Foreign Policy Blogs

Could the Shipping Industry Be Susceptible to Cyber-Attacks?

As sectors of the domestic and world economy become more dependent on the internet and the cloud, their vulnerability to new forms of attack and disruption increases. Cybersecurity is not just a national defense issue, but must also become a cost of doing business.

It is clear that the shipping industry is susceptible to cyber-attacks. These attacks can be as harmful as the damage caused by storms. In many ways, they might be more harmful, because they can come out of nowhere.

Maersk and NotPetya

In June 2017, Maersk was subject to a cyber-attack centered in Ukraine. The malware, called NotPetya, is a variation on the ransomware called Petya, but NotPetya does not appear to be supported by a desire to get rich, just a willingness to cause mayhem.

Unlike Petya, which did act as ransomware, NotPetya scrambles the target computer’s file system — everything is lost. No possibility of paying in Bitcoin exists.

The NotPetya attack knocked out Maersk’s network for several days, and Maersk expects the total loss from the attack to be in the neighborhood of $200-$300 million. While operations resumed quickly, the attack led to the complete shutdown of Maersk’s operations worldwide.

Vulnerabilities

The industry relies on computers to function, and GPS equipment is connected to worldwide networks. Engines are run using computers.

The number of vulnerability points, both on-shore, and at-sea, is large and growing. If the construction of self-driving ships becomes a widespread reality, more vulnerabilities will appear.

Email systems are vulnerable to hacking. Cyberkeel, for example, discovered hacking activity in a shipping firm’s systems. A virus planted in the system monitored emails originating in or destined for the finance department. The virus changed the text of the message to change the bank account number to that of the hackers.

It cost the company several million dollars before they noticed.

Cyberkeel was founded three years ago and established to provide cyber security. One of their programs was to provide penetration testing of shipping firms’ systems. At first, they met with little success, because firms were complacent with their systems. Perhaps the greatest vulnerability is complacency.

Many shipping systems are not encrypted. The lack of encryption makes the shipping line and its vessels vulnerable to cyber attacks. Regardless of encryption, many ships’ crews are not trained in cyber security. One survey indicated that in 2015, 43% of crew members were aware of their company’s cyber security policies, while only 12% had received training.

Piracy

One shipping firm was hacked by pirates — sophisticated pirates.

Instead of seizing a vessel and holding the crew hostage pending ransom payment, these pirates gained access to sensitive information regarding ships, cargos, containers and contents. They boarded the vessel, opened the specific containers containing the valuables and left with the loot.

Unlike what happens in many hijackings, the pirates released the crew and never asked for a ransom.

The company eventually became suspicious, determined the pirates had hacked the computerized manifest, and they took steps to prevent further unauthorized access.

Propellers and Charts

Another vulnerability is in the systems which control a ship’s operation. One container ship in an Asian port was shut down when a switchboard which managed the power supply to the propeller, and other mechanical components were shut down by ransomware.

Electronic Chart Displays are rarely protected by anti-virus software. Charts are, of course, crucial to navigation, especially in restricted and coastal waters. The chart display of one tanker in Asia was infected by crew carelessness.

A crew member brought a USB flash drive on board to print paperwork. The flash drive was infected with the malware, which only activated when another crew member tried to update the charts before departure, also using USB. The problem was detected while still in port, and it was fixed. Had the problem occurred at sea, however, the situation could have become dangerous.

Taking Control

Independent cyber security firms and analysts are confident that hackers could cause catastrophic results. It is possible to take control of the systems from afar and cause a collision. They have performed tests on the systems and succeeded in penetrating them.

An attack could also change the coordinates displayed by GPS, although in coastal waters the crew would likely spot the difference and adjust for it. But at least one ship’s open satellite system had the username “admin”, which needed to use the password “1234” to access the system, which means that someone at the shipping company was careless.

It is likely hackers did not cause the recent collisions between USS Fitzgerald and John S. McCain and merchant vessels. The U.S. Navy aggressively encrypts its systems, which should deter hackers from invading their confidential information. Current indications are that crew and command errors led to the collisions. There’s no indication the merchant vessels were hacked, either, but both collisions are under investigation.

South Korea reported that 280 vessels had to return to port in April 2016 due to problems with their navigation and other systems. South Korea believes North Korea was responsible for these hacks.

In addition, jamming devices fitted to lighthouses have been tested and can affect GPS receivers up to 16 nautical miles. Some GPS devices died, while others provided false information. Jamming devices on ships can cause even more chaos.

Solutions

The industry has begun to recognize the risks it faces. Awareness that a problem exists is always the first step toward solving the problem.

Shipping lines — and the industry as a whole — should follow a set of guidelines for cyber security, and those guidelines should be strong and effective.

You must train your crews and alter their behavior. Make crews aware of the cyber risks and what they can and can’t do with the computer systems on board. While printed copies of bills of lading and other information remains important, ensuring computers and printers can’t be compromised by an infected flash drive should be a top priority.

The industry also needs to create standards to allow insurance companies to cover damage from cyber-attacks. You must identify the risk so insurance underwriters can evaluate what you identify.

Cyber security is as necessary as physical security. Companies expend significant resources ensuring their buildings remain safe. Companies should realize their electronic systems are just as vulnerable to attack, and extend the same level of resources ensuring the safety of their ships and crews — and business.

Cory Levins serves as the Director of Business Development for Air Sea Containers.  Cory oversees the development and implementation of ASC’s internal and external marketing program, driving revenue and profits from the Miami FL headquarters.