Navigating a Safe Course Through Maritime Cyberattacks

The open seas have long attracted those who yearned for adventure. The risk of pitting oneself against a vast and unforgiving sea has tested sailors’ mettle for millennia. It’s not surprising that the maritime industry is one that thrives on facing – and overcoming – risks. But, as technology increasingly dominates it, growing risks exist that the industry dare not ignore.

Its growing effort to increase efficiencies through digitization and automation has made it an inviting target for 21st century pirates whose weapons are not cutlasses, but computers. Vulnerabilities in maritime systems and security practices threaten to inflict huge losses on the industry as digitization increases.

This article looks at the current state of digitization in the maritime industry and emerging industry trends. In addition, it assesses current vulnerabilities, how they are being exploited and how maritime firms can combat them.

Increase in digitization

Ships are increasingly digitizing their operations. Digitization already has reduced the number of crewmen and the time is fast approaching when ships will be autonomous, requiring only a small, land-based operations center to handle unusual situations.

Unmanned utility vessels

The Hrönn, an unmanned utility vessel designed to service offshore oil rigs, deliver cargo to remote locations and launch and retrieve unmanned submersible crafts, is expected to be fully functional sometime in 2018.

The technology for such vessels is well ahead of maritime regulations. The main issues delaying widespread use of such vessels are more regulatory than technological. Many ports require a licensed captain to pilot any vessels within them, and regulators fear that unmanned vessels would be prone to breakdowns that could clog shipping lanes.

Unmanned cargo ships

At least one autonomous container ship may be on the seas by 2020, although with a route limited between three Norwegian ports. The YARA Birkeland hopes to be the first autonomous and electric container ship on the seas by that date.

It will be a 120 TEU (Twenty-foot Equivalent Units) open-top unmanned container carrier. Loading and unloading, too, will use automated electric cranes. Berthing and unberthing will not require human intervention, either. Three control centers will handle monitoring and exception processing of ship operations, as well as any emergency or safety issues.

The limited route is due to current international shipping regulations, which do not allow unmanned ships to cross oceans. The UN’s International Maritime Organization is expected to approve this soon, though, because it promises to provide cheaper shipping options, fewer accidents and fewer delays.

In anticipation of such a decision, Japanese shipping companies plan a fleet of 250 autonomous ships by 2025. Rolls Royce, meanwhile, pursues a target date of 2020 for its first remote-controlled, unmanned ships. Such ships would use AI to plot the fastest, most direct and most fuel-efficient routes, while also monitoring to avoid collisions and to diagnose and prevent equipment breakdowns before they happen.

Early versions of these ships are expected to carry a small crew to oversee operations. Eventually, though, they will be completely autonomous, with a land-based “captain” monitoring ships at sea and stepping in only where critical decisions are required.

The future of autonomous ships

McKinsey sees digitization of the shipping industry completely transforming it, with autonomous ships becoming the norm. This would increase the volume of container trade as much as fivefold.

They envision that, over the next 50 years, digitization will make the shipping process far more integrated, forced by the need to roll out technological advancements across entire value chains to achieve optimal results. Logistics will shift from being a fragmented system, with many players involved in moving shipments from one carrier to another. It will instead become an end-to-end system, with a fully integrated process using digitization to control logistics.

Increase in vulnerabilities

Such developments, however, are likely to increase current vulnerabilities exponentially if maritime organization do not deal with them. Michael Mullen – U.S. Navy Admiral and Chairman of the Joint Chiefs of Staff – warns, “We are vulnerable in the military and in our governments, but I think we’re most vulnerable to cyberattacks commercially. This challenge is going to significantly increase. It’s not going to go away.”

Vulnerabilities in critical shipboard systems

Three critical systems are especially vulnerable. They are the Global Navigation Satellite System (GNSS) – such as GPS, GLONASS, Galileo or BeiDou; Electronic Chart Display & Information System (ECDIS) and Automatic Identification System (AIS). The GNSS identifies the vessel’s exact location, the ECDIS provides digital charts of ocean routes and the AIS monitors surrounding traffic and continuously broadcasts its location and avoid collisions.

GNSS can be spoofed, to trick the crew into changing course. ECDIS, a mandatory system for all vessels engaged in international voyages, can be fed inaccurate data to, again, trick the crew into changing course, or it can be compromised to enable attackers to set it on a new course, sometimes while feeding false data to the crew to make them think they remain on their original one. Ongoing AIS transmissions can be intercepted and modified so that other ships or monitoring stations receive inaccurate information about the ship’s location, movements, identity or other details.

Someone with physical access to these systems can feed inaccurate data into them via a USB data port, or download malware or ransomware into them. With many vessels not having systems properly segmented, that can lead to infection of other systems, such as propulsion or power, as well.

The transmission of sensitive information for the use of mainland stakeholders also creates unintended problems and stands to create even greater vulnerabilities as vessels become more autonomous. Marine vessel tracking websites publish vessel location information on the internet. This makes it easily available not just to legitimate stakeholders, but also to those with malicious intent.

Transmission over radio frequencies enables nearby parties who have an RF receiver to listen to the messages. These messages contain no authentication or integrity checks. This vulnerability offers a wide variety of ways to compromise either ship-to-shore data or to send fake data to the ship. In addition, pirates have been known to use transmissions to help them determine the locations of the most profitable cargoes.

Satellite communications offer vulnerabilities, too. Considering how expensive satellite time is, and the growing demand for internet connectivity at sea, multiple solutions have emerged to compress data and reduce the amount of satellite time used by vessels. Unfortunately, some of these solutions – especially older, outdated ones that are no longer supported by the companies that developed them – contain vulnerabilities that can allow an unauthorized user to compromise ship systems.

Numerous incidents of compromise in these critical systems have occurred. Such incidents, however, have not instigated widespread security improvements. Most have been left unpatched.

Many vessels look chiefly to the expertise of their crews to counteract possible system compromises. Traditional, manual methods of checking physical charts are still used in addition to digital systems. Security audits of systems are performed and contingency plans are in place. But many of these positive safety practices rely on human presence. As vessels increasingly move toward autonomous operation, those current safeguards will decrease. Thus, further work must be done to close digital vulnerabilities.

Vulnerabilities in other shipboard systems

These critical systems are not the only onboard systems that are vulnerable, either. Others include:

• Cargo management systems – These digital systems often have components that allow onshore tracking via the internet. Such interfaces put cargo management and ship manifest data at risk of being compromised.
• Bridge systems – The increased use of digital navigation systems that interface with shoreside facilities create vulnerabilities. Even standalone digital navigation systems are at risk. They can be compromised through malware loaded – intentionally or unknowingly – through the USB ports used to update navigation data. Compromise of these systems can lead to outside manipulation of these systems, or complete failure of all navigation control.
• Propulsion and machinery management and power control systems – Digitization of these systems to allow remote monitoring and control can similarly facilitate the introduction of false data into the system, or outright seizure of it. When integrated with bridge systems, it can also be used as an avenue by which hackers could compromise those systems, as well.
• Communication systems – As mentioned earlier, satellite and internet communications are vulnerable and need to be secured to a greater degree than most provider-supplied security features offer.
• Access control systems – Digital systems that control surveillance, security alarms and electronic “person-on-board” systems can also be used for cyberattacks and should be segmented apart from critical systems.
• All other internet-connected interfaces – Basically, anything that provides internet service for crew or passengers should be considered an unsecured system and should be segmented apart from critical systems.

Vulnerabilities in shipboard security practices

Common security practices also provide reason for concern. Security within networks is often ignored, based on the false assumption that all that needs to be protected is the system perimeter. Once inside a network, though, intruders are usually free to map and exploit it without detection.

The maritime industry is particularly prone to penetration through known vulnerabilities, such as the SATCOM vulnerabilities mentioned previously. Because of the widespread nature of the industry’s computer assets, sailing in remote locations with crew that is trained more for other skills, patching known vulnerabilities is often ignored. As a result, 99% of incursions into maritime systems are through unpatched known vulnerabilities.

Another problem is the tendency to operate with default passwords, giving the entire crew unlimited access to all digital systems, rather than limiting users to no more access than their job requires. A compromised account that does not have admin privileges compromises only that account. A compromised account with admin privileges compromises the entire system.

As current technologies have developed, maritime companies have tended to network information technology (IT) and operations technology (OT) systems onboard ships and connect them to the internet for easier access by stakeholders. This, however, increases vulnerability and makes vessels a more inviting target for attackers.

The reality of maritime cyberattacks

Maritime companies often downplay their threat of cyberattacks. They rationalize that cybercriminals are more interested in the cash assets of banks or other financial targets instead of cargoes that are both difficult to convert into ready cash and situated in remote locations. That rationalization, though, ignores the huge concentration of value in shipping and the large sums of money exchanged between shipping lines and bunker suppliers or shipyards, not to mention the sums being paid the shipping companies for their services.

Adding to the attractiveness of the shipping industry to attackers are the facts that vessels are isolated from potential sources of help and that cybersecurity in the maritime industry is more immature than in the financial industry. The target thus drawn on the industry should move its major players to action. Not only are financial risks high, but maritime cyberattacks could put lives and the environment at risk, too.

Motivations for maritime cyberattacks

The shipping industry is highly competitive with significant value to each company’s private information. Criminals may want to steal or ransom sensitive information a vessel carries. They may want to take control of ship operations and demand ransom in return for releasing control back to the company. Criminals may want to falsify shipping information to enable them to covertly use vessels to ship their own, illegal goods into other countries. Or they may be gathering intelligence to help them commit some complex criminal scheme.

Add to that threats that have nothing to do with financial gain. They can come from disgruntled employees or activists motivated by the desire to damage the reputation of the organization or industry, or disrupt operations. Depending on the flag under which a ship sails, it may also be the target of hostile nations or terrorist groups seeking political gain, or disruption of economic trade. The shipping industry has no lack of people motivated to attack it.

Examples of maritime cyberattacks

In August 2011, Iranian Shipping Line (IRISL) experienced a devastating cyberattack on their data that left them unable to determine which containers were onboard vessels and which weren’t, or where they were supposed to go. In addition, their internal communication network was inoperative, resulting in weeks of chaos and severe financial loss.

Another massive cyberattack was the NotPetya ransomware that paralyzed A.P. Moeller-Maersk, the largest shipping firm in the world, for weeks in mid-2017. The company estimates their loss at more than $200 million.

Organized crime organizations have moved into cyberattacks against shipping companies, too. They hacked into cargo systems in Netherlands and Australia, to name just two such attacks, to keep track of containers in which they were smuggling illicit goods. Their access to shipping information enabled them to pick up the containers without interference from law enforcement.

Fraud offers another route to cybercriminals to obtain financial gain. The World Fuel Services (WFS) was victimized by cybercriminals who forged a fake fuel supply tender that claimed to be from the U.S. Defense Logistics Agency. WFS delivered 17 metric tons of marine gas oil to a tanker off the Ivory Coast of Africa. When WFS presented their invoice to the U.S. agency, they discovered that the agency had never placed the order. WFS was out the $18 million dollars they paid for the fuel. Losses by fraudulent schemes like this run into hundreds of millions of dollars across the shipping industry.

Another commonly used scheme involves cybercriminals inserting themselves into communications between two companies. Once they accomplish this, they can easily redirect funds exchanged between the companies into the criminals’ accounts.

Shipping companies also are vulnerable to attacks geared more toward industrial espionage than direct financial gain. Malware such as Zombie Zero installed on hardware scanners used in shipping infected the financial, customer and planning systems of at least nine shipping companies in 2014. Similarly, Icefog malware targeted Japanese and South Korean shipping companies in 2013 to gather sensitive data in a hit-and-run attack. Such malware makes it possible for attackers not only to see sensitive data, but also to modify it so they could make packages appear and disappear at the attacker’s will.

Maritime cyberattacks have been directed at offshore facilities, too. Cyberattacks on oil rigs moved or tilted them, requiring that they be shut down until control was restored. Such attacks have taken up to 19 days and cost millions of dollars to overcome.

Reducing vulnerabilities

The first step in improving maritime cybersecurity is to apply the same principles to shipboard systems as are recommended for other cyber-physical systems. This involves applying both defense in depth and defense in breadth to both IT and OT systems.

Defense-in-depth refers to segmenting the most critical systems, so they are protected by multiple, independent, redundant security layers. Unlike the practice often followed on vessels today, this segmentation ensures that no single layer of the security architecture is relied upon solely. The more critical a system is, the more levels of security protect it.

Thus, notoriously insecure functions such as crew internet connectivity would be protected, but reside in the least protected level. Navigation and other systems that are not essential to onboard safety, but nonetheless important to ship functioning would reside at a deeper level, making it necessary for attackers to penetrate two levels to compromise it. The systems that most affect safety, power, propulsion and automation, would be protected by a third level, making them the most difficult to breach.

Defense-in-breadth, on the other hand, incorporates multiple security defenses within each level. That means not only having strong firewalls, but also providing protection measures at each point of integration between systems. This protects against attackers using one system to circumvent protections in place on other systems.

Doing both provides a good start on closing vulnerabilities. The following are also recommended:

• Replace obsolete operating systems no longer supported by their developer. Unsupported systems do not receive patches when new vulnerabilities are discovered.
• Replace outdated antivirus software.
• Make sure antivirus software also protects from malware.
• Identify the amount of access each person who will use a system needs and assign them only that much, instead of assigning everyone admin privileges.
• Upgrade boundary protections for networks.
• Segment systems for defense-in-depth.
• Identify which systems, equipment and cargo possess potential attack vectors, and ensure that each one is adequately protected from incursions (defense-in-breadth).
• Avoid leaving shoreside remote access of critical systems always connected. Such functions should be active only when needed.
• Determine appropriate access control for third parties (contractors, service providers).

In addition to these, make sure that decision-making about security rests high enough in the organization to adequately balance risk and reward. Often, when security decisions are made at an IT department level or an individual ship level, initiatives that come from higher up in the organization get prioritized higher, and security shifts to the back burner. That is less likely to happen when security is addressed at a higher organizational level. Only then is security adequately addressed instead of becoming a task that competes for time and resources with other management goals.

Facing a digital future

Digitization will continue to grow in the maritime industry and, with it, the threat of cyberattacks and cyber-kinetic attacks. The industry’s historic willingness to accept the risks that the open seas offer and meet them head-on when they occur should not also be its approach to cybersecurity.

The stakes are high, with attackers employing increasingly ingenious strategies to achieve massive paydays from the vessels – and their companies – that leave unneeded vulnerabilities open to them. And not only are massive amounts of money at stake, but also people’s lives and well-being. As digitization of the maritime industry grows, attention to cybersecurity must grow with it.