Cybersecurity in shipping is a hot topic. But at the same time, there is also a lot of inaction on the part of industry insiders, in spite of repeated warnings.
In June, a team of ethical breakers at Pen Test Partners (PTP) held a mock attack on a vessel, and found three different ways to intercept and modify serial data – which controls steering, engine control and more – on a ship’s network. The team proved that dedicated hackers could compromise security to such a degree that they could change the direction the ship was travelling in.
Although this was a mock run, the dangers are more than theoretical.
It’s been just over a year since the NotPetya attack destroyed Danish container firm Maersk’s computer network, hitting their container shipping, tug boat and oil tanker operations and creating a hole of up to $300m in the company’s profits.
Shortly after the attack, Maersk chairman Jim Hagemann Snabe admitted to a panel at the World Economic Forum that Maersk “were only average when it comes to cybersecurity”.
“For the time being, we are speaking about simple attacks,” Snabe said. “The bad guys are very economically savvy. So fundamentally, if there is a real opportunity for them, they will use technology to hold attacks.”
In July, China Ocean Shipping Company (COSCO) was also affected. Although the company refrained from framing its issue as a cyberattack, instead simply calling it a “network problem”, the general agreement across the industry was that COSCO was indeed the victim of a cyberattack, which impacted its branches in the US, Canada, Panama, Argentina, Brazil, Peru, Chile and Uruguay.
“After the network security problem in the Americas has been detected, to protect the interests of our customers, we have taken proactive measures to isolate internal networks to carry out technical inspections on global scale,” the company said in a statement at the time.
Although the issues didn’t lead to an economic loss for COSCO, there is an overriding feeling that the industry remains wholly unprepared for a serious cybersecurity incident.
‘Highly exposed’ to cyberattacks
“Looking at some of the research that took place over the past 12 months or so, and the attacks done either by researchers or by real nefarious actors, we’re making exploits based on things that we would’ve seen perhaps as vulnerable ten years ago in the normal internet world, in banking, or even in the automotive sector,” says Adam Brown, manager of security solutions at cybersecurity firm Synopsys. “And those things have mostly been re-mediated, however that is not the case in shipping.”
A new paper from non-profit research institute Future Directions International (FDI) warned that, with around 50,000 ships at sea or in port at any one time, the maritime transport industry is highly exposed to cyberattacks. In light of the 17 million attacks that occur each week, FDI concluded: “the maritime industry appears still to be ill-equipped to deal with such future challenges as the cybersecurity of fully autonomous vessels.”
“There’s a bunch of issues related to cellular devices on ships and how they’re configured together on the network, and a lack of network segregation,” Brown says. “So when you have a vulnerable device on an open network on a ship, or a vulnerable device is put on the internet on a ship, then that vulnerable device is wide open to any attacker in the world.”
The threats range from ransomware attacks, in the case of Maersk, where attackers have a financial incentive, to security breaches that can even endanger a ship’s crew or passengers.
“If we just take a cruise ship for example, it will have on it at least one, if not two or four satellite communications terminals,” Brown explains. “There is a lot of radio frequency power going through that satellite dish. Now, it turns out that those dishes can be controlled by third party actors, so an attacker can control where the dish is pointing. On a ship, there are some no-go zones where the dishes are not allowed to point, for example at a deck where there might be passengers. And that’s done for safety reasons, because you don’t really want to start roasting your passengers with your radio-frequency energy that’s coming out of this dish.
“However if an attacker can control that and override the no-go zones, they could point it down at the passengers and expose them to excessive radio frequency energy, which wouldn’t result in a burn per se, but there’s been some medical research done that showed it can lead to microwave radiation. And if you point it at an electrical device, it can cause malfunction.”
Although Brown admits that this is “off-the-wall vulnerability”, he insists that such potential actions should not be taken lightly going forwards.
How is the industry responding?
Last year, the International Maritime Organization (IMO) recognised the real dangers posed by an industry that is less than cyber-savvy, and in response published a set of Guidelines for maritime cyber risk management. The document was aimed at all shipping organisations, regardless of their size or level of complexity.
“It’s a very good guideline of things that cybersecurity practitioners in shipping organisations should start to consider and put in place,” Brown says, “not just on ships, but also in the port terminal, also in any support systems and data centres.”
Nevertheless, Ken Munro, security entrepreneur at PTP, said that ship security is in its infancy, with the industry exposed to risks that were eliminated years ago in mainstream IT systems.
And, when it comes to IMO’s guide, shippers should by no means treat it as a checklist, Brown warns. “Checklist security simply does not work. Attacks are constantly evolving; the attacker is constantly looking for a way in. What is much better is to have a deliberate security initiative. So that might be starting with having a policy and some processes, so things like keeping the software up to date, training the staff on security issues, just so that it’s constantly something on the mind of the people.
“Shipping needs to do more,” he adds. “We can see it starting, and it will be interesting to start to see some cybersecurity measurements appearing to see how they will compare against other industries.”