by Steven Rymell, Head of Technology at Airbus CyberSecurity
Of all the ways cyber threats might damage the physical world of people, companies and economies, it’s hard to imagine a more disruptive one than attacks on global shipping.
The industry got a reminder of the unpleasant possibilities earlier this summer when the US Coast Guard (USCG) published an alert about an incident in February 2019 when an unnamed vessel had contacted the Port of New York and New Jersey to report that it was in the throes of a major malware incident affecting its on board network (1). While a USCG cyber team was able to determine the vessel’s control systems remained functional, many other systems, including access to electronic charts, the management of cargo data, and communication with the shore, had been put at risk. It later emerged the crew knew the shipboard network was a security weakness.
“It is unknown whether this vessel is representative of the current state of cybersecurity aboard deep draft (large) vessels,” noted the USCG report.
The incident wasn’t exactly unexpected. In May, the USCG had issued a separate warning (2) that cybercriminals were targeting shipping by way of a phishing campaign designed to look like an alert from the US Port State Control (PSC) authority and intended to “disrupt shipboard computer systems.” There have been onshore incidents too such as the 2018 ransomware attack on COSCO (China Ocean Shipping Company), one of the world’s largest shipping companies, thankfully contained within its phone and email system.
In centuries past, the fear was attacks by pirates on undefended ships, far from port. In the last decade, it’s as if the pirates have returned wielding a new set of weapons which like their predecessors can strike anywhere, at any time, but with even more unpredictable results.
Vulnerable supply chains
Today’s shipping sector depends on an array of technology to run on board computers, navigation, and global positioning, all of which must integrate with systems coordinating shoreside supply chains. A lot of this is based on vulnerable commodity hardware, although more specialised equipment can also be undermined with enough know-how. There is a lot to aim at in an industry where things can go wrong very quickly in real time. Cybercriminals, of course, know all of this.
An often cited example of how easy it is to disrupt shipping supply chains is 2017’s WannaCry and NotPetya, the latter which caused big problems for shipping container company Maersk. A more typical example might be the epidemic of ransomware attacks in the last two years targeting public sector organisations in the US, including whole cities and state infrastructure.
This modus operandi has now reached the high seas. Whether attacking maritime supply chains or ships, the calculation is simple: the cost of paying the ransom is always considerably less – politically as well as economically – than rooting out the malware by hand or reinstating backups. Indeed, for shipping at sea, such conventional IT responses might not even be possible.
Getting lost – navigation attacks
A second alarming threat is satellite navigation spoofing. Depending on their origin, ships use one of a variety of these systems – the US GPS system but also China’s Beidou, Russia’s GLONASS, and Europe’s Galileo – to accurately locate their position in sea lanes. It’s hugely convenient but also critical part of operational safety. A ship that misunderstands where it is even by a few kilometres could quickly turn into a major hazard for other vessels or itself.
In 2019, the Centre for Advanced Defence (C4ADS) conducted research (3) into spoofing attacks using data gathered from the International Space Station (ISS), finding evidence of a worrying 9,883 suspected spoofing incidents across 10 global locations, all said to be near Russian military bases in the Crimea, Syria, and the Russian Federation.
Regardless of who is behind these attacks, it’s clear they have the potential to cause major disruption at the press of a button. It’s not overly pessimistic to believe that in time the technology used in these attacks could spread in a way that might gift cybercriminals another business model.
On board resilience
What can the maritime industry do to head off these threats? Firstly, by recognising that while ships are only one part of the maritime supply chain, they are currently the easiest element to target. Some of this is logistical – a shipping company might have anything from dozens to hundreds of vessels on the go at once, many a long way from home and help. If data communications are disrupted, on board expertise is likely to be limited.
But such vulnerability can also be self-inflicted. Ships have their own computer systems, too many of which were never designed or updated to be resilient to cyberattack, with most large ships operating with two networks. An “operational” network linked to the control and navigation and a “recreational” network which is for the crew and passengers. The difference being the recreational network will go direct to the internet, while the operational network is tunnelled back to the owner’s office network, before going out to the internet from there.
The best defence here is much the same as is for any computer infrastructure – segment networks, limit the use of external media such as USB sticks, restrict the privileges of on board staff, manage their credentials and patch all vulnerabilities. Despite the obviousness of some of this, it’s not even clear whether some vessels employ basic anti-malware security let alone train staff to respond to attacks on their own.
Regulators have now asked the maritime sector to implement mandatory cybersecurity defences set out in chapter IX of the International Convention for the Safety of Life at Sea, SOLAS, Regulations 1-6, which come into effect on 1 January 2021 (4). This imposes new technical controls, arguably the most important of which is simply that operators will be required to assess shipping cybersecurity as part of health and safety policy.
Safety is a sensible and long overdue framing for maritime cybersecurity even though simply overhauling rules won’t fix things on its own. The decisive influence might turn out to be the toll of attacks themselves, which are rising exponentially. What nobody doubts is that with cybercriminals finding ways into weakly-defended ship networks on a regular basis, there is plenty of hard work ahead.
(1) United States Coast Guard – U.S. Department of Homeland Security – July 8, 2019 – Marine Safety Alert – Inspections and Compliance Directorate – “Cyber Incident Exposes Potential Vulnerabilities Onboard Commercial Vessels” – Washington, D.C. – https://www.dco.uscg.mil/Portals/9/DCO%20Documents/5p/CG-5PC/INV/Alerts/0619.pdf
(2) United States Coast Guard – May 24, 2019 – Marine Safety Information Bulletin – “Cyber Adversaries Targeting Commercial Vessels” – Washington, D.C. – https://www.dco.uscg.mil/Portals/9/DCO%20Documents/5p/MSIB/2019/MSIB_004_19.pdf
(3) C4ADS innovation for peace – 2019 – “Above Us Only Stars – Exposing GPS Spoofing in Russia and Syria” – https://www.c4reports.org/aboveusonlystars
(4) SecureState Cyber – Jan Karlsson – April 15, 2019 – “The future of maritime cybersecurity” – https://securestatecyber.com/cyberbloggen-en/the-future-of-maritime-cybersecurity/