Maritime Cyber Risk
Blog: William Crews, SeaFocus Advisory Board - Maritime Security
Published 7.1.2016

It is difficult today to find anyone who has not heard of the cyber-attacks that have taken place against companies such as Sony, Target, Home Depot or the U.S. government where recently the identities of millions of current and former employees has been exposed to hackers.  However, something missing from the headlines is how the maritime industry has been effected by cyber criminals.  This article examines how this threat is growing, where the vulnerabilities are, what kinds of attacks have taken place in the recent past and finally why the awareness of these threats must be elevated to the appropriate levels to work towards mitigating these risks.
 
The maritime industry is lagging, in comparison to other industries, to adopt the use of Information and Communications Technology (ICT).  Ports are continuing to migrate from “paper and faxes” to extensive use of ICT.  As part of the migration, the ports are now recognized as key infrastructures and a link in international trade and logistics.  Any disruption to operations  have a huge impact on the global “just in time” economy.  Ports are only a piece in the global logistics supply chain.  Vessels also play a most significant role.  ICT is becoming  prevalent on the open seas.  Besides communications and navigation, ICT has allowed vessel owners the ability to place sensors on key “systems” to look for cost effective ways to operate ships at sea.  By monitoring fuel usage, speed, and other factors through industrial control systems (ICS) on a ship, greater efficiency in operating can be easily realized.

 

Figure 1 ICT Offshore (Courtesy of Moxa, Inc.)

Offshore platforms in the oil & gas industry have been quick to adopter ICT. Global Positioning Systems play a big role in keeping floating platforms in place while exploration and production activities take place. Extensive sensor networks monitor highly complex piping and distribution networks on the subsea floor. Any disruptions to these various ICT systems can cripple the ability of these platforms to discover and produce the much needed oil & gas resources. Figure 1 below, demonstrates the inter-dependence on ICT in today’s current exploration and production of oil and gas reserves. In some cases, what makes these platforms, as well as vessels, vulnerable is the use of radio frequency devises to transmit data back and forth. By not using a closed system, such as fiber optic cable or point to point microwave, RF signals can be jammed, or overtaken by more powerful transmitters. 

The maritime industry is very reliant on the Global Navigation Satellite System (GNSS) especially when used with eCharts (real-time plotting of vessel position) and combined with Automatic Information System (AIS) transponders.    Attacks on GPS systems threaten a vessel with being in the dangerous position of not knowing their precise location on the highseas or maneuvering in a port.  Some attacks  have in fact,  been perpetrated on the GNSS systems around the world.  One of the higher profile incidents took place on the Korean peninsula where GPS system signals were jammed by state-sponsored actors in the North.   Over 1000 aircraft and 250 ships were affected by this act.  The heavy reliance on GNSS navigation has  maritime professionals so concerned that some of the institutions that teach maritime students the subject of navigation are returning to teaching celestial navigation as a back-up measure for mariners at sea.

 

The maritime industry is becoming more of a data driven environment than ever before. This is evident when examining the typical IT infrastructure on a modern cargo vessel as depicted in Figure 2.

 

Figure 2 Modern Typical Shipboard IT System Configuration (Courtesy Joint Hull Committee & Stephenson Harwood)

 

International shipping carriers, logistic companies, freight forwarders as well as product manufacturers and product users  always look for efficiencies that can be gained in the global supply chain.  If those efficiencies can be realized through the monitoring of vessel performance to better analysis of navigation routes the use of data becomes even more important.  However,  tying all of these different data collection and distribution systems together on a vessel can come at a cost.  The parts that are most vulnerable to attack are connected to the ship wide network. The crew network is one weak point where malicious software can easily be introduced unwittingly by plugging in an unprotected thumb drive into the email computer.  As previously discussed, other IT based systems such as eCharts, GPS navigation and AIS, are also vulnerable to cyber attackers.  The true number of successful attacks on  vessel based systems are difficult to quantify.  The companies that own the ships, very much like shore based corporations,  want to avoid the publicity that often accompanies a cyber incident.  The fear of reputation damage overcomes the desire to share any details of the attack.

Ports are also well onto the path of integrating ICT in all manners of activities within their realm.  Things such as autonomous gantry cranes, GPS tracking of containers, processing of shipping documents, tracking of port equipment assets, and work flow analytics are things that are boosting efficiencies at ports.  With this growing dependence on networked data ports must also be keenly aware of their cyber security posture.  The vulnerabilities and risks that exist across corporate enterprises also reach into ports.  The same things that can give a port a competitive advantage, such as proprietary data about shippers & carriers, commodity types and consignees, can be the crown jewels exposed to attack without the proper protections.  It is not difficult to imagine the calamity of gantry crane computers being fed with spoofed data causing them to drop containers and otherwise put port workers at great risk of injury or death.

Figure 3 – Typical port IT infrastructure (courtesy of PT. Primus Indonesia)

To gain a better sense of the issues being faced in the maritime industry with cyber security, some examples of incidents are described below:

  • Iranian shipping line, IRISL, attacked in 2011; attackers deleted data on cargo status and tracking programs; damaged the company’s network

  • Port of Antwerp, 2013; persistent cyber-attack since 2011; attackers allowed remote access to port networks which exposed data on containers so that they could be falsely released to the cyber criminals own truck drivers, this action allowed for the smuggling of guns and up to 1 ton of cocaine

  • Drilling rig attack in 2010; rig being transported from Korea to South America; critical control systems on the rig became infected with malware (malicious software) which forced a shutdown of 19 days just to fix the software issues

  • Danish Maritime Authorities, 2014; discovered they had been attacked in 2012. The attack was carried out through the transmission of a PDF (portable document format by Adobe) document with an embedded virus. The virus spread throughout the maritime authority’s networks and into other Danish government institutions.

With the discussion focusing on the how and where, let’s now discuss how to manage this risk before it manages you.  In a maritime industry magazine, Maritime Reporter & Engineering News March 2015, a recent article spoke of the global cost of cyber-crime reaching $400 billion.  This size of risk demands attention at the highest level of maritime industry companies and organizations.  Recognition of the risk is the most important first step.  Cybersecurity has been a technical matter largely delegated to an IT manager or sometimes a Chief Information Officer (CIO) if there is one.  The rest of the C-suite typically not materially involved.  This is a huge mistake.  The depth of financial resources needed to recover from a breach and then deal with the reputation risk brings cyber-attacks into the same category of risks corporations look at every day.  This unawareness in the leadership ranks, and  the belief that cyber threats are chiefly theoretical in nature is a dangerous mindset. .
 
Once the company or organization acknowledges the risk the next step is to raise the level of awareness across the employee population.  Cyber security awareness training is a necessary investment and an important step to mitigating the risk.  Everyone that touches the network through a personal computer, an industrial control system or another IT networked based system on a vessel, in a port or at the corporate offices needs to understand the threats and adopt behaviors that can reduce the risk.  Maritime businesses, vessels, ports and off-shore platforms must buy into business resilience so that the entity can rapidly remediate and reconstitute business operations in case of a breach.
 
Now is the time to take a proactive stance towards awareness and risk management, which is far less expensive an endeavor that having to rebuild the corporate network.
 

 

SOURCES
“The implications and threats of cyber security for ports" by Norbert Kouwenhoven, Martin Borett, Milind Wakankar www.porttechnology.org 12 edition 61: February 2014
 
“Threats to Global Navigation Satellite Systems” by Cpt. David B. Moskoff & William G. Kaag  Maritime Reporter & Engineering News May 2015
 
“Maritime Cyber Security” by Luke Ritter & John Baskam  Maritime Reporter & Engineering News March 2015
 
“Big Data: Big Value? Big Risk? Both?" By Jim Rhodes & Frandk Soccoli www.marinelink.com July 21, 2015
 
“Maritime Cyber Risks" by Cyber Keel whitepaper www.cyberkeel.com

​​​​​​​​