Cyber Attacks on Navy Port Supply Operations

As large-scale cyber attacks by China and Russia on American government agencies and corporations have demonstrated, it can be difficult to prevent nation-states from planting malware on sensitive networks—even those with strict access controls. It can also be difficult to know that it has happened. Suspected Russian hackers in the SolarWinds supply-chain attack remained undetected on networks for as long as 9 months before they were discovered.

This kind of vulnerability has significant implications for Navy cybersecurity, including at ports in the Pacific where replenishment ships take on supplies. One of the risks is that an adversary could plant malware on port computer systems and then activate it at a critical moment, crippling resupply operations. This might unfold, for example, if a naval confrontation between the U.S. and an adversary in the U.S. Indo-Pacific Command Area of Responsibility (INDOPACOM AOR) seemed imminent, and the Navy wanted to top off fuel, munitions, and other supplies on combatant ships for maximum mobility and flexibility.

It wouldn’t be necessary for the malware to infect and disable every supply-related computer system in a port—a single attack anywhere along the line could disrupt the entire resupply operation. For example, malware could disable the pumps that transfer fuel to the replenishment ships, or the cranes that load palletized munitions and other supplies. Malware could freeze the inventory-control systems that dictate which supplies go on which ships, or it could cut the power in critical places.

Ports around the world are being increasingly targeted by hackers. Cyber attacks on the maritime industry’s operational technology (OT) systems have grown by at least 900% over the last 3 years, with some port operations being knocked out for days or even weeks, according to the maritime cybersecurity company Naval Dome.

Current cybersecurity measures at Navy-controlled and commercial ports tend to focus on identity and access management, dictating who has access to which systems. While that is critical, it is not enough. Nation-states like China and Russia are increasingly adept at bypassing identity and access controls in sensitive networks—such as with last year’s SolarWinds attack, which came through a routine software update to thousands of customers, including in parts of the Pentagon and other federal agencies. China is accused of an even more massive attack on U.S. government and business organizations this year, in which hackers exploited vulnerabilities in a Microsoft email service to plant hidden malware.

While such attacks have proven hard to prevent, the Navy can take specific steps to strengthen cybersecurity at Navy-controlled and commercial ports in the Pacific and elsewhere. There is no silver bullet, however. Defending ports against sophisticated cyber attacks calls for a multifaceted approach—one that combines traditional methods, such as redundancy and manual backups, with advanced technologies such as artificial intelligence (AI)-enabled threat detection. Such an approach focuses not just on protecting the IT and OT systems in ports from malware intrusion, but on keeping them resilient in the face of a successful breach.

Redundancy and manual backups may seem to be obvious solutions, but such compensating controls are actually among the most challenging aspects of port cybersecurity. Navy-controlled and commercial ports typically have dozens of complex IT and OT systems. No port has the resources to fully back up every part of every system, either through redundant systems or manual processes. Some areas will inevitably have less protection than others.

The key is to identify and back up the most critical systems, so that even if a cyber attack disables some port operations, the resupply operation can continue. This calls for determining how much disruption an attack on any IT or OT system might cause, and then prioritizing resources to protect the most important systems. For example, can a backup server reside in the same rack as the primary one, or does it need to be in a different building, or even in another part of the Pacific? Does the port need an entire backup power grid, or is it sufficient just to back up certain systems?

Cybersecurity hygiene is also critical. Currently, this tends to vary from port to port, and often does not fully consider the kind of sophisticated cyber attack that might come from a nation-state like China. To protect against such attacks, there must be regular and comprehensive penetration testing of both IT and OT systems. Such testing should focus not just on known vulnerabilities, but on architectural and system-integration weaknesses.

Other hygiene measures include frequent software updates to reduce vulnerabilities. However, software updates can take critical systems offline for extended periods, and they can have unintended effects, causing parts of systems not to work properly. Updates also carry the risk of a malware attack. So, while frequent updates are necessary, they must be done strategically, balancing benefits and risk.

The same kind of balancing should be applied to identity and access controls. The fewer people who have access to the various networks in a port, the more cybersecurity protection—but at the same time, overly strict controls could slow resupply operations to a crawl.

The next layer of defense is aimed at detecting malware that has been hidden on port systems, but not yet activated. Such malware is often very difficult to find—cybersecurity experts may not know where to look, or even what to look for. However, AI can hunt for second-order effects of an attack—subtle evidence that hackers are or have been active in a system.

The AI does this by finding unexpected patterns, or anomalies, in the massive data that courses through systems every day. In some cases, the AI recognizes these anomalies as known activities of cyberhackers, while in other cases, the patterns may be unfamiliar—but still suspicious. When either of these situations occur, cybersecurity experts can investigate the potential threat, and then take mitigating actions.

Despite these and other defensive measures, an adversary may still find a way to plant and activate malware on port systems. Ports need to be ready for this possibility with measures in place that will rapidly isolate and limit any damage, keeping essential resupply operations up and running. Such measures—many of them automated—range from incorporating targeted access controls and “zero- trust” architectures to taking systems offline and putting manual backup plans into action. Many of these same actions can be taken if cybersecurity experts discover significant vulnerabilities in systems that could open the door to adversaries.

Through a full awareness of the risks, and careful planning to mitigate them, the Navy can build cyber resilience into port supply operations in the Pacific and beyond.