Shipping must confront onboard systems’ cyber vulnerabilities

Credit: Getty Images

A ship’s onboard systems can be hacked just as easily as IT systems on shore. This has been demonstrated by several incidents so far this year, including reports of suspected GPS spoofing in the Black Sea in June and ethical hackers revealing the ease with which onboard systems can be attacked by entering through satellite communication units.

A number of interests are now calling for shipping to take action to protect itself against savvy cyber criminals seeking to exploit these vulnerabilities.

To deal with this threat, the maritime industry needs to first understand the scale of the problem and should share information about experiences more readily.

Ken Munro, a researcher for UK-based ‘ethical hacking’ company Pen Test Partners, points to the utilities sector as a prime example for the maritime industry to follow. “It was an industry that did not share information on cyber attacks for fear of the damage it could have for reputation and shareholders, but it now privately shares information about attacks with other utility companies so it can be on guard and prepare for a known cyber threat,” he said.

Currently, it is not known how many vessels are being targeted by hackers, although more cases are coming to light, with 34% of respondents to the recent IHS Markit/BIMCO cyber-security survey stating that their organisation experienced a cyber attack this year.

In February, hackers reportedly took ‘full control’ of the navigation systems of a German-owned 8,250 teu container vessel en route from Cyprus to Djibouti for 10 hours. However, the news did not surface until an industry source, who did not wish to be identified, contacted IHS Markit’s sister title Safety at Sea (SAS) in November to report the attack. That source felt the incident should act as a “pre-warning” about the threats shipping will increasingly face in the future.

Emma Biggs, business director at security broker ASKET, who was contacted about the attack, told SAS that it was unclear how the hackers got into the ship’s systems but stressed there were vulnerabilities on all vessels. “People still talk about there being a difference between what happens on board and on shore, but there isn’t, particularly as now everything is connected and the telemetrics of ships are fed back to shore.”

Biggs pointed to activity by IOActive and ethical hacker Ken Munro that revealed hacking vulnerabilities in major maritime satellite communications, including Inmarsat, Telenor, and Cobham. On 13 October, a widely publicised blog post by Munro revealed that he was able to precisely pinpoint a named vessel, identify a staff member, and potentially attack the ship through coms boxes on board ships that were running outdated firmware and using default passwords.

There have also been suspected cases of mass-spoofing of AIS in the Black Sea in June, with more than 20 ships affected. According to a website posting by the US Department of Transportation’s Maritime Administration (MARAD) on 22 June, the unconfirmed attacks involved ‘GPS interference’. Reports from ships to the US Coast Guard Navigation Center detailed issues with GPS giving false locations, showing some as inland and some at airports.

“Control systems, electric, and power used to be isolated and hard to attack,” Munro told SAS, “but now ships are almost permanently connected to [the] internet with satcoms units, which means ships are now almost always open to a cyber attack.”

Once an entry point has been found, hackers can seek out industrial control systems to attack. Prof Helge Janicke, director of the Cyber Technology Institute at De Montfort University, Leicester, United Kingdom, recently demonstrated how easy it was to hack into a programmable logic controller (PLC), a ruggedised industrial computer used on ships to control anything from lifts and electrical infrastructure to automated docking.

Janicke revealed that all it took to hack a PLC was some widely available free software. “It is the easy part. In a few commands a crew could lose rudder control of a ship if the control system was compromised.”

He explained there were “so many ways” of entering a ship’s systems, ranging from insider attacks undertaken by crew members to remote access, which could see an attacker manoeuvre another vessel close to a target vessel and interfere with that ship’s controls at short range. He added that terrorism was also a risk. “An oil tanker travelling at full speed is a powerful weapon.”

For some types of attack, regaining control of a hacked PLC can be accomplished by plugging in a computer and restarting it, said Janicke. However, for other attacks, a redeployment of the control logic may be necessary. He warned that this would not prevent an attack from happening again. “If a hacker is attempting to gain control of a steering system and intending to cause a collision, it might be better to shut the system down and go adrift. But if the hacker wants the vessel to be adrift for ransom, then shutting down might make the attack easier for them.”

Munro believes hackers could manipulate the load planning for container ships. In recent investigations, he found it was possible to modify vessel stowage plans via messaging systems and instruct cranes to load heavier containers towards the top of stacks, causing significant trim and ballast issues, potentially causing ships to tip over and sink. There are also implications for mislabelling dangerous chemicals, defrosting reefers, and damaging odour-sensitive cargo. Similar techniques could be used for targeted load theft, using intercepted load plans to identify high-value cargo.

There are some simple steps an operator can take to assess cyber vulnerabilities, from looking at how the vessel is connected to the internet to checking that software is up to date and that passwords have all been changed from the default factory settings. For crew, it is about being vigilant, being careful of what they download on laptops and phones and what emails they open, and being sure to report suspected problems to management.

Karl Smith, head of cyber-security assurance services at BT Global Services, told SAS that crews must be prepared and have an incident response plan in place. This means knowing where all vital control equipment is located so they do not have to “dig out the specification of the ship to find which wall it sits behind” as they will need to “physically flush out malware”.

This sentiment was echoed by Norma Krayem, senior policy adviser and co-chair of the cyber-security and the privacy team at international law firm Holland & Knight. She said there should be back-up plans in case an attack takes out onboard systems, and that seafarers should be trained for such scenarios.

“Seafarers are the tip of the spear in dealing with cyber risk,” she added, stating that it was vital to create close partnerships with the shipowner and operator to understand what role each party had to play.

As shipowners become more aware of such risks, Biggs warned of cyber companies targeting the maritime sector and offering protection that may not be best suited to a fleet. ASKET has begun offering a brokerage service to shipowners, based on its model for private maritime security companies. It is currently building a ‘pool of organisations’, which will feature cyber companies that specialise in specific areas, such as cargo, telemetrics, and very-small-aperture terminals, in order to advise which protection is best suited to a fleet’s unique set-up.

“There is a fear factor involved with some companies trying to make money out of that fear,” said Biggs. “We need to control that and make sure they don’t jump all over shipping companies and rip them off. That is what we are going to try to do.”

“Failure is not an option in the maritime industry,” Krayem stressed. Shipping must act now to better understand and manage the risks of a cyber threat that is not going to disappear.
