guard the authority to respond to malicious cyber activity by requiring maritime transportation vessels and facilities to shore up their cybersecurity and institute mandatory reporting of cyber incidents. The Coast Guard will also issue a notice of proposed rulemaking to establish minimum cybersecurity requirements that meet international and industry recognized standards to best manage cyber threats." The administration will also invest $20 billion into US port infrastructure over the next five years, much of which will go toward replacing Chinese-made cranes. Neuberger stated, "As part of that, PACECO Corporation, a US-based subsidiary of Mitsui E&S, is planning to onshore domestic manufacturing capacity for American and Korean production for the first time in 30 years, pending final site and partner selection." CNBC quotes a senior administration official as saying, "Approximately 80% of the cranes used at US ports were manufactured in China and run Chinese software, potentially opening them to surveillance or attacks." Mandiant says the China-aligned threat actor UNC5325 continues to target vulnerabilities affecting Ivanti VPN appliances. The researchers state, "UNC5325 is a suspected Chinese cyber espionage operator that exploited CVE-2024-21893 to compromise Ivanti Connect Secure appliances. UNC5325 leveraged code from open-source projects, installed custom malware, and modified the appliances' settings in order to evade detection and attempt to maintain persistence. UNC5325 has been observed deploying LITTLELAMB.WOOLTEA, PITSTOP, PITDOG, PITJET, and PITHOOK."
The researchers believe UNC5325 is connected to UNC3886, another suspected Chinese cyber espionage actor that focuses on technology and telecommunication organizations and the defense industrial base in the US, Asia-Pacific, and Japan. German steel production conglomerate Thyssenkrupp has confirmed that its automotive division sustained a ransomware attack in February, SecurityWeek reports. A Thyssenkrupp spokesperson said the attack failed, but the company disconnected systems as a precautionary measure. The incident caused production to shut down at the company's Saarland-based plant. ThyssenKrupp said in a statement, "Our Thyssenkrupp Automotive Body Solutions business unit recorded unauthorized access to its IT infrastructure last week. The IT security team at Automotive Body Solutions recognized the incident at an early stage and has since worked with the ThyssenKrupp group's IT security team to contain the threat. To this end, various security measures were taken and certain applications and systems were temporarily taken offline." [ Music ] Following President Biden's maritime executive order, I got together with Liz Martin, global advisory solution architect at Dragos, and Blake Benson, senior director at ABS Group, for their insights on the order.
Blake Benson: The big thing about the new executive order, it was kind of bucketed into a couple items in the release. One thing up front is that it allows DHS and primarily through the Coast Guard to directly address maritime cyber threats. And they say that that's through, you know, cybersecurity standards for America's ports and networks and systems to make them more secure. But the Coast Guard has had the cleanest tie to authority because of the Maritime Transportation Security Act and some other congressional authorities that are unique to the Coast Guard. So they have always had responsibility over these areas, but it was not specific to cyber. So they've expanded these. Largely part of the EO and the notice of proposed rulemaking was for the Coast Guard to expand that guidance to cover cyber, or that authority to cover cyber, rather.
Dave Bittner: Well, so given that it's the Coast Guard who's going to be heading this up, to what degree do we feel as though they are prepared to take on this mandate?
Blake Benson: Yeah, it's interesting, it's an interesting question. I work with the Coast Guard often, am a former cyber operator myself in a uniform component. And so certainly have a good understanding and intimacy with kind of the cyber operations that the Coast Guard's currently conducting. And they punch well above their weight class. But, you know, I think authority without capacity is a real thing. It's difficult to do that. And the Coast Guard's been, you know, relatively underfunded. Their cyber resources, although lots of effort has been placed on increasing those, it's difficult for any component to recruit and get people engaged, you know, in the time that we live in right now. And so I think they struggle with the same things that Navy and Air Force and everyone else are struggling with to get cyber talent. But they are a very competent and very lean force, but they need to be better. I think it would be great if the Coast Guard was better funded and better resourced to get more capacity there.
Dave Bittner: Liz, what do you suppose the impact is going to be here of this executive order?
Liz Martin: I think it's going to force the Coast Guard to have to look holistically across their organization to understand from a people, processes, and technology standpoint and a solutioning standpoint, what types of outcomes they're looking to achieve to get to a place where they are achieving some of the things that have been outlined in the executive order. And some of the things have been covered in the congressional hearings as of yesterday on overall port security. And as Blake mentioned, they are a small but mighty team, truly looking to punch above their weight class, as he said. And they have, I think, the capacity and capability to do so, with more sort of appropriations and funding needing to be dedicated to the problem set that they're ultimately looking to tackle there.
Dave Bittner: What is the general understanding of where we stand when it comes to the security of our ports?
Liz Martin: There's a couple of factors there. And, Blake, feel free to chime in after I go forth here. But one of the biggest things that we're at least seeing from a threat perspective is really the overall supply chain risks there. Obviously, the sort of emphasis has been on the cranes at ports, those components within those cranes that are coming from places like China. So given these sort of supply chain risks there, there's been a lot of emphasis placed on that. But the sort of larger, bigger picture that I think a lot of people don't quite look at here is these ports are made up of many different sorts of critical infrastructure components -- so things that we're used to seeing in electric, things that we're used to seeing in transportation and logistics environments, as well as things that we are used to seeing in oil and gas environments. So there are a lot of common devices and protocols that span across those ports, which really increases the sort of threat surface and target for any potential threat group or adversary to want to be able to go after.
Dave Bittner: Blake?
Blake Benson: Yeah, absolutely. And to add to that, I think the approach -- I mean, the CO, and not to punch down on my own people given that I do support the government in some strategic decision-makers and the, you know, kind of risk policies and strategies that make up some of these. And not to punch down on cyber people, because I'm one of those. But in general, I don't think many people from traditional cyber backgrounds understand how to communicate risk effectively. And because of that, if you asked anyone in the US government, not just in the Coast Guard or otherwise, what we should prioritize from a cybersecurity perspective in these port environments, you would get a lot of blank stares and faces. And that's not unique to this, it's made more impactful because of the depth and breadth of the stakeholders at these ports. To Liz's point, like the variety of stakeholders that exist in any given port and the differences between them is just really vast and disparate. So a national top-down policy to address this ocean is going to be very difficult to implement.
Dave Bittner: Does the executive order provide any clarity on setting those priorities?
Blake Benson: They do, although potentially misguided based on prevalence. If you were to ask industry, I think that's what they would say. Because a threat and a vulnerability in this space does not automatically equal a consequence. And that should be made clear. And I think that's what industry is going to push back on the most. A large portion of the notice of proposed rulemaking and the press release and even to Liz's point, the congressional committee hearing that was yesterday or two days ago, whichever day that was. But the biggest thing with that is, they don't understand -- like to be able to report a cyber incident, you're assuming that these owners and operators have the maturity to be able to actively identify a threat or a vulnerability that is currently existing in their platform or operation, and the reality is that they don't. So yeah, some of the areas of emphasis are, in my opinion, probably misplaced. And I think that kind of assumption of the level of maturity of some of the stakeholders and their OT cybersecurity programs is a little bit misguided.
Dave Bittner: Liz, what are your insights when it comes to that?
Liz Martin: To add to what Blake just noted there, I think what needs to be emphasized, yes, of course there's threat, there's vulnerabilities, and as Blake said, not always a consequential impact. The larger piece that's missing here is the visibility aspect; it's understanding what is actually at these various ports -- what types of devices, the vendors, the protocols -- and then from there trying to understand are there potential threats and vulnerabilities based on the visibility that they're getting into those environments, to be able to judge whether there will or won't be consequential impacts, and informing that with various sort of forms of threat intelligence and understanding what's being seen across the threat landscape in the space. And I just think that's a key component that's missing today. Where we do know that there are Coast Guard personnel that help and work with the port entities from the civilian standpoint, to be able to sort of wrap their hands around that problem. But there's a key component missing in that, again, the visibility aspect. I've had a couple conversations with a few port owners where their IT teams are insisting there is no OT to be concerned about. And that's a huge problem if you have ports saying we don't have OT to be concerned about, and you have maybe one or two individuals -- because it's usually not a large team at those ports -- from the OT security team insisting that there is a critical issue here, there is a gap in visibility, we know we have OT infrastructure, or else we wouldn't be having any type of conversation around this. So there's a big education piece as well tied to that visibility aspect.
Dave Bittner: Yeah, that's really interesting insight. You know, when we talk about critical infrastructure, one of the things that I've learned is that there is a tremendous amount of diversity, generally, you know, a lot of this stuff are one-offs. And I'm curious, to what degree does that apply to the maritime space too? Or how much does one port look like another and function like another, and how much variety is there where they are really different from one another?
Blake Benson: Yeah, 100%, you're right on point there. Like to break it down from the start, it's like, you know, one of the questions you should ask is like, what is that analysis of our nation's most critical functions in these port facilities? How do we know what cyber dependencies exist? And how do we know how to hunt those threats that impact the vulnerabilities within our most critical kind of cyber-enabled functions or dependencies that drive those critical port operations? Do we have intelligence requirements that are driving collection activities in these environments to help inform that threat? And more importantly, are our uniform Coast Guard operators able to perform, you know, hunt activities in the networks on these pre-identified threats at scale? I go back to like defending the ocean is probably not an effective strategy. And part of that is this kind of method of prioritization where there needs to be some real risk work done to identify what that is from a top-down, you know, port-to-port comparison analysis to determine what systems and components are most important to those operations that would cause, you know, significant economic impacts and detrimental effects to what is, quite honestly, our kind of economic highway, right?
Dave Bittner: Yeah. Liz, as you look at this, in your mind, what would be a potential pathway for success here? Is there a framework that you think would be most effective?
Liz Martin: Yeah, absolutely, and great question. I definitely think it's a large problem set to try and tackle and put a framework around. And I definitely think there's a path for there to look at this as, you know, foundationally, what are they trying to do, defend here at these ports? And what are they trying to defend against? And it's sort of what Blake just mentioned here, is the notion of, we have an idea of what these threats are, but do we actually know what devices are we trying to protect against those threats? And again, hitting back towards that key component of visibility, which I'll just continue to harp on because it's a critical component to this overall equation and figuring out what a framework could look like overlaid on top of this problem set. I'll also add, and, Blake, feel free to add to this as well, you know, some of the key things that have been missing traditionally across the maritime space is being able to not just look at it from a physical security standpoint -- which has been very like the traditional way of looking at things -- but also factoring in those cybersecurity components. And we've had frequent conversations, Blake and I, about, you know, MISRA and being able to understand the risks to these various ports and to maritime transportation systems. And that's something his team's worked specifically on to try to break down what those cybersecurity components are factored into that overall risk equation and threat equation, not just the physical security aspects.
Blake Benson: Good point, Liz. And, you know, I think leveraging existing risk models is something that like you don't need to reinvent the wheel with this. A lot of the same approaches and methodologies are going to track, but they just need that. Like I said, the analysis of where those cyber dependencies are is something that, you know, we're going to have to be really proactive about as a country to put this together. But I don't want to lose sight of how good of an opportunity this is for the government to get something right from the US government perspective. Like I think the Coast Guard does have the cleanest path of authority in this space. And similar to the initial steps of where the TSA, you know, pipeline of security directives have gotten now, if funded appropriately and with enough capacity, you kind of get the opportunity to give industry and give stakeholders in this space a carrot, if you will, instead of a stick. The stick may be the regulatory framework or the policy that they need to abide by. But if you have enough capacity to roll out these assessments to, you know, increase that visibility, to Liz's point, you're kind of in a way subsidizing free consulting services to these stakeholders in these ports, if the Coast Guard has the appropriate threat intelligence and is performing some of this kind of left-of-boom threat hunt activity in these spaces. You know, those are big carrots that the government has an opportunity and the Coast Guard has an opportunity to emphasize, to, you know, build relationships with industries if this is the, you know, kind of model that the US government's going to take to improve our national security.
Dave Bittner: Liz, can you give us some insights on the port operators themselves? To what degree do we feel as though they understand the potential peril here?
Liz Martin: I think it depends on who you talk to at those ports. So the folks I've been able to interact with at some of the ports here in the US have indicated, you know, we're OT security people, so we understand there's a need, but, you know, we're one person or we're a team of two or three people trying to make a difference and help sort of train and educate the additional personnel at those ports that these are things that are of concern and we need to get better awareness around. And I think that's really another foundational element in this bigger picture that I mentioned, it's like this training component and educational piece of helping folks understand that these ports -- what are the things they need to be aware of; what are the risks and implications to operations that could have cascading effects? And we're talking about something that could potentially impact IT, and somebody may not look at it any other way of impacting OT, but it could actually have cascading effects down to the OT operation side of things. There's been half a dozen, if not more, ransomware events within the last year alone affecting various ports and causing cascading effects to operations that can transcend out to things on shipboard. So there's a lot of components there to be factored into the equation. And a lot of that's really having the conversation and education around, you know, what are these things we need to be aware of and what are the sort of wider threat pictures that we're not currently accounting for?
Dave Bittner: You know, Blake, a lot of the reporting that I've seen has focused on these cranes as kind of an example, you know, these Chinese sourced cranes. But it's my understanding that this will affect the vessels themselves?
Blake Benson: Yeah. So a lot of the guidance in the Coast Guard presser, especially, talked quite a bit about kind of the ability to inspect vessels, to levy authorities, to, you know, try and bring vessel cybersecurity maturity up. There have been other -- this is not new. I mean, the Coast Guard has been trying to do this. They had a work instruction that was specific to commercial vessel inspections to look at cyber plans. That reg was built off of the International Maritime Organization's 2021 guidance based on essentially including cybersecurity measures in their vessel safety management system, or safety management plan and the vessel security plan. So, you know, there are precedents for the government or various, you know, industry working groups or, you know, the International Association of Classification Societies saying that you need additional cybersecurity measures when you're building a new ship. And those guidelines come out later this year. So there's lots of stuff out there for vessels, but we scan -- I mean, my company and our group, my team, we scan lots of ships. We do a lot of cybersecurity assessment work on ships. And, you know, you'd really need to take into account what's important, what's critical, on these ships. And although they may have someone on board that understands cybersecurity, largely, you know, these systems need to have some sort of risk assessment done to determine, okay, what constitutes a bad day for me; what vulnerabilities if exploited could actually cause some sort of poor operational outcome, failure of the mission, whatever that might be, that could be a harmful, you know, consequence or safety operation? And I didn't see anything about that in the notice other than, hey, we're going to require these ships to have additional cybersecurity requirements, but going back to authority without capacity -- you know, who's going to inspect that; who's going to verify that; who's going to hold the vessel owners accountable? It's another gap in a capability there.
Dave Bittner: Our thanks to Liz Martin, global advisory solution architect at Dragos, and Blake Benson, senior director at ABS Group, for joining us. [ Music ] And that's Control Loop, brought to you by the CyberWire and powered by Dragos. For links to all of today's stories, check out our Show Notes at thecyberwire.com. Sound design for this show is done by Elliott Peltzman, with mixing by Tre Hester. Our senior producer is Jennifer Eiben. Our Dragos producers are Joanne Rasch, Mark Urban, and Monserrat Thomason. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]