Firewall and antivirus are not enough to protect ships anymore. Here’s what you need to do

So you got your new Starlink? Congratulations! Now you need to step up your cyber protection as well.

The traditional approach of firewall + antivirus is not enough to protect ships that transitioned from very low bandwidth connectivity to Starlink with up to 100 megabits per second. We collected 7 reasons why you need to strengthen your cybersecurity along with the added bandwidth.

Transitioning from the low-bandwidth connectivity that until recently was ubiquitous in the maritime industry to new high-speed connectivity services provided by Low Earth Orbit (LEO) satellite services such as Starlink, with 15 and even 100 megabits per second, can significantly enhance vessel connectivity and support smart devices that improve safety, operational efficiency, and even crew digital welfare.

However, the jump in bandwidth and the new low latency also come at a cost: increased cybersecurity risk. The higher bandwidth expands the vessel attack surface, and connecting additional digital assets to the internet accelerates that expansion even more. Attackers are also getting more sophisticated: 2023 saw almost double the number of ransomware attacks of the previous year, and hundreds of new, actively exploited vulnerabilities (“zero-days”) were discovered in leading routers, firewalls, and remote access software. AI tools also accelerate the creation of new exploits and make them harder to detect.

In the maritime industry, the traditional cybersecurity approach relied on a firewall and antivirus/anti-malware to protect vessels. This is no longer viable in the era of high connectivity. As vessels adopt more digital technologies, shipping companies need to manage both legacy and new IT and OT assets, leading to a highly complex architecture that is very attractive to attackers. One report finds that 37% of industrial ransomware attacks target both the IT and the OT of the organization. Vessels and maritime companies are high-value targets, and we also see a significant increase in cyberattacks on maritime targets, with cyber attacks occurring every three days (on average) during September–October 2023.

The following analysis explains the various angles where firewalls and antivirus software fall short of protecting high-connectivity environments and what shipping companies need to implement to protect their vessels:


1. Increased Attack Surface

With higher bandwidth and lower latency, significantly more data flows through the network, expanding the potential attack surface. It is also harder to detect information leakage among all that traffic.

Why a firewall isn’t enough: A firewall alone might not effectively manage and inspect this increased data flow to prevent threats, especially outbound data leakage.

What you really need: a modern Intrusion Detection / Intrusion Prevention System (IDS/IPS) that monitors all traffic flowing through the network and can detect anomalies. Preferably, use an IDS/IPS that was developed specifically for maritime IT and OT systems.


2. Digital diversification

The increased bandwidth enables the implementation of new digital devices: modern navigation systems, connected ship management systems that provide status information to the back-office, digital cargo maintenance, connected safety systems that provide alerts in real-time, and many others. 

Why a firewall isn’t enough: traditional firewalls are not designed to protect such equipment; they do not scan and map the asset inventory, are not able to identify vulnerabilities (especially in maritime assets), and do not present an up-to-date risk status. They only filter data communications as they take place.

What you really need: based on the NIST cybersecurity framework, it is recommended to combine three cybersecurity measures:

  • Automated asset mapping that is designed to identify both maritime IT and OT for a complete inventory of assets you need to protect;
  • Proactive vulnerability detection that can manage maritime IT and OT to provide an up-to-date picture of the cyber risk situation and prioritize which areas require immediate attention;
  • Real-time protection to identify suspicious changes in the asset inventory, whether a new device connected to the ship networks or a device connecting to a network other than the one designated for it, such as a new mobile phone that suddenly appears on the business network.


3. Diverse Threat Landscape

Modern cyber threats come in many forms, from malware to sophisticated targeted attacks. Some bad actors try to gain access by using social engineering methods like phishing; others invest in sophisticated attack vectors called “zero-day attacks”, exploiting previously unknown vulnerabilities in common applications and infrastructure. Just recently, the US government was hacked through a vulnerability in Microsoft Outlook, DP World was allegedly hacked through a remote-access vulnerability called “CitrixBleed”, and hundreds of new critical, actively exploited vulnerabilities were identified in many common platforms, from internet browsers to firewalls, routers, VPNs and virtual infrastructure.

Why a firewall isn’t enough: firewalls are effective in blocking known threats based on predefined rules, but they may struggle against zero-day exploits or advanced persistent threats (APTs). They also can’t block attacks that exploit known vulnerabilities that have not been patched yet, leaving the entire vessel completely unprotected.

What you really need: as before, the best practice is to combine proactive vulnerability scanning, which detects critical risks so they can be mitigated (by updating or, if that is not feasible, by containing the risk, for example by isolating the affected network), with real-time protection that uses anomaly detection trained specifically for maritime equipment and its unique patterns of behavior.


4. Lack of Granularity

Why a firewall isn’t enough: firewalls are limited in the level of protection granularity they can reach. They control traffic based on ports, IP addresses, and protocols, which might not be sufficient to identify and block more sophisticated threats that can hide within legitimate traffic.

What you really need: built-for-maritime cybersecurity protection with Deep Packet Inspection (DPI) capabilities: the ability to understand the data flow at a much more granular and accurate level and to recognize the correct usage of maritime IT and OT.


5. Inadequate for Application-Level Attacks

Advanced attacks often target specific applications and services rather than just network ports. When attackers target known, or unknown, vulnerabilities in the applications themselves – email clients, internet browsers, remote access, VPNs, and even the firewalls themselves—the traffic appears completely legitimate and will not be blocked by the firewall.

Why a firewall isn’t enough: firewalls might not have the capability to inspect the content of data packets deeply enough to prevent application-level attacks effectively, and even if they do, the traffic usually appears legitimate because it exploits a specific application vulnerability. Also, firewalls in most cases monitor traffic at the perimeter of the vessel and are not exposed to traffic within the internal networks, such as unauthorized access across systems and networks.

What you do need: a modern IDS/IPS that monitors the connectivity of all IT and OT systems in real time, including inbound and outbound traffic as well as internal traffic, and that is designed specifically to identify abnormal behavior patterns of maritime systems. This way, traffic that looks legitimate on its own but forms an abnormal pattern will raise an alert.


6. User Behavior and Insider Threats

The leading method used in ransomware attacks is compromising inside users, whether through phishing or other methods.

Why a firewall isn’t enough: firewalls can’t prevent insider threats or stop users who unknowingly compromise security by clicking on malicious links or downloading infected files. Firewalls also struggle to monitor internal traffic; they protect mostly inbound and outbound communication. If a valid user is compromised, the firewall won’t stop that traffic, since it has no way of knowing the transmission is compromised.

What you do need is a modern protection system that constantly detects intrusions (IDS/IPS) and can identify abnormal patterns of behavior and access to areas that users and devices are not supposed to reach.
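The three checks described in sections 2, 5 and 6 (a new device appearing on the ship networks, a known device showing up on a segment other than its designated one, and internal traffic crossing segments it should not) can be expressed as a small baseline-versus-observation comparison. The following is an added example written for this article, not a product's code: it assumes a segment plan with three networks (business, crew, OT), a baseline inventory keyed by MAC address, and an allow-list of expected segment-to-segment flows. All addresses, MACs, device names and flow records below are constructed for illustration.

```python
"""Segment-aware inventory and internal-flow checks for a ship network.

Added example (not vendor code). Assumes a fixed segment plan and a
baseline inventory maintained by the asset-mapping step; all sample
data is constructed.
"""
import ipaddress
from dataclasses import dataclass

# Designated network segments (constructed example addressing).
SEGMENTS = {
    "business": ipaddress.ip_network("10.10.0.0/24"),
    "crew":     ipaddress.ip_network("10.20.0.0/24"),
    "ot":       ipaddress.ip_network("10.30.0.0/24"),
}

# Expected segment-to-segment flows; anything else is flagged.
# Only internal traffic is modelled here; perimeter traffic is the firewall's job.
ALLOWED_FLOWS = {
    ("business", "business"),
    ("crew", "crew"),
    ("ot", "ot"),
    ("business", "ot"),   # e.g. the ship management server polling OT status
}

# Baseline inventory from asset mapping: MAC -> (description, designated segment).
BASELINE = {
    "00:11:22:33:44:01": ("engine monitoring gateway", "ot"),
    "00:11:22:33:44:02": ("ECDIS workstation", "ot"),
    "00:11:22:33:44:10": ("master's PC", "business"),
    "00:11:22:33:44:11": ("ship management server", "business"),
    "00:11:22:33:44:20": ("crew Wi-Fi access point", "crew"),
}


@dataclass(frozen=True)
class Observation:
    """A device seen on the network: which MAC answered from which IP."""
    mac: str
    ip: str


@dataclass(frozen=True)
class Flow:
    """One internal connection record (e.g. from a switch span port)."""
    src_ip: str
    dst_ip: str
    dst_port: int


def segment_of(ip: str) -> str:
    """Map an IP address to its segment name, or 'unknown' if outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def check_inventory(observed, baseline=BASELINE):
    """Flag devices missing from the baseline and devices on the wrong segment."""
    alerts = []
    for obs in observed:
        seg = segment_of(obs.ip)
        if obs.mac not in baseline:
            alerts.append(f"NEW_DEVICE {obs.mac} at {obs.ip} on {seg}")
            continue
        desc, designated = baseline[obs.mac]
        if seg != designated:
            alerts.append(
                f"WRONG_SEGMENT {desc} ({obs.mac}) seen on {seg}, designated {designated}"
            )
    return alerts


def check_flows(flows, allowed=ALLOWED_FLOWS):
    """Flag internal flows whose (source segment, destination segment) is not expected."""
    alerts = []
    for f in flows:
        pair = (segment_of(f.src_ip), segment_of(f.dst_ip))
        if pair not in allowed:
            alerts.append(
                f"UNEXPECTED_FLOW {f.src_ip} -> {f.dst_ip}:{f.dst_port} ({pair[0]} -> {pair[1]})"
            )
    return alerts


# Constructed sample observations and flows.
SAMPLE_OBSERVED = [
    Observation("00:11:22:33:44:01", "10.30.0.5"),   # engine gateway where expected
    Observation("00:11:22:33:44:10", "10.10.0.15"),  # master's PC where expected
    Observation("aa:bb:cc:dd:ee:ff", "10.10.0.77"),  # unknown phone on the business LAN
    Observation("00:11:22:33:44:20", "10.30.0.9"),   # crew AP plugged into an OT switch
]

SAMPLE_FLOWS = [
    Flow("10.10.0.20", "10.30.0.5", 502),   # ship management -> OT gateway, expected
    Flow("10.20.0.44", "10.30.0.5", 502),   # crew device -> OT gateway, not expected
    Flow("10.10.0.15", "10.20.0.44", 445),  # business host -> crew device, not expected
    Flow("10.30.0.5", "10.30.0.6", 102),    # OT-internal traffic, expected
]


def run_checks(observed=SAMPLE_OBSERVED, flows=SAMPLE_FLOWS):
    """Run both checks and return all alerts as strings."""
    return check_inventory(observed) + check_flows(flows)


if __name__ == "__main__":
    for alert in run_checks():
        print(alert)
```

On the sample data this produces four alerts: an unknown MAC on the business network, the crew access point seen on the OT segment, a crew device reaching the OT gateway, and a business host reaching into the crew network. Each of the flagged flows uses ordinary ports that a perimeter firewall would never see, which is the point of section 5: the check has to run on internal traffic against a segment plan, not at the edge.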


7. Firewalls are a Common Target by Themselves

The most common firewalls can pose a threat by themselves, as they are frequently exploited by attackers. In the past 2 months, we saw more than 150 new critical vulnerabilities published for Cisco and Fortinet firewalls alone, and reportedly those were being actively exploited. Also, in a maritime environment, frequent patching of firewalls can be challenging.

What you do need is a multi-layered cyber protection system that does not rely on a firewall alone but rather has multiple lines of defense against known and new threats.

As we can see, while a firewall is an essential component of network security, relying solely on it, especially in an environment that was upgraded to significantly higher bandwidth like Starlink, is insufficient. Implementing a robust security strategy that includes multiple layers of defense, continuous monitoring, threat intelligence, and user education is crucial to protecting against a wide range of cyber threats in such environments.
