Captain Andrew Tucci of U.S. Coast Guard paints stark picture of cyber vulnerabilities
Live from PortSecurity2014 -- Washington, D.C.-based Captain Andrew Tucci, U.S. Coast Guard chief of Ports and Facilities, Information Issues and Supply Chain Security, delivered a chilling presentation at PortSecurity 2014 in Ottawa, CA that focused on the growing importance and ubiquitous nature of cyber security in all aspects of our lives. The presentation included a cataloging of very disturbing examples of actual cyber attacks by perpetrators as young as 12 years old.
In shipping and port security, computers and electronics are integrated into just about every function of a vessel, he pointed out: security systems, cargo operations, communications with the bridge and navigation all represent opportunities for hackers. And although facility operators sometimes see cyber as strictly an IT issue, there are many sources of cyber breaches, including cyber espionage by foreign intelligence services, lone hackers, hacktivist groups, criminal networks, insider threats, cyber drug traffickers and simple technical failures.
The fact is that electronics and computers control more things than ever before. GPS is extremely vulnerable to jamming. SCADA systems, facility networks, vessel networks, command and control systems, navigation systems, mobile devices and Wi-Fi networks are all subject to hacking, and vessels with Wi-Fi are highly vulnerable. At the same time, Captain Tucci pointed out, destructive malware is inexpensive to obtain, and a sophisticated attack could come from the other side of the world or from simply plugging in a thumb drive.
Citing data from the global InterPort Police organization and other sources, Captain Tucci indicated that in recent years cyber attacks have been traced to Russian hackers targeting seaports, and to drug traffickers hacking computer networks to follow container movements, placing hacking and tracking devices on containers, and then using those devices to locate the containers and send drivers to pick them up. The rogues' gallery of known incidents in recent years has included:
- The 1991 disabling of an energy firm’s emergency alert system, covering 22 states, by hacking into its computers. During an emergency at a refinery in Richmond, CA, the system could not be used to notify the adjacent community of the release of a noxious substance;
- In 1997, a teenager hacked into NYNEX and cut off air and ground communications at Worcester Airport for six hours;
- In 1998, a 12-year-old hacked into the Roosevelt Dam. Federal authorities said that the hacker had complete SCADA system control of the dam’s massive flood gates.
- In 2000 in Russia, a hacker was able to control the computer system that governs the flow of natural gas through the pipelines, and a Trojan program inserted into the SCADA system software caused a massive natural gas explosion along the Trans-Siberian pipeline. The Washington Post reported that the explosion yielded “the most monumental non-nuclear explosion and fire ever seen from space.” The explosion was subsequently estimated at the equivalent of 3 kilotons. By comparison, the 9-11 explosions at the World Trade Center in New York were approximately 0.01 kiloton.
- In 2000 in Houston, Texas, an 18-year-old hacker brought the systems of the Port of Houston to a halt during a revenge attack on a fellow Internet chat room user. The perpetrator hacked into the computer server at the Port in order to target a female chat room user following an argument. The port’s web server, which contained crucial data for shipping pilots, mooring companies and support firms responsible for helping ships navigate in and out of the harbor, was rendered inaccessible.
- In 2003 in Afghanistan, computers and manuals seized in the Al Qaeda training camps were full of SCADA information related to dams and other structures.
- In August of 2003, computer systems at CSX Transportation were infected by a computer virus, halting passenger and freight traffic in Washington, DC.
- In Ohio in 2003, the Davis-Besse Nuclear Power Plant was infected with the Slammer worm via the unsecured network of a contractor, bypassing the firewall. Safety monitoring systems were down for five hours due to the denial-of-service attack.
- In 2008 in the U.S., a virus shipped on a retail Chinese digital picture frame stole passwords, spammed entire address-book contact lists, and opened back doors for hackers who could then gain control of a computer for further attacks. The virus recognized and blocked anti-virus protection from more than 100 security vendors, as well as the security and firewall built into Microsoft Windows. Vendors found similarly infected iPods, GPS units and various other devices.
- In 2011 in the Pacific Northwest, a hacker penetrated computer servers that controlled track signaling systems for a commuter rail system. The area was the 24th largest in the U.S., operating 625 buses and 127 trains and light rail systems.
- In 2003, college students hijacked an $80 million yacht with GPS signal spoofing, revealing a flaw that exposed all ships to terrorism.
How to reduce the risk
- In a final-straw scenario, the U.S. determined that a Chinese electronics manufacturer and online retailer had sold 285 models of signal jamming devices to U.S. consumers for more than two years. The response of the U.S. FCC was to apply the maximum fine for each jammer model allegedly marketed, resulting in a $34,912,500 fine.
“All companies, whether domestic or foreign, are banned from marketing illegal jammers in the U.S.,” said Travis LeBlanc, Acting Chief of the Enforcement Bureau. “Signal jammers represent a direct danger to public safety, potentially blocking the communication of first responders. Operating a jammer is also illegal, and consumers who do so face significant civil and criminal penalties.”
Additionally, the U.S. National Response Center requires reporting of a) suspicious activities, b) breaches of security, and c) transportation security incidents (TSI). Among the risk-reducing measures recommended by Captain Tucci of the Coast Guard were:
- Inventory your systems and map your network;
- Identify and evaluate vulnerabilities;
- Think about what could lead to a TSI;
- Study the NIST Framework and other sources providing resources to reduce risk;
- Set up a Homeport cyber page;
- Consider including cyber in FSPs/VSPs;
- Work with your AMSC.
He also pointed out that the U.S. Coast Guard is now evaluating cyber risks, facilitating cyber training requirements, and working with the IMO and the NIST Framework [www.nist.gov/cyberframework]. His final recommendations at PortSecurity2014 were: develop a Cyber Capability Model; use a Cyber Security Assessment and Risk Management approach (CARMA); and create a Cyber Resilience Review, including a one-day assessment of cyber practices with a focus on critical infrastructure protection.