Tue | May 21, 2024 | 12:28 PM PDT

On March 26, 2024, we saw a catastrophic failure of a critical infrastructure asset. The Francis Scott Key Bridge in Baltimore collapsed when it was hit by the MV Dali, a Singapore-flagged Neo-Panamax container ship as it was passing through Baltimore Harbor.

The ship had lost power, and after briefly regaining power, a second loss of power left the ship's system's "blinded and lame," losing control and unable to navigate a course to maintain distance from the bridge's structural support. Not having regained power in time to avert an allision (not a collision as the bridge was stationary, only the ship was in motion), it ran into one of the pylons supporting the main span of the FSK Bridge, resulting in not only loss of a key transportation medium and financial loss but also a sad loss of lives of the workers on the bridge who could not get away and secure themselves from the impending crash.

At first glance, it appears to be a tragic accident stemming from a loss of power to the ship's systems. In our exceedingly big, supersize world that is increasingly digital, there would be no way to manually steer a huge ship the size of the Dali if it loses power.

So, we are more and more dependent on the security and resilience of the systems running critical infrastructure—maritime in this case.

A preliminary National Transportation Safety Board (NTSB) report noted issues with the ship's electrical system prior to the accident, which seemed to have resolved when the ship continued on its course. However, it is not clear if that is related to the impact further down the timeline of this incident.

Subsequently, there has been a call to investigate whether this could have been the outcome of a cybersecurity incident.

[RELATED: Congress Demands Cyber Forensics on Ship After Deadly Bridge Strike]

So let's review some background.

In light of an evolving array of cybersecurity threats, there has been effort since 1997, per GAO (Government Accountability Office) reports, to enhance cybersecurity of the critical infrastructure in the United States of America.

This critical infrastructure consists of "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on national security, economic security, national public health or safety, or any combination of these matters."

Following the 2013 Executive Order 13636: Improving Critical Infrastructure Cybersecurity that was aimed at enhancing the security and resilience of the nation's critical infrastructure and the Cybersecurity Enhancement Act of 2014, NIST developed the Framework for Improving Critical Infrastructure Cybersecurity that proposes a risk-based approach to managing cybersecurity risk.

Sixteen critical infrastructure sectors were identified, one of them being Transportation system, described as "Enables movement of people and assets that are vital to our economy, mobility, and security with the use of aviation, ships, rail, pipelines, highways, trucks, buses, and mass transit." A Sector Specific Agency (SSA) was identified for each critical sector, with the Department of Homeland Security (Transportation Security Administration and U.S. Coast Guard) and the Department of Transportation responsible for the Transportation system.

DHS established the Critical Infrastructure Cyber Community (C3) Voluntary Program for voluntary adoption of the Framework developed by NIST by helping SSAs develop guidance for framework implementation in their respective sectors.

[RELATED: White House Sets New Strategy for Securing U.S. Critical Infrastructure]

We have a Maritime Transportation System that consists of about 95,000 miles of coastline, 361 ports, more than 25,000 miles of waterways, and intermodal landside connections that allow the various modes of transportation to move people and goods to, from, and on the water.  

While anything is possible when it comes to determined cyber attackers to cause malfunctions or take over systems, and several theories have been floated, there has not been such a finding in this case, to date.

However, was it a cyber incident?

Common Cyber Threat Sources could be:

  • Adversarial:
    • Hackers or hacktivists
    • Malicious insiders
    • Nation-states
    • Criminal groups
    • Terrorists
    • Unknown malicious outsiders
  • Non-adversarial / non-malicious:
    • Failure in information technology equipment – hardware failure
    • Failure in environmental controls – power supply failure leading to failure in HVAC
    • Failure in software – failure such as operating systems, application failure
    • Unintentional user error – switching off power by mistake, for example
    • Natural or man-made disaster – fire, flood, hurricane, earthquake etc.
    • Infrastructure failure or outage – telecommunication or electrical power

While it is always good to be vigilant and prepared to secure the confidentiality, integrity, and availability of data in systems for them to operate as they should, the unfortunate incident with the Dali seems to fall more within the Resilience pillar of the goal of the Executive Order.

Maintaining good cyber hygiene is a given on any day. However, until we find out that there was an adversarial threat, we need to focus on the resilience factor in the meantime:

  • Was there a critical part such as a circuit breaker that failed?
  • Were there enough redundancies built in for the power system?
  • How often are the systems tested?
  • How current and adequate is training of the operators?
  • Are there any alternative modes of operation that can be developed for responding to a scenario such as the Dali's loss of power?
  • Are there business continuity, technical disaster recovery, and emergency and crisis management plans to prepare for disruptions?
  • Are these plans regularly tested?
  • Are the plans tested with third parties involved in a critical process? For example, with the port, individuals called pilots who board the ships at the fairway buoy for the ships to be steered in and out of port in U.S. waters.
  • Was the quality of fuel the ship took on shortly before it entered Baltimore port waters tested for meeting standards if fuel quality was the reason for the blackout?
  • Could our physical structure such as bridges be fortified and strengthened to face very high impacts? Could fenders to ward off a glancing blow from a big ship have helped here?
  • Is there another architectural/engineering solution that would protect other sections of the bridge from collapsing if one section is impacted?

So many questions! What is the feasible course of action to protect our maritime system?

At this point, it looks like this was due to a power/generator failure.

There is hardly an exposure to external cyber adversaries, as for example, the GPS interacting with the charting system (IT) is separate from the steering system (OT). The airgap should protect it from a cyberattack. Considering the potential for malware introduced by an operator physically into a system, there has been no such finding to indicate insider threat/error.

However, a root cause analysis is still under way.

Ships undergo independent annual surveys. Port State Control (PSC) inspections based on regulations contained in the Conventions from the IMO (International Maritime Organization) and ILO (International Labor Organization) of the United Nations are conducted on foreign-registered ships and cataloged in a database. Alert for any failure found is advertised to the next port of arrival for remediation in some cases. In other cases, deficiencies are remediated prior to departure or the ship is detained.

The International Ship and Port Facility Security Code (ISPS Code) requires most ships and port facilities engaged in international trade to establish and maintain strict security procedures as specified in ship and port specific Ship Security Plans and Port Facility Security Plans. Ship inspections are done for seaworthiness, crew qualification, maintenance, etc. on a three- to five-year rotational basis, and dry dock at least every five years.

All of these controls should help identify and prevent major issues.

So, can we think of ideas to improve the physical security of our critical infrastructure?

In addition to reinforcing bridge pylons with fenders, it may be worthwhile ensuring that big ships over a certain size do not enter narrow waters with bridges or any other structures that may be vulnerable to impact.

It may be worth investigating building ports along the continental shelf and having big ships deliver at such ports instead of having to enter narrow waters in ports that do not allow much room for very large ships. Generally, only dredging is done to deepen the shallow water, but there is no recourse with the width of the channel. Remember the ship Ever Given getting stuck in the Suez Canal, wedged across the canal and obstructing traffic?

Tugboats should be tethered to the ship until it is safely beyond the port so that in case of power failure, they can take the ship safely past any obstacles or hazards. Perhaps this requires Regulatory rule making and enforcement.

Ultimately, all of these ideas need to undergo a cost-benefit analysis, and a feasible action would be one that balances the risk/reward equation.

Potentially, the DOT and DHS will take serious note of this incident and strengthen the cybersecurity and resilience of the Maritime sector with their oversight.

Hopefully, there are lessons learned from both the Dali and Ever Given incidents to strengthen our critical infrastructure and improve the security and resilience of the Maritime sector.