Researchers at NHL Stenden University of Applied Sciences in the Netherlands have launched the Maritime Cyber Attack Database (MCAD), a database of incidents involving the worldwide maritime sector. Drawing from open-source information, NHL Stenden’s Maritime IT Security research group collected information on over 160 cyber incidents in the maritime industry for the MCAD. The database covers incidents impacting not only vessels but also ports and other maritime facilities worldwide. According to the researchers, “the scope of what is possible today is surprising, so we need to educate governments and companies about these kind of cyberattacks and help them understand not only how to react to them, but how to be prepared for them.”
As my control system cyber incident database also contains maritime and port control system cyber incidents, I wanted to see what was in the MCAD database that I was missing. As the name “IT security research group” suggests, most of the MCAD database incidents were ransomware, IT malware/phishing and GPS compromises, which I don’t count unless they affect ship or port operation. The impact from the A.P. Møller Maersk NotPetya malware was immense. In total, there were 17 shipping container terminals affected in Ukraine, Russia, Germany, the United States, the United Kingdom, France, Denmark and the Netherlands. Maersk suffered a $250 million-$300 million financial loss, data contamination, delayed container deliveries and traffic jams in and around ports. Maersk has often been the example case for cyber impacts on maritime even though there was no damage to ships or port equipment. This is similar to the July 2023 Port of Nagoya ransomware incident, where the port was affected but no physical damage was done to any port equipment.
The MCAD database was missing the cases where control system cyber-related incidents caused physical impacts to ships and port facilities. In addition to the ransomware cases that affected port operations, many of the incidents in my database caused physical impacts to ships including losing power, steering, and/or crashing. Port cyber-related incidents included cranes dropping containers, ships’ radars shutting down port/critical infrastructure SCADA systems, and other physical impacts. There were also impacts that prevented ships from transiting waterways. Many of the cases in my database were not malicious but could have been. As such, they were not in MCAD, which also makes it hard to meet the MCAD goal of how to react to and prepare for control system cyber incidents.
As my previous blog suggests, recognizing control system cyber-related incidents is a problem in every infrastructure sector and special training is required.