Large and modern ships are easy to hack

In 2018, in full agreement with system manufacturers and ship owners, an Israeli cyber engineering team hacked into live, in-operation systems used to control a ships’ navigation, radar, engines, pumps and machinery.

They were able to shift the vessel’s reported position, mislead the radar display, and finally disabled machinery, signals to fuel and ballast pumps being over-ridden and steering gear controls manipulated.

The penetration test on the ship’s Electronic Chart Display and Information System (ECDIS) was achieved simply by sending an email to the captain’s computer. This type of attack can easily penetrate the antivirus and firewalls typically used in the maritime sector. The captain’s computer is regularly connected to the internet through a satellite link, which is used for chart updates and for general logistic updates. The attack file was transferred to the ECDIS in the chart update. Once the officer had updated the ECDIS, it immediately installed itself on to the system.

Then, the ship’s radar was hit. The radar is supposed to be an impregnable, isolated system, but it is connected to the ECDIS via a local Ethernet Switch Interface. That is how it was hacked.

Finally, an attack was performed on the Machinery Control System (MCS), using an infected USB stick placed in an inlet/socket. The testers could take control of the ballast system and could have misled all the auxiliary systems such as air-conditioning, generators, and fuel systems.

What happened to the Ever Given in the Suez Canal in 2021?

There is little public information about what caused the Ever Given to run aground in the Suez Canal. Officially, the incident was due to wind, but the Suez Canal Authority stated that “there may have been technical or human errors”. All ships are obligated to use Egyptian pilots to help them navigate the Suez Canal. None of the vessels behind or ahead of the Ever Given had run into similar troubles.

By allowing or committing such an event, various countries could have reaped economic and political benefits by having this event occur. Many of those countries have the cyber capabilities for perpetrating this kind of cyberattack.

The Ever Given is one of the largest ships in the world. It is operated by container transportation and shipping company Evergreen Marine, headquartered in Taiwan. It was built in Japan and launched in 2018. On its last voyage culminating in attempting to cross the Suez Canal, the Ever Given was in Yantian, China for more than a day. Because of its modern vintage, it had multiple backup power sources and was equipped with state-of-the-art remotely accessible instrumentation, control systems, and communication systems.

There have been numerous cases of hacking Global Positioning Systems (GPS) affecting ships by Russia, China, Iran, and others. The ECDIS are supposed to be updated at each port call. Compromising the ECDIS could move a vessel’s apparent location by up to 300m, giving false readings to the ship’s crew and other traffic. Minor changes to navigation systems could cause collisions in busy shipping routes or cause ships to run aground.

Commercial ships tend to have unsegmented networks without firewalls or other cyber security measures in place between onboard systems. Default passwords are commonplace not just on firewalls, but also programmable logic controllers (PLCs) and satellite communication equipment. That could make the PLCs that control the rudders remotely accessible. We saw previously how navigation communication systems can be surreptitiously accessed in ways that enable access to propulsion or steering controls for example. There has also been industry experience with maliciously installed hardware backdoors in large equipment such as electric transformers.

The Ever Given was seen crossing the Suez Canal in a winding, not straight manner. The ship’s speed varied, speeding up and slowing down. Before the ship turned and became lodged, it lost all power even though there were back-up systems to maintain steerage. There are processes for these sorts of failures in the ship’s Safety Management System and the anchors should have been dropped, but they weren’t.. There are also safety instrumented switches on the bridge to actuate in such an emergency.

The two most logical explanations for the ship’s erratic behaviour were either bad fuel or a cyberattack. Bad fuel should have led to numerous alarms and not affected rudder control whereas a cyberattack could suppress any or all the alarms and potentially compromise rudder control.

Concluding that the Ever Given was the victim of a cyber-attack remains speculative, however. Because of their complexity and opacity, cyber threats provide the ultimate deniability in modern warfare. Cyberattacks that could have caused the Ever Given incident have already occurred. As such, the ability to stop navigation in a shipping channel using a civilian ship could be a new approach to compromising economic and military capabilities.

Covid-19 made things worse

There has been a massive increase in attempted hacks since February 2020 coinciding with a period when the maritime industry, like many others, turned to working from home due to the Covid-19 pandemic.

Social restrictions and border closures have forced onboard original equipment manufacturers (OEMs), technicians, and vendors to connect standalone systems to the internet to service them. OEM technicians are unable to fly out to ships and rigs to upgrade and service critical OT systems, resulting in operators circumventing established security protocols, leaving them open to attack.

As budgets were cut and in the absence of service engineers, ship and offshore rig staff connected their OT systems to shoreside networks for brief periods of time to carry out diagnostics and upload software updates and patches themselves. Therefore, IT and OT systems are no longer segregated. Legacy systems which have no security update patches are even more susceptible to cyber-attack. The increase in OEM personnel working remotely on home networks and personal PCs, which are not well protected, adds to the problem.

Containers, bananas, hacking and cocaine

Workers at the “Fruit terminal” in Antwerp began to wonder why entire containers, containing cargo like bananas, were disappearing from the port. Police in the Netherlands and Belgium seized two tons of cocaine and heroin, a machine gun, a suitcase stuffed with $1.7 million, and hard drive cases turned into hacking devices.

The plot, which began in 2011 and went unnoticed for two years, involved a mix of international drug gangs and digital henchmen: drug traffickers recruited hackers to penetrate computers that tracked and controlled the movement and location of shipping containers arriving at Antwerp’s port. The simple software and hardware hacks, using USB keyloggers and more sophisticated purpose-built devices, allowed traffickers to send in drivers and gunmen to steal particular containers before the legitimate owner arrived.

Computers at the Port of Antwerp were hacked with simple social engineering: a phishing attack through emails that tricked employees into installing malware. The container companies discovered the initial breach and installed a firewall to prevent further attacks. But the hackers managed to get onto the physical premises to install key-logging devices directly onto the computers, allowing them to gain access to keystrokes typed by staff as well as screen grabs from their monitors.

Simpler computer exploits of shipping systems were also discovered. An investigation by Australian authorities revealed that drug gangs were able to use public databases to track which shipping containers in port were under inspection by police, allowing them to abandon those shipments.

Shipping containers are integral to drug smuggling operations. Introduced in the 1950s as a way of standardizing how goods are transported, containerization rose in parallel with computers. Containerization is the way by which ninety percent of our stuff moves around the world. That scale—some 420 million containers are shipped annually—means that customs inspect only two percent of those shipments per year.

Containerization provides trafficking with the same cost- and time-saving transport mechanisms that have allowed the world’s multinational companies to deliver their products quickly and cheaply, penetrate new markets and expand their global customer base. The problem is one of the greatest security challenges of the 21st century.

The human factor

Looking back at the hacks and simulated hacks on vessels and ports, some specific characteristics of maritime cyber security can be highlighted:

• the abundance of Operational Technology (OT) to control ships, cranes and containers, which include many legacy systems with low levels of protection;
• an insufficient segregation between OT and IT and unsafe behaviour from OT maintenance staff;
• a low level of cyber security awareness among staff compared to other industries; on board ships, that level can be inexistant as there is no IT staff – that responsibility would fall on the Electrical Engineer when there is one;
• a significant level of corruptibility among port employees by drug cartels, making control systems vulnerable to physical access;
• a significant potential of instability on board ships in the current context of international tensions, considering that China, Russia, and Ukraine are among the five largest supply countries for seafarers.

In the maritime industry more than others, the human factor is the most critical aspect of cybersecurity. Because there are little or no first-line cyber-responders when a problem occurs, the best way to enhance vessels and ports cybersecurity is prevention, to reduce the likelihood of an attack happening, and to contain its impact when it happens.

Preventive cybersecurity can be deployed in the maritime industry like any other:

• Scan IT and OT devices and allocate a risk ranking to each of them; apply low-cost, high-impact fixes first; repeat scans regularly;
• Do regular background checks on on-board and on-shore staff, including OEM maintenance staff;
• Enhance the level of cyber security awareness through permanent education and phishing simulation;
• Include Global Threat Intelligence in vessels and ports operations;
• Apply modern IT security best practices;
• Transfer the residual risk to a cyber insurance by proving that the cyber risk is quantified and controlled.

Considering the cost of the damage caused by a cyber-incident, investing in cyber-prevention is minimal and provides a high return.

The maritime industry must remember Benjamin Franklin's wiseness

The maritime industry is highly exposed to cyber threats due to its strategic nature and relatively high vulnerability. The geopolitical instability deriving from the invasion of Ukraine by Russia and the tensions between China and Taiwan are adding strategic threats to the existing smuggling and ransom-motivated criminal attacks. 

On the technical side, the industry is highly dependent on Operational Technology, on board ships and on shore at ports. OT devices are relatively difficult to protect, but relatively easy to hack, especially by social engineering, as the overall cybersecurity awareness is low. 

Referring to the city of Philadelphia’s fire-prevention methods, Benjamin Franklin wrote in 1733 that “an ounce of prevention is worth a pound of cure”. Given the dramatic consequences of a cyber-attack on a port or a ship, combined with an increased likelihood of occurrence, the maritime industry must urgently step up to a preventive and strategic management of its cyber security.