The global shipping industry is the enabler of globalization itself. Without it, it would not have been possible for you to read this post (the smartphone or tablet you are reading this on was likely made in China and shipped to your location onboard a container ship), eat Sushi for lunch (frozen Salmon shipped from the North Sea) or enjoy any other imaginable cheap commodity. Since this industry is critical to the well-being of economies worldwide, many efforts have been made to increase the safe and efficient flow of goods from country to country onboard merchant ships. The paradox is that the increased use of computerized systems for everything from navigation to container inspection has on one hand enhanced the safety and security of vessels at sea and the rapid unloading and distribution of goods at ports, but, on the other hand, has made possible a new kind of threat – the cyber threat. Recent concerns raised by the IMO (international maritime organization) and US GAO regarding appalling cybersecurity preparedness throughout the industry only emphasize the growing severity of the situation.
Cyber threats for this industry can be divided to three types:
- Threats to ships and safe navigation
- Threats to ports
- Threats to cargo handling systems and terminal operation systems (TOS)
Since this industry is so complex we will address each of these separately and then discuss how can cyber threats to the entire industry be assessed and managed.
Threats to ships and safe navigation
The increased use of computers onboard ships has brought with it a massive rise in the threat levels. For instance, researchers at the Trend Micro security firm reported they had identified major security breaches in the Automatic Identification System (AIS). The AIS is a global system that identifies and tracks vessels in real time. The system periodically transmits the position, speed and heading of a vessel, among other information. It was mandated by the International Maritime Organization (IMO) in all passenger and commercial vessels over 300 metric tons. During an experiment, the researchers managed to break into the system and alter data in real time.
This security breach allows hostile entities to alter the real-time data of vessels sailing the seas, with the potential to cause economic damage, in addition to the serious safety risks to vessels or sabotaging the activities of marine enforcement agencies (police, coastguard etc.). The security gap is particularly worrisome because it does not require expensive equipment or impressive hacking capabilities to utilize it. The threat is that terrorist organizations could exploit this vulnerability, which could lead to serious physical consequences and even the paralysis of maritime traffic in a particular area.
This publication reinforces previous reports on the vulnerability of vessel navigation systems. In July 2013, it was reported that a team of researchers from the University of Texas used GPS equipment that cost only US$3,000 to take control of the navigation system of a large ship in the Mediterranean.
An additional vulnerability was detected by NCC GROUP pertaining to Electronic Chart Display systems (ECDIS) which can lead to sever disturbances in the ships’ navigation.
The security company IOActive found that malicious actors could abuse all SATCOM devices by numerous vendors. The vulnerabilities included what would appear to be backdoors, hardcoded credentials, undocumented and/or insecure protocols, and weak encryption algorithms. In addition to design flaws, IOActive also uncovered a number of features in the devices that clearly pose security risks. The findings of IOActive’s research should serve as an initial wake-up call for both the vendors and users of the current generation of SATCOM technology.
It has also been reported that a hacker caused a floating oil-platform located off the coast of Africa to tilt to one side, thus forcing it to temporarily shut down, demonstrating the threat to all floating platform and not just moving ships.
Threats to Ports
While there have been only few reported incidents of attacks against ports (UK teen DDoSed the port of Houston on 2003, and Port of long beach reporting several large scale DDoS attacks in 2013), it is obvious that ports are a lucrative targets to terrorists and hacktivists. Both the U.S. GAO and Coastguard have recently called for improved awareness and security measures at US ports.
US DHS and other stakeholders have taken steps to address cybersecurity in the maritime port environment. GAO examined relevant laws and regulations; analyzed federal cybersecurity-related policies and plans; observed operations at three U.S. ports selected based on being a high-risk port and a leader in calls by vessel type, e.g. container; and interviewed federal and nonfederal officials.
The results showed that although FEMA and DHS (along with USCG) have started implementing measures to cater for improved cyber security, there’s still much work to be done. However, until a comprehensive risk assessment that includes cyber-based threats, vulnerabilities, and consequences of an incident is completed and used to inform the development of guidance and plans, the maritime port sector remains at risk of not adequately considering cyber-based risks in its mitigation efforts.
The United States Coast Guard fielded similar questions from maritime security experts and officials Jan. 15 during a Maritime Cybersecurity Standards Public Meeting held at the U.S. Department of Transportation Headquarters in Washington, D.C.
“Cybersecurity is a safety issue…Every ship built has software that manages its engines; and that software is updated while the vessel is underway from the beach, and the Master doesn’t even know that the software is being updated.” – Rear Admiral Paul Thomas, U.S. Coast Guard.
Threats to cargo handling systems and terminal operation systems (TOS)
On October 16, 2013, Europol announced it had exposed a network of drug traffickers who recruited hackers to breach IT systems in the port of Antwerp, Belgium. The purpose of the breach was to allow hackers to access secure data giving them the location and security details of containers (that contained smuggled drugs worth billions of dollars), allowing the traffickers to send in truck drivers to steal the cargo before the legitimate owner arrived. The operation (which took place over a two-year period) went undetected by the port authorities and shipping companies involved.
It was apparently uncovered with the recent arrests of members of the “Silk Road” website who sold drugs on the DarkNet in the U.S. The investigation was carried out by a team from Europol that in a related series of raids managed to confiscate containers holding cocaine and heroin worth hundreds of millions of dollars. The breach of the port and shipping companies’ computer systems began with a spear-phishing attack, i.e. sending innocent-looking emails with malicious contents to employees of transportation companies working in the port of Antwerp. When the ring members saw that this channel had become blocked by enhanced IT security, they physically broke into the companies’ offices and installed KVM (keyboard, video and mouse) switches to enable remote access to the computer systems.
The KVM switches were assembled and prepared in a professional manner and included miniature PCs concealed inside electrical power strips, external hard drives, as well as keyloggers disguised as USB keyboard port converters. Although some of this equipment was designed simply to steal login credentials, the hackers appear to have used wireless cards to study and possibly control the logistics systems in real time. The group then sent its drivers to the port and provided them with all the necessary certificates and release codes to retrieve the containers. In July 2014 the security company TrapX exposed The Zombie Zero campaign: a supply-chain attack targeted at robotics manufacturers as well as shipping and logistics firms, compromising systems for more than a year. Weaponised malware was pre-installed on handheld scanners and software at a Chinese supplier’s factory, then sent to seven shipping and logistics firms and one manufacturing company, in order to infiltrate their corporate ERP servers and steal financial data. The “highly sophisticated” malware was embedded in the Windows XP operating system installed on the scanner and also on the Chinese manufacturer’s support website. TrapX said the handheld scanner in question is used by “many shipping and logistic companies around the world” to check items being loaded on and off vehicles such as ships, trucks or planes.
It is not difficult to understand that the global shipping industry faces an extremely complex cybersecurity challenges. So how can we go about managing this risk? Here are some pointers: Relaying on Regulation? Not a sound policy: The IMO’s Maritime Safety Committee (MSC) 94th session, held on November 2014, discussed the adoption of a proposal to develop voluntary guidelines on cyber security practices to protect and enhance the resiliency of cyber systems supporting the operations of ports, vessels, marine facilities and other elements of the maritime transportation system
In addition, The U.S. Coast Guard held a meeting in Washington, DC in January 2015 to receive comments on the development of cybersecurity assessment methods for vessels and facilities regulated by the Coast Guard. This meeting provided an opportunity for the public to comment on development of security assessment methods that assist vessel and facility owners and operators identify and address cybersecurity vulnerabilities that could cause or contribute to a Transportation Security Incident. The Coast Guard will consider these (public and all other public comments, made until April 2015) in developing relevant guidance, which may include standards, guidelines, and best practices to protect maritime critical infrastructure. (https://mariners.coastguard.dodlive.mil/2015/01/23/1232015-guidance-on-maritime-cyber-security-standards-part-3-cyber-command-remarks/)
However, as we’ve witnessed with other industries with regards to Cybersecurity, waiting for the regulator to release standards, or indeed- adhering to these standards provides very like assurance against cyber threats. For instance, the huge retailer “Target” was PCI DDS (credit card information security standard) compliant when hit by POS malware which managed to steal millions of credit card details). Self-reliance by adopting a holistic approach So what can a shipping company do to protect itself and manage this immense risk to business operations? First, it needs to adopt a holistic approach. It needs to ensure it define its assets, identify relevant threats, conduct proper risk assessment and build its security program accordingly. It then needs to constantly monitor its security controls (not an easy task, given that the “assets” are mobile and deployed around the globe and have a centralized risk management and operations center.
Only by doing so one can provide the slightest chance of mitigating (or at least) managing this threat.
Summary and a word of criticism
The shipping industry has always known how to factor risks into the daily business operation. In fact, it is this very industry that initiated the birth of the modern insurance corporates (born to offset some of the inherent risks of shipping). The industry has proven resilient to natural disasters, regulatory changes, piracy and technology changes. It is odd that this industry seems to look the other way when faced with this new type of risk. Sure, cybersecurity may not be the first item on the agenda of ship owners and shipping companies, but as the risks mount this industry needs to take a brave approach and tackle this threat head on, and prevail, like it always had.
Our modern way of living pretty much depends on it…
The Risk of Cyber Attack to the Maritime Sector
Until about 2010, the majority of cyber-attacks were driven by an attempt to obtain personal or financially sensitive data. Today, the nature of the threat is changing, and companies across all business sectors have begun to experience highly sophisticated and complex attacks that attempt to inflict damage to property and operations by seeking to take control of industrial control systems.
These systems use data received from remote stations to control processes either automatically or via an operator’s commands, and are designed to be closed to the outside world. Highly skilled hackers have demonstrated the ability to penetrate the systems used by the maritime industry, with potentially disastrous consequences. Vessel navigation and propulsion systems, cargo handling and container tracking systems at ports and on board ships, and shipyard inventories and automated processes, are all controlled using software that is fundamental to smooth-running operations. If, for example, a cyber-attack disabled a vessel transiting the Panama Canal resulting in blockage of the channel, it would have significant economic impact around the globe.
Cyber-attacks can also have criminal motivations (as seen in Antwerp between 2011 and 2013) to highjack, divert, or steal cargo. Events over the last four years suggest that these types of systems are growing increasingly vulnerable to attack.