Managing the Cyber risk to the global shipping industry Part I

The global shipping industry is the enabler of globalization itself. Without it, it would not have been possible for you to read this post (the smartphone or tablet you are reading this on was likely made in China and shipped to your location onboard a container ship), eat Sushi for lunch (frozen Salmon shipped from the North Sea) or enjoy any other imaginable cheap commodity. Since this industry is critical to the well-being of economies worldwide, many efforts have been made to increase the safe and efficient flow of goods from country to country onboard merchant ships. The paradox is that the increased use of computerized systems for everything from navigation to container inspection has on one hand enhanced the safety and security of vessels at sea and the rapid unloading and distribution of goods at ports, but, on the other hand, has made possible a new kind of threat – the cyber threat. Recent concerns raised by the IMO (international maritime organization) and US GAO regarding appalling cybersecurity preparedness throughout the industry only emphasize the growing severity of the situation.

Cyber threats for this industry can be divided to three types:

  • Threats to ships and safe navigation
  • Threats to ports
  • Threats to cargo handling systems and terminal operation systems (TOS)

Since this industry is so complex we will address each of these separately and then discuss how can cyber threats to the entire industry be assessed and managed.

Threats to ships and safe navigation

The increased use of computers onboard ships has brought with it a massive rise in the threat levels. For instance, researchers at the Trend Micro security firm reported they had identified major security breaches in the Automatic Identification System (AIS). The AIS is a global system that identifies and tracks vessels in real time. The system periodically transmits the position, speed and heading of a vessel, among other information. It was mandated by the International Maritime Organization (IMO) in all passenger and commercial vessels over 300 metric tons. During an experiment, the researchers managed to break into the system and alter data in real time.

This security breach allows hostile entities to alter the real-time data of vessels sailing the seas, with the potential to cause economic damage, in addition to the serious safety risks to vessels or sabotaging the activities of marine enforcement agencies (police, coastguard etc.). The security gap is particularly worrisome because it does not require expensive equipment or impressive hacking capabilities to utilize it. The threat is that terrorist organizations could exploit this vulnerability, which could lead to serious physical consequences and even the paralysis of maritime traffic in a particular area.

This publication reinforces previous reports on the vulnerability of vessel navigation systems. In July 2013, it was reported that a team of researchers from the University of Texas used GPS equipment that cost only US$3,000 to take control of the navigation system of a large ship in the Mediterranean.

https://www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-infrastructure-and-services/dependencies-of-maritime-transport-to-icts/cyber-security-aspects-in-the-maritime-sector-1

An additional vulnerability was detected by NCC GROUP pertaining to Electronic Chart Display systems (ECDIS) which can lead to sever disturbances in the ships’ navigation.

https://www.nccgroup.com/media/481230/2014-03-03_-_ncc_group_-_whitepaper_-_cyber_battle_ship_v1-0.pdf

The security company IOActive found that malicious actors could abuse all SATCOM devices by numerous vendors. The vulnerabilities included what would appear to be backdoors, hardcoded credentials, undocumented and/or insecure protocols, and weak encryption algorithms. In addition to design flaws, IOActive also uncovered a number of features in the devices that clearly pose security risks. The findings of IOActive’s research should serve as an initial wake-up call for both the vendors and users of the current generation of SATCOM technology.

It has also been reported that a hacker caused a floating oil-platform located off the coast of Africa to tilt to one side, thus forcing it to temporarily shut down, demonstrating the threat to all floating platform and not just moving ships.

Threats to Ports

While there have been only few reported incidents of attacks against ports (UK teen DDoSed the port of Houston on 2003, and Port of long beach reporting several large scale DDoS attacks in 2013), it is obvious that ports are a lucrative targets to terrorists and hacktivists. Both the U.S. GAO and Coastguard have recently called for improved awareness and security measures at US ports.

US DHS and other stakeholders have taken steps to address cybersecurity in the maritime port environment. GAO examined relevant laws and regulations; analyzed federal cybersecurity-related policies and plans; observed operations at three U.S. ports selected based on being a high-risk port and a leader in calls by vessel type, e.g. container; and interviewed federal and nonfederal officials.

The results showed that although FEMA and DHS (along with USCG) have started implementing measures to cater for improved cyber security, there’s still much work to be done.  However, until a comprehensive risk assessment that includes cyber-based threats, vulnerabilities, and consequences of an incident is completed and used to inform the development of guidance and plans, the maritime port sector remains at risk of not adequately considering cyber-based risks in its mitigation efforts.

The United States Coast Guard fielded similar questions from maritime security experts and officials Jan. 15 during a Maritime Cybersecurity Standards Public Meeting held at the U.S. Department of Transportation Headquarters in Washington, D.C.

Cybersecurity is a safety issue…Every ship built has software that manages its engines; and that software is updated while the vessel is underway from the beach, and the Master doesn’t even know that the software is being updated.” – Rear Admiral Paul Thomas, U.S. Coast Guard.

To be continued at part II