US maritime facilities have been on high alert over the Christmas break after the Coast Guard revealed details of a ransomware-related outage in late December.
The bulletin described a recent attack causing widespread operational disruption at a “Maritime Transportation Security Act (MTSA) regulated facility.”
“Forensic analysis is currently ongoing but the virus, identified as ‘Ryuk’ ransomware, may have entered the network of the MTSA facility via an email phishing campaign. Once the embedded malicious link in the email was clicked by an employee, the ransomware allowed for a threat actor to access significant enterprise Information Technology (IT) network files, and encrypt them, preventing the facility’s access to critical files,” it explained.
“The virus further burrowed into the industrial control systems that monitor and control cargo transfer and encrypted files critical to process operations. The impacts to the facility included a disruption of the entire corporate IT network (beyond the footprint of the facility), disruption of camera and physical access control systems, and loss of critical process control monitoring systems.”
The port facility’s operations were apparently disrupted for over 30 hours as a result of the attack.
The Coast Guard urged maritime authorities to implement risk management programs according to best practices outlined in the NIST Cybersecurity Framework (CSF) and NIST Special Publication 800-82.
Specific controls it recommended include intrusion prevention/detection systems, modern virus detection, host and server monitoring, network segmentation, up-to-date IT/OT network diagrams and regular back-ups.
Experts have been warning about a major cyber-attack on port facilities for some time. Late last year, a report from the Singapore-based Cyber Risk Management (CyRiM) project warned that a ransomware campaign targeting Asia’s ports could cost the global economy as much as $110bn.
In July last year the US Coast Guard issued a marine safety alert urging vessel and facility owners and operators to improve baseline cybersecurity, following an attack on a “deep draft vessel” bound for the Port of New York and New Jersey.