One of the key components of global trade is also one of the most vulnerable to cybersecurity threats – and if such an attack was successful, it would cause huge disruption with knock-on effects for people around the world.
According to the United Nations Conference on Trade and Development (UNCTAD), over 80% of the volume of international trade in goods is carried by sea and that percentage is even higher for developing countries.
The whole industry is reliant on a series of complex, ‘just in time’ supply chains. if just one element is disrupted, it can have massive repercussions.
One example: the disruption to supply chains around the globe in 2021 when Ever Given, one of the largest container ships in existence, was grounded in the Suez Canal, blocking one of the world’s busiest shipping channels and forcing many other ships to take much longer journeys around the Cape of Good Hope, severely delaying shipments of electronics, machinery, furniture, household goods, and more.
Ports and shipping are becoming increasingly connected to the internet and that’s making them a tempting target for hackers, especially when much of the sector is simultaneously reliant on legacy technology that can be decades old.
And the prospect of disruptive cyberattacks against shipping and ports isn’t just theoretical – they’re already happening.
In 2017, shipping giant Maersk had to deal with a backlog at ports when it was hit as part of the global NotPetya cyberattack. The company had to reinstall thousands of servers and tens of thousands of PCs to get back up and running again.
In 2021, a major cyberattack disrupted container operations at the South African port of Cape Town, restricting the movement of cargo until systems were restored. Both incidents, alongside the grounding of the Ever Given, demonstrate how disruption to shipping can have big consequences for the global supply chain, businesses and individuals.
Despite this, the maritime industry remains underprepared for cyberattacks.
“It’s a really big area measured in the trillions of dollars – but it’s also a bit sort of old guard in the sense of nothing happens, nothing changes very quickly,” says Kevin Jones, professor of computer science at the University of Plymouth and lead on the institution’s Maritime Cyber Threats Research Group.
“And there’s a mindset in the sector of ‘Once I leave port…nobody can touch me, I don’t need to worry about anything until I come back’. Those things were sort of true 30 or 40 years ago but they’re not true anymore.”
That sort of approach means that the industry has struggled to keep pace with cybersecurity threats, with legacy IT systems and a lack of visibility into networks making it a prime target for hackers – and that could have far-reaching consequences.
SEE: A winning strategy for cybersecurity (ZDNET special report)
In a project alongside the Bank of England designed to test how insurance companies would react to such an incident, Plymouth’s Maritime Cyber Threats Research Group developed a scenario where attackers secretly gain control of ship controls and use this to crash them into ports and cranes, damaging ships and infrastructure, and losing cargo.
In this fictional scenario, the attackers also threaten to cause further accidents, unless the five biggest shipping companies pay a ransom of $50 million each. In order to prevent further attacks, much of the world’s shipping stops for days, crippling the global supply chain.
It’s an imagined event, but one based on worst-case scenarios of what attackers could achieve by targeting an industry that is struggling to keep up with cybersecurity – at a time when US Coast Guard Cyber Command has warned of a 68% rise of reported cyber incidents against the sector during the last year alone.
Part of the problem is the unusual nature of the operating environment: managing the technology on a vast container ship is a very different situation to sorting out the PCs in an office. When a vessel can be on the oceans for weeks or months at a time, it’s not as if a full IT refresh can be made at short notice – and a lack of connectivity can make it difficult to download security patches and software updates, even critical ones.
“The current state of the maritime industry from a cybersecurity point of view is pretty poor and that’s not solely down to owners and operators in the industry, it’s because of the complexity,” says Tom Scriven, principal consultant at cybersecurity company Mandiant, who previously spent eight years in the navy.
There are the issues of legacy systems, he notes, but also of new ships coming online that have increased connectivity that brings new problems, such as a lack of segmentation across internal networks, an increased threat surface from third parties and suppliers, and customers connecting in and out, he says.
All of these factors help to make maritime a prime target for hackers, with many different motives ranging from cyber espionage to general profiteering from cyber crime.
Scriven points to a hacking group Mandiant, tracked as APT40, which is a cyber espionage operation linked to the Chinese state that targets the engineering, transportation, and defence industries, especially where the sectors overlap with maritime technologies. The group has conducted operations since at least 2013 in what researchers say are a means of supporting China’s efforts to modernise its navy by examining systems and stealing sensitive blueprints.
Mandiant has also detailed attacks against the Israeli shipping sector by cyber attackers. They are suspected to be the work of hackers operating out of Iran with the intention of conducting espionage and collecting intelligence in support of Iranian interests. The attacks include masquerading as legitimate cloud services to steal usernames and passwords, alongside attempts to trick victims into downloading malware.
Then there’s cyber criminals who are out for financial gain. These hackers want to make as much money as they can with as little effort as possible – and targeting the maritime industry could provide them with a big payday due to the combination of old, insecure networks and the fact that port infrastructure is vital to so many industries.
“If you were to find an operator or supplier similar in size in the European ecosystem – perhaps operated in Rotterdam, Antwerp or Felixstowe, and then you had the same success as an attacker – the ramifications of eight days of serious degraded container movement, the impact on an already stressed supply chain, would be horrific,” says Scriven.
But it’s not just ports that could be disrupted by cyberattacks against the maritime industry. There’s also the possibility that by targeting the right systems, cyber criminals could provide ships out in the open seas with bad information, tamper with their GPS tracking or provide false warnings that could move ships off course – either to cause disruption, or to direct them towards trouble, or even pirates who want to divert targets away from shipping lanes into less well-protected areas.
It might sound far-fetched, but this sort of disruption represents a very real threat, particularly in times of conflict.
“This has to be taken very, very seriously, because the implications of a major incident can be huge, especially in times of conflict,” says Captain Rahul Khanna, global head of marine consulting at Allianz and a veteran of 14 years at sea. “We’ve already seen that GPS spoofing has been done, it’s happening and we just hope there isn’t collateral damage in a conflict between countries. The industry overall needs to realise we need to learn from this.”
There are initiatives underway to help to improve cybersecurity across the sailing and shipping sectors, such as the International Maritime Organization’s maritime cyber-risk security program. It aims to provide guidelines that allow ship manufacturers, shipping companies and ports to identify, analyse and assess cyber risks and mitigate them to an acceptable level to support safe and secure shipping.
But for the most part, these are guidelines – and with ships, the systems that power them and even Internet of Things-connected devices inside modern vessels all being produced in different countries with differing levels of regulation, it isn’t anywhere near being joined up. That situation needs to change before things can improve.
“The industry overall needs to realize we must learn from this and it’s only a matter of time before somebody does come under attack, so what needs to be done is ensure the regulation requirements are implemented, especially in the critical parts of the industry that can have a lot more impact,” says Khanna.
Like any other industry, the basics can go a long way to helping improve security, such as applying security patches, using strong passwords and rolling out multi-factor authentication. The nature of shipping means it’s more challenging to find the time to provide this support around information security when rushing cargo around the globe, but taking care of security is more beneficial in the long run than leaving it aside.
It’s this sort of thing which the University of Plymouth’s Maritime Cyber Threats Research Group is discussing with vessel manufacturers as well as captains of ships as, ultimately, they’re the people responsible for the security of the infrastructure once they’re out on the high seas.
“Basic cyber awareness done in a context-specific way makes a huge difference, along with establishing proper protocols,” says Jones. “Some of it is knowing when to do things like patching and when to replace a lot of it is knowing what your risk exposure is.”
“Should you patch when en route? The answer is probably ‘yes’, if it’s a critical patch, if you know what you’re doing. But, should you patch when you’re sort of 20 minutes from New York? Probably not actually because, at that point, the risk sort of outweighs the reward,” he explains.
Jones and others hope that attempts to direct attention to cybersecurity issues in the maritime sector encourage action, improving the resilience of an industry that’s of great importance, particularly for global supply chains – and it’s better for everyone if attacks can be prevented before they happen rather than needing to be dealt with after they’ve occurred.
“Ultimately, if we don’t get this right, we all suffer,” says Jones.
MORE ON CYBERSECURITY