Editors note: This is the second in a series of articles addressing cyber risk management and cybersecurity within the Marine Transportation System (MTS). The maritime community is facing daily threats to their information and operational technology systems, whether through malicious actors, antiquated systems, or lack of emphasis on securing the cyber landscape. Cyber threats are constantly evolving, and it is crucial that our stakeholders have the guidance, resources, and awareness to mitigate these risks.

Ransomware prevention, recovery and reporting requirements for MTSA regulated facilities

Among the many threats and vulnerabilities that come to mind when discussing cybersecurity and risk management, one that immediately comes to mind is ransomware. Recent events have highlighted the rapid and widespread impact that a ransomware attack can have on a company, industry, or even the national economy.

Ransomware is malicious software (malware) used by adversarial or criminal parties that encrypts data on a computer system, making it unusable for the end user. The parties encrypt, or hold the data hostage until a ransom is paid, in order to then receive decryption instructions. If not paid, data could remain unavailable indefinitely, or it could be released to the public at large.  Even if the ransom is paid, there are no guarantees that the data will be decrypted or released to the public, putting affected parties in extremely difficult situations in determining how to respond.

These type of attacks have already impacted maritime operations and facilities.  Some more recent attacks on Maritime Transportation Security Act (MTSA) Facilities include:

• 2019 –Ryuk malware entered the network of an MTSA regulated facility via an email phishing campaign. The impacts to the facility included a disruption of the entire corporate IT network (beyond the footprint of the facility), disruption of camera and physical access control systems, and loss of critical process control monitoring systems. These combined effects required the company to shut down the primary operations of the facility for over 30 hours while a cyber-incident response was conducted.
• 2020 – An entire Port was victimized by a digital ransomware attack, whereby cyber-criminals circumvented its systems and placed an encryption lock on the port’s servers and demanded $200,000 in ransom to restore the port’s servers. 

Below are some measures that can be taken to help mitigate the risk of and minimize the impact of a successful ransomware attack to your organizations:

• Secure Assets & Software –Implement controls to prevent unauthorized software from running on your computers
• Access Control –Restrict the use of accounts with administrative permissions to only necessary functions, to include restricting access to email and the web
• Training – Ensure your staff knows how to identify and avoid ransomware, what the indicators are if affected, and who to call to quickly neutralize and mitigate the spread. More specifically, CISA identifies phishing emails as an infection vector for ransomware and recommends providing staff with training and guidance on how to identify and report suspicious emails
• Backup – Ensure that sufficient, routine system and information backups are conducted so that data can be restored; store backup information offline to reduce the risk of being impacted by the attack and, test backups to ensure they are in working order and capture all the data required to quickly resume normal operations in the event of an attack.
• Maintenance – Ensure computers, devices, and applications are patched and up-to-date, that software and system updates are conducted immediately upon availability of new versions, that “default” or “factory” logins are secured, and that unused or unnecessary ports, protocols, and services are disabled.
• Malware Defense – Implement endpoint security tools, to include endpoint detection and response capabilities.  Install and regularly update anti-virus or anti-malware software on all hosts; use network segregation to isolate critical functions from non-critical functions; ensure use of multi-factor authentication for remote access; and, ensure accounts follow the principle of least access.

For more information on ransomware-related best practices and other resources please visit the Cybersecurity and Infrastructure Security Agency (CISA) ransomware resource page at: https://www.uscert.gov/ransomware.

As a reminder, MTSA regulated facilities and vessels must report suspicious cyber activity or breaches of security to the Coast Guard. Cyber incidents that impact an MTSA regulated facility or vessel must be reported to the National Response Center (NRC) at 1-800-424-8802.

For more information on reporting suspicious activity and breaches of security, including cyber incidents, please review CG-5P Policy Letter 08-16, Reporting Suspicious Activity & Breaches of Security.

Additional Coast Guard Cybersecurity resources can be found at U.S. Coast Guard Cyber Command and also at Maritime Cyber Readiness Branch.

This blog is not a replacement or substitute for the formal posting of regulations and updates or existing processes for receiving formal feedback of the same. Links provided on this blog will direct the reader to official publications, such as the Federal Register, Homeport and the Code of Federal Regulations. These publications remain the official source for regulatory information published by the Coast Guard.