India's Need to Address Maritime Cybersecurity
Maritime cybersecurity is becoming an increasingly pressing concern for India’s strategic and commercial interests. As they have grown in complexity, maritime operations have become increasingly dependent on a variety of sophisticated technologies.
By Mihir Vikrant Kaulgud
Maritime cybersecurity is becoming an increasingly pressing concern for India’s strategic and commercial interests. As they have grown in complexity, maritime operations have become increasingly dependent on a variety of sophisticated technologies. Almost every area of the Maritime Transportation System (MTS) is dependent on IT systems including port management, traffic management, ship navigation, propulsion, logistics and supply chain support. With such a proliferation of IT technology, the vulnerabilities and exposure to cyber-threats also grow manifold. Anyone IT network breach has the potential to have a ripple effect and affect other sections of the interconnected MTS system. MTS is an indispensable component for the world’s economy, with around 90 percent of trade being sea-dependent. 95 percent of India’s trade by volume and 74 percent by value also involves maritime trade. Moreover, India’s “sea-dependence” for oil stands at 93 percent and for liquefied natural gas at 45 percent. Another area of strategic interest is the blue economy in the Indian Ocean Region (IOR), especially resource extraction activities such as deep-sea mining and illegal fishing. The most important strategic issue is the balance of power regarding China’s growing influence and attempts to dominate the IOR and South China Sea. Cyberattacks can also be a part of physical attacks, in the case of piracy or a naval war scenario. Since contemporary maritime operations, whether commercial or naval, depend on dedicated IT systems, robust maritime cybersecurity is essential for India to maintain secure strategic sea-lines-of-communication (SLOCs) and freedom to navigate in the interest of military and economic security.
Maritime cyberthreats result from human error and/or equipment vulnerabilities, which can both be exploited or manipulated by malicious actors. Human error could include misuse or negligence resulting from lack of training, for example opening an email attachment from an unknown source. The information provider IHS Markit reported that 80 percent of all information security-related events at sea are related to human error. The vulnerabilities of equipment like Automatic Identification System, Electronic Chart Display System or GPS are also a source of concern. Other crucial network applications and equipment integrated into the cyber landscape – logistics support software, client directories, service booking applications – are also prone to crippling cyber-attacks. Many of these systems, such as AIS, were designed when cyberattacks were not considered a widespread threat.
The most prominent cyberattack on the shipping industry was the 2017 attack on Maersk. The Danish company’s entire operation was severely affected for at least 2 weeks, costing US$250-$300 million. It is worth detailing this example, as it highlights the nature of cyberattacks and their potential scale of disruption. The attackers, connected with Russian Intelligence, used the NotPetya malware which focused on damaging and disrupting its target's operations completely. It was a case of one network node being breached to rapidly infect other nodes, with Ukrainian tax software MeDoc being the initial entry point for the software. It exploited technological, procedural and behavioural weaknesses. The damage was catastrophic, with several key network applications, servers and end-user devices, such as laptops and printers, being rendered inaccessible or damaged beyond repair. In an example of how technology integration increases vulnerability, the hackers targeted communications, with company-synced emails and phone contacts being erased in one go. Closer to Indian waters, a large part of the Jawaharlal Nehru Port Terminal (JNPT) was crippled when the global attack on Maersk brought their operations in JNPT to a standstill. Shipping companies such as CMA CGM and MSC, and agencies like International Maritime Organization and Maritime Trade Information Sharing Center, have also been hacked in a similar manner.
Chinese cyber activity is also a major maritime security threat for India. In the South China Sea region, Chinese hacking groups have initiated DoS (Denial-of-Service) attacks against Southeast Asian governments, which disable access to the targeted network or website, and malware attacks, which infect the target computer or network with malicious software. Naikon is an Advanced Persistent Threat (APT) - a campaign of coordinated cyberattacks - that conducts cyberespionage among government, military, and private agencies in the South China Sea region. Naikon uses socially engineered “spear-phishing” emails, convincing targeted users to open attachments that will infect their network and collect data. Naikon has been linked to China’s Army (PLA). Other APTs which analysts have linked to China’s government include APT30, APT16 and Numbered Panda. The high probability that these Chinese hacking groups are state-sponsored is a worrisome indication of China’s boldness to rivals like India or the United States. China is also using cyber technology in their South China Sea Anti-Access/Area Denial (A2/AD) strategy. The A2/AD strategy denies freedom of movement and navigation to rival powers, by increasing defense systems that threaten their ships/submarines. Denying network access, disrupting IT-assisted navigation and propulsion are ways in which cybertechnology is used in A2/AD.
Ethical hackers and risk analysis researchers have demonstrated the inadequacy of contemporary maritime cybersecurity, and how easy it is to hack ships through using publicly available, open-source intelligence (OSINT). So, it is not surprising that malicious state and non-state actors are exploiting these vulnerabilities. There is thus an urgent need to address and reinforce maritime cybersecurity. Several countries have developed dedicated maritime cybersecurity units, frameworks, or plans, including the US, Denmark, the UK and Singapore. Regulatory regimes are also being updated to meet cybersecurity needs. India would do well to follow their example as soon as possible, as cyberthreats are only going to increase in the coming years. The recently announced National Cybersecurity Strategy is a good foundation to develop a dedicated maritime cybersecurity strategy as well, given its importance to India's economic and military security.
In an evaluation of the cyber capabilities of countries, India was placed in Tier Three which indicates “strengths or potential strengths in some of the categories in the IISS [International Institute for Strategic Studies] cyber-power methodology but significant weaknesses in others.” The same report recommends that the Indian government can fruitfully collaborate with firms from its strong IT industry. Innovative initiatives that have been implemented elsewhere are ethical hacking challenges and conferences, where teams of cybersecurity experts can engage with maritime cyberinfrastructure in controlled environments to gain training and experience. Other capacity-building exercises that can be easily implemented are training in cybersecurity best practices for all ship and port personnel that interact with cyberinfrastructure. Institutions like MITAGS offer courses in maritime cybersecurity, which can be developed and tailored for the Indian context.
But given the transnational nature of the maritime world, isolated national policies will do little to address the ripple effects of global attacks, like how the attack on Maersk’s operations disrupted the JNPT port in Mumbai. So there needs to be a concerted global effort to build a global maritime cybersecurity regulation regime. For example, some scholars have suggested that the International Maritime Organization implement a dedicated Cyber Code, following the example of the Polar Code which provides a mandatory transnational framework for ships operating in polar waters. There are a few international firms that specialize in improving maritime cybersecurity which can be consulted as well. Lastly, there can also be international and public-private collaboration in building cyber-secure vessels and infrastructure. It is in India’s interest to take a leading role in such negotiations and developments, given its crucial position in the Indian Ocean Region and the need to protect itself against China’s growing threat in that region.
Disclaimer: This paper is the author’s individual scholastic contribution and does not necessarily reflect the organisation’s viewpoint.