Defending Our Shipbuilding Critical Infrastructure

The MOC

By Thea Dunlevie

The recent cyberattack against Marinette Marine Shipyard should serve as a wake-up call for the U.S. defense industrial base. The ransomware attack, which temporarily disabled operations and delayed production, highlights crippling cyber vulnerabilities within the manufacturing phase of a naval vessel’s life cycle.

The ransomware attack, reported on April 12, 2023, compromised data which feed instructions into the shipyard’s computer numerical control (CNC) manufacturing machines. These machines are responsible for facilitating automated manufacturing. As of last week, repair and construction capabilities were put back online while email and some other network functions remain inaccessible.

The Marinette Marine Shipyard would fall under the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency’s critical infrastructure classification “Defense Industrial Base Sector” because it builds the U.S. Navy’s Constellation-class guided-missile frigates, in addition to Freedom-class Littoral Combat Ships and a variety of vessels for the U.S. Coast Guard.

The cyberattack’s impacts continued throughout the recent Senate Armed Services Committee hearing where U.S. Navy leadership highlighted the importance of accelerating production in shipbuilding. Yet the U.S. Navy’s vision cannot be realized if shipyard infrastructure is vulnerable to cyberattacks and, as a consequence, manufacturing delays.

As of April 2023, the attacker remains unknown. The 2023 U.S. National Cybersecurity Strategy highlights threats from malicious actors, such as Russia, Iran, and North Korea, and criminal syndicates in conducting “damaging attacks against critical infrastructure” and ransomware attacks. There is good reason to be concerned about any unauthorized entity accessing shipbuilding instructions for the U.S. Navy’s future fleet, whether an affiliate of an adversarial government seeking intelligence about U.S. military equipment or a criminal group willing to leak sensitive data to the highest bidder.

Marinette Marine Shipyard is not a lone victim of ransomware attacks. Within America, the U.S. National Cybersecurity Strategy highlights, “Total economic losses from ransomware attacks continue to climb, reaching billions of U.S. dollars annually” and squeeze myriad industries. And the phenomenon is a “borderless challenge,” as the strategy phrases it. The same week that the Marinette Marine Shipyard incident occurred, a separate cyberattack halted the operations of German shipbuilder Lürssen, another naval vessel manufacturer.

Beyond the shipbuilding industry, all 16 categories of U.S. critical infrastructure remain vulnerable. Public and private sectors alike cannot forget the 2021 Colonial Pipeline ransomware attack which forced the company to shut down one of the nation’s largest pipeline systems responsible for 45% of the East Coast’s fuel supplies, including gasoline and jet fuel. Such a hack is intentionally designed to stun American critical infrastructure, and a host of critical infrastructure sectors ranging from chemicals to emergency services to dams remain susceptible to attacks. Not even the American heartland is safe from attacks.

The U.S. cannot afford to treat these as one-off attacks. Last year alone, the Cybersecurity and Infrastructure Security Agency reported ransomware attacks in nearly 90% of U.S. critical infrastructure sectors. We should expect not only a steady stream of cyberattacks against critical infrastructure but an uptick. 2022 data from cybersecurity research firm Sophos finds that ransomware attacks, specifically, are increasing in occurrence, complexity, and impact across industries.

The U.S. needs a whole-of-government response to cyberattacks against critical infrastructure plus increased coordination with the private sector to improve incident prevention, incident mitigation, and incident response. The U.S. Navy must continue to regularly assess the cybersecurity risks of partnering with the private sector and explore opportunities with these partners to improve their cybersecurity. As an example, perhaps it is time to consider updating CISA’s Defense Industrial Base Sector-Specific Plan – which has not been updated since 2010 even though the cybersecurity threat environment has certainly ballooned since then – to better partner with over 100,000 Defense Industrial Base companies towards improving their cybersecurity.

The Marinette Marine Shipyard has been undergoing upgrades worth $300 million, but this shipyard – and critical infrastructure sites more broadly – should consider how future budgets can be intentionally crafted towards bolstering cybersecurity, to address known threats on the horizon. As Secretary of the Navy Carlos Del Toro recently expressed interest in a second shipyard beginning to produce Constellation-class vessels, cybersecurity of U.S. critical infrastructure sectors must be a part of the conversation about building and securing the U.S. Navy’s future fleet.

Thea Dunlevie is a Senior Analyst at the Center for Maritime Strategy focusing on transatlantic affairs.