Iran is being blamed for a drone attack last week against a commercial vessel that killed two crew members, one from the United Kingdom and the other from Romania. The Japanese-owned tanker, the Mercer Street, was sailing under a Liberian flag at the time and traveling from Dar es Salaam, Tanzania, to an oil terminal in the United Arab Emirates. The vessel is managed by Zodiac Maritime, a UK-based international ship management firm founded by Israeli billionaire Eyal Ofer and his late father.
The attack, which took place about 280 kilometers northeast of the Omani port Duqm, was not the first of its kind but is the first to have caused fatalities. According to Sky News, Britain’s “Foreign Office said the drone assault followed similar attacks on three other Israeli-linked ships in the region since February and there are concerns that tensions are increasing in the region.”
The U.S. Navy’s Fifth Fleet responded to Mercer Street’s distress call and its explosive ordnance disposal (EOD) personnel immediately provided investigatory assistance, stating that “initial indications clearly point to a UAV-style attack.” The Navy provided a two-ship escort comprised of the USS Ronald Reagan aircraft carrier and the USS Mitscher guided-missile destroyer for the vessel to move to safety.
Commercial ships targeted by Iran face a wide variety of threats including drones, mines, and piracy or illegal boarding from Iranian-backed vessels and personnel. They must also be prepared for Iranian-backed cyberattacks. Sky News recently reported the discovery of “Iran’s Secret Cyber Files” which exposed what appear to be a series of authentic Iranian research reports compiled by an offensive cyber unit of the Islamic Revolutionary Guard Corps (IRGC) called “Shahid Kaveh.”
The research included a six-page report titled “Ballast Water” with diagrams showing how remote commands could be sent to a ship’s ballast controls, stating, “[a]ny kind of disruptive influence can cause disorder within these systems and can cause significant and irreparable damage to the vessel.” It also included a section on “Maritime Communications” which explored the types of satellite communications used by vessels at sea, specifically noting the percentage of those devices whose login screens could be found through internet searches.
The story, authored by Sky News’ foreign affairs editor, Deborah Haynes, suggested that the Iranian research must have come at the behest of Iran’s top leadership, pointing to a quote that appears at the top of most of the cover pages of the various reports. It reads, “The Islamic Republic of Iran must become among the world’s most powerful in the area of cyber,” and is attributed to Iran’s Supreme Leader, Ayatollah Ali Khamenei.
Iran’s offensive cyber units undoubtedly seek to exploit what British news outlet The Times reported in 2018: that “poorly protected ships” are “at severe risk of cyberattack.” The article pointed out that “cybersecurity in the global shipping industry was about a decade behind other sectors because of outdated onboard systems and that there was already evidence of successful cyberattacks at sea.”
These assertions have been reinforced by Control Systems Cybersecurity Expert Joseph Weiss, whose “control system incident database includes more than 30 maritime control system cyber incidents (out of more than 1,300 control system cyber incidents).” Weiss explains:
Commercial ships tend to have flat computer networks. That is, these networks are generally unsegmented networks without firewalls or other cyber security measures in place. Default passwords are commonplace not just on firewalls, but also programmable logic controllers (PLCs) and satellite communication equipment as well. This is a potential safety issue as the PLCs that control the rudders can be remotely accessible. Additionally, there have been instances where navigation communication systems have been surreptitiously accessed in ways that would enable access to propulsion, steering controls, etc.
The warnings from cybersecurity experts like Weiss and the recently published credible evidence of Iran’s cybersecurity research into maritime vulnerabilities reinforce the need for shipowners and ship managers to implement strong cybersecurity procedures for their personnel and equipment. Fortunately, some maritime industry groups, such as BIMCO, have published updated Guidelines on Cyber Security Onboard Ships that include best practices in the field of cyber risk management.
For American maritime assets, the U.S. Coast Guard maintains the “Maritime Cyber Readiness Branch (MCRB),” which “supports the cybersecurity mission in the commercial maritime transportation community” and maintains “three teams of active duty Coast Guard cybersecurity professionals who are trained and certified in delivering the four core CPT services: Assess, Hunt, Clear and Harden.”
Ultimately, for any nation whose maritime operations might end up in the crosshairs of the Islamic Republic of Iran, it is now clear that an all-hazards approach to maritime security is a must.
Tommy Waller is Director of Infrastructure Security at the Center for Security Policy. Tommy comes to the Center with two decades of service as a U.S. Marine Infantry and Expeditionary Ground Reconnaissance Officer and deployments to Afghanistan, Iraq, Africa, and South America. His duties have ranged from commanding infantry and reconnaissance units in combat to assignments in staff planning, logistics, and professional instruction. His formal education includes numerous military schools and colleges, a degree in International Relations from Tulane University, and executive education from the Wharton School.