As large-scale cyberattacks by China and Russia on American government agencies and corporations have demonstrated, it can be difficult to prevent nation-states from planting malware on sensitive networks—even those with strict access controls. It can also be difficult to know that it has happened. Suspected Russian hackers in the SolarWinds supply-chain attack remained undetected on networks for as long as nine months before they were discovered.
This kind of vulnerability has significant implications for Navy cybersecurity, including at ports in the Pacific where replenishment ships take on supplies. One of the risks is that an adversary could plant malware on port computer systems and then activate it at a critical moment, crippling resupply operations. This might unfold, for example, if a naval confrontation between the U.S. and an adversary in the INDOPACOM AOR seemed imminent, and the Navy wanted to top off fuel, munitions and other supplies on combatant ships for maximum mobility and flexibility.
It wouldn’t be necessary for the malware to infect and disable every supply-related computer system in a port—a single attack anywhere along the line could disrupt the entire resupply operation. For example, malware could disable the pumps that transfer fuel to the replenishment ships, or the cranes that load palletized munitions and other supplies. Malware could freeze the inventory-control systems that dictate which supplies go on which ships, or it could cut the power in critical places.
Ports around the world are being increasingly targeted by hackers. Cyberattacks on the maritime industry’s operational technology (OT) systems have grown by at least 900 percent over the last three years, with some port operations being knocked out for days or even weeks, according to the maritime cybersecurity company Naval Dome.
Current cybersecurity measures at Navy-controlled and commercial ports tend to focus on identity and access management, dictating who has access to which systems. While that is critical, it is not enough. Nation-states like China and Russia are increasingly adept at bypassing identity and access controls in sensitive networks—such as with last year’s SolarWinds attack, which came through a routine software update to thousands of customers, including in parts of the Pentagon and other federal agencies.
China is accused of an even more massive attack on American government and business organizations this year, in which hackers exploited vulnerabilities in a Microsoft email service to plant hidden malware.
While such attacks have proven hard to prevent, the Navy can take specific steps to strengthen cybersecurity at Navy-controlled and commercial ports in the Pacific and elsewhere. There is no silver bullet, however. Defending ports against sophisticated cyberattacks calls for a multifaceted approach—one that combines traditional methods, such as redundancy and manual backups, with advanced technologies such as AI-enabled threat detection.
Such an approach focuses not just on protecting the IT and OT systems in ports from malware intrusion, but also on keeping them resilient in the face of a successful breach.
COMPENSATING CONTROLS
Redundancy and manual backups may seem to be obvious solutions, but such compensating controls are actually among the most challenging aspects of port cybersecurity. Navy-controlled and commercial ports typically have dozens of complex IT and OT systems. No port has the resources to fully back up every part of every system, either through redundant systems or manual processes. Some areas will inevitably have less protection than others.
The key is to identify and back up the most critical systems, so that even if a cyberattack disables some port operations, the resupply operation can continue. This calls for determining how much disruption an attack on any IT or OT system might cause, and then prioritizing resources to protect the most important systems. For example, can a backup server reside in the same rack as the primary one, or does it need to be in a different building, or even in another part of the Pacific? Does the port need an entire backup power grid, or is it sufficient just to back up certain systems?
STRONG CYBERSECURITY HYGIENE
Cybersecurity hygiene is also critical. Currently, this tends to vary from port to port, and often does not fully consider the kind of sophisticated cyberattack that might come from a nation-state like China. To protect against such attacks, there must be regular and comprehensive penetration testing of both IT and OT systems. Such testing should focus not just on known vulnerabilities, but on architectural and system-integration weaknesses.
Other hygiene measures include frequent software updates to reduce vulnerabilities. However, software updates can take critical systems offline for extended periods, and they can have unintended effects, causing parts of systems not to work properly. Updates can also be a vector for malware, as the SolarWinds supply-chain attack showed. So, while frequent updates are necessary, they must be done strategically, balancing benefits and risk.
The same kind of balancing should be applied to identity and access controls. The fewer people who have access to the various networks in a port, the greater the cybersecurity protection—but at the same time, overly strict controls could slow resupply operations to a crawl.
AI-ENABLED THREAT DETECTION
The next layer of defense is aimed at detecting malware that has been hidden on port systems, but not yet activated. Such malware is often very difficult to find—cybersecurity experts may not know where to look, or even what to look for. However, AI can hunt for second-order effects of an attack—subtle evidence that hackers are or have been active in a system.
The AI does this by finding unexpected patterns, or anomalies, in the massive volumes of data that course through systems every day. In some cases, the AI recognizes these anomalies as known activities of cyberhackers, while in other cases, the patterns may be unfamiliar—but still suspicious. When either situation occurs, cybersecurity experts can investigate the potential threat, and then take mitigating actions.
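The two-case triage described above (a pattern matching known adversary activity, or an unfamiliar-but-suspicious one) as an added example that is not from the article or from Booz Allen: it runs signature matching plus baseline-deviation checks over constructed port OT/IT log lines and labels each finding for analyst review. The source names, command names and the KNOWN_BAD list are all hypothetical placeholders.

```python
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed baseline: a quiet day of traffic from two hypothetical port OT/IT sources.
BASELINE = (
    [f"hour={h:02d} src=fuel-pump-gw cmd=read_flow" for h in range(24)]
    + [f"hour={h:02d} src=inventory-srv cmd=query_manifest" for h in range(24)]
    + ["hour=06 src=fuel-pump-gw cmd=start_pump", "hour=18 src=fuel-pump-gw cmd=stop_pump"]
)
# Constructed review day: a signature hit, a never-seen command, and a 02:00 query burst.
TODAY = BASELINE + [
    "hour=02 src=fuel-pump-gw cmd=disable_safety_interlock",
    "hour=02 src=inventory-srv cmd=export_all_manifests",
] + ["hour=02 src=inventory-srv cmd=query_manifest"] * 40
KNOWN_BAD = {"disable_safety_interlock"}  # placeholder for curated threat-intel signatures
LINE_RE = re.compile(r"hour=(\d\d) src=(\S+) cmd=(\S+)")

def parse(line):
    hour, src, cmd = LINE_RE.match(line).groups()
    return int(hour), src, cmd

def build_profile(lines):
    """Per-source set of commands seen and mean/stdev of events per hour."""
    seen, hourly = defaultdict(set), defaultdict(Counter)
    for hour, src, cmd in map(parse, lines):
        seen[src].add(cmd)
        hourly[src][hour] += 1
    stats = {}
    for src, counts in hourly.items():
        per_hour = [counts.get(h, 0) for h in range(24)]
        stats[src] = (mean(per_hour), pstdev(per_hour))
    return seen, stats

def triage(review_lines, baseline_lines, z=3.0):
    """Return (src, hour, detail, category); category is 'known' or 'unfamiliar'."""
    seen, stats = build_profile(baseline_lines)
    findings, hourly = [], defaultdict(Counter)
    for hour, src, cmd in map(parse, review_lines):
        hourly[src][hour] += 1
        if cmd in KNOWN_BAD:                 # matches a known adversary pattern
            findings.append((src, hour, cmd, "known"))
        elif cmd not in seen[src]:           # never seen from this source in baseline
            findings.append((src, hour, cmd, "unfamiliar"))
    for src, counts in hourly.items():       # volume anomalies against the baseline
        mu, sigma = stats.get(src, (0.0, 0.0))
        for hour, n in counts.items():
            if n > mu + z * max(sigma, 1.0): # floor sigma so flat baselines still alert
                findings.append((src, hour, f"{n} events", "unfamiliar"))
    return findings
```

Running `triage(TODAY, BASELINE)` yields one "known" finding and two "unfamiliar" ones, while a baseline day checked against itself yields none.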
STAYING RESILIENT
Despite these and other defensive measures, an adversary may still find a way to plant and activate malware on port systems. Ports need to be ready for this possibility with measures in place that will rapidly isolate and limit any damage, keeping essential resupply operations up and running. Such measures—many of them automated—range from incorporating targeted access controls and “zero-trust” architectures to taking systems offline and putting manual backup plans into action. Many of these same actions can be taken if cybersecurity experts discover significant vulnerabilities in systems that could open the door to adversaries.
Through a full awareness of the risks, and careful planning to mitigate them, the Navy can build cyber resilience into port supply operations in the Pacific and beyond.
JANDRIA ALEXANDER
Jandria Alexander, a nationally recognized cybersecurity expert and Booz Allen vice president, leads resilient platform systems and enterprise digital transformation strategy and solutions for Navy clients.
DR. MIKE GEORGE
Dr. Mike George leads Booz Allen’s Federal Threat Hunt team and researches machine learning approaches for detecting sophisticated cyber adversaries.
GREGORY BUCK
Gregory Buck, the coordinator of Booz Allen’s Federal Threat Hunt team, is the former Deputy Chief of Staff of the Cyberspace Solarium Commission.
CAPTAIN JEFF GRIFFIN
Captain Jeff Griffin, a retired Surface Warfare Officer and former Chief of Staff, U.S. 7th Fleet, is Booz Allen’s lead exercise planner for multi-domain operations, supporting headquarters, U.S. Army Pacific.