The U.S. Coast Guard last month issued a safety bulletin following a ransomware attack that impaired both the IT systems and industrial control systems of a facility regulated by the Maritime Transportation Security Act (MTSA), and prompted a 30-hour operational shutdown.
The ransomware program, identified as Ryuk, was delivered via a phishing email containing a malicious link that was clicked by an employee. According to the alert, the ransomware encrypted critical network files, then “further burrowed into the industrial control systems that monitor and control cargo transfer and encrypted files critical to process operations.”
“The impacts to the facility included a disruption of the entire corporate IT network (beyond the footprint of the facility), disruption of camera and physical access control systems, and loss of critical process control monitoring systems,” continued the alert, which was issued back on December 16.
The Coast Guard did not name the specific facility that was affected, but did say that damage and delays caused by the attack were likely mitigated by a series of protections including intrusion detection and prevention systems, virus detection software, centralized and monitored host and server logging, segmentation between the IT and OT environments, up-to-date IT/OT network diagrams and back-ups of critical files and software.
Enforced as of July 2004, the MTSA was created to safeguard the U.S. maritime industry and commerce by requiring vessels and port facilities to assess vulnerabilities and develop security plans using risk-based decision-making.
“Ransomware was one of the most disruptive forms of cyberattack[s] in 2019 and it seems that this will continue to be the case in 2020,” said Stuart Reed, vice president of cybersecurity at Nominet, in emailed comments. “With countless emails and links being sent across the network it is no small task to mitigate the risk of employees falling victim to an attack, and reminds us of the importance of a layered approach to security.”