The maritime shipping industry is the main conduit for global trade, with more than 80 percent by volume transported from region to region by ships, and 10.3 billion tons in total moving between seaports around the world in 2016. Despite this, incident after incident has demonstrated just how open the trillion-dollar industry is to cyber attack.

Security researchers have for years been warning the maritime industry that it is low-hanging fruit: incredibly high-value cargo is transported on ships that combine legacy systems with poor processes and awareness, while the seaports they dock in often suffer from the same problems.


In 2015, Kaspersky Lab went as far as to claim shipping was "easy meat" for hackers. The Russian cybersecurity vendor reported on a wave of significant hacks. These included a drilling rig that was hacked and tilted from its site in South Korea towards South America in 2010, and a criminal gang that in 2012 hacked into the systems of the Australian Customs and Border Protection Service so they could be one step ahead of authorities that placed containers under suspicion.

Maritime security company CyberKeel warned that ships were switching off their navigation systems when travelling through waters where armed pirates are known to operate – sometimes faking the data to make the ships appear to be elsewhere.

A daring scheme in the Belgian port town of Antwerp meanwhile saw criminals gain access to systems that controlled the movement of containers to smuggle cocaine, heroin and guns.

"It's a very sophisticated attack and they got away with it for a while before they got caught," says cybersecurity firm NCC Group's Andy Davis, who specialises in transport security. "These people look at the most effective approach that they can take to streamline whatever it is that they intend to do.

"They'll take advantage of the skillsets that are available to them. Although, yes, there have been demonstrations of things like spoofing GPS, spoofing automatic identification system (AIS) data, and taking ships off course – there are things like that you can do but they're technically much harder.

"If your goal is to steal cargo there are easier ways of approaching piracy than some of the more sophisticated headlines that have been demonstrated by security researchers."

In 2017, a cargo ship travelling from Cyprus to Djibouti lost control of its navigation system for 10 hours – preventing the captain from manoeuvring, in an attack intended to steer it into territory where it could be easily boarded by pirates and robbed.

That's according to maritime industry magazine Safety At Sea, which heard from a source that the "IT system of the vessel was completely hacked". 

More recently, Ken Munro at Pen Test Partners demonstrated just how vulnerable these ships are. In October 2017, Munro drew a comparison with industrial control systems – noting that although the network protocols and security systems were virtually nonexistent when they were created, this didn't matter so much as long as the endpoint and communications security was robust.

But ships, he writes, are "complex industrial controls, but floating".

"Traditionally isolated, now always-on, connected through VSAT, GSM/LTE and even Wi-Fi. Crew internet access, mashed up with electronic navigation systems, ECDIS, propulsion, load management and numerous other complex, custom systems. A recipe for disaster. Yet there still seems to be an attitude of 'it won't happen to me'."

The article is an illuminating read (and Munro also offers some practical guidance for basic security measures). The short version is that it's remarkably simple for a researcher to find open satellite communications channels – Munro used IoT search tool Shodan to locate access controls with one login openly advertising a 'show users' link. From there, he located the ship, its captain and the network configurations.

Over on Bloomberg there is a long read about the hijacking of a $100 million supertanker, the 'Brillante Virtuoso' – a strange and still unresolved string of events encompassing insurance and murder. In this case the IT element was the alleged email hacking of the lawyers on the case.

Most cargo ships will include a terminal on the bridge that allows the captain to communicate with the internet, while bigger vessels might have a few of them. These will be used to send and receive emails or to download vital data like navigation system chart updates, software firmware, or radar updates.

The way this data is usually transferred between systems is by USB.

"The number of reports we've seen around malware being transferred via USB sticks onto operational systems is quite large," says Davis. "The crew will use the same USB stick for sharing movies and images and documents with each other, and then when they need to, they'll also put the chart update on that – so there's a breakdown in procedures coupled with the lack of security awareness with crew members.

"They haven't had the appropriate training around the fact this kind of stuff could happen, and the dangers of sharing USB sticks to do work and non-work related tasks means that there's this inadvertent malware infection on these critical navigation systems, and other operational systems, on board the ships."

NCC Group is part of an organisation called CIRM, which is a body that represents the marine electronics industry, encompassing businesses that build and develop things like the electronic chart systems and all the devices found on a ship's bridge.

Davis says there's a "definite trend" where a ship will file a support request as it comes into port about its chart system having stopped working – these typically run Windows-based or Windows-embedded operating systems – and the malware responsible will have been traced back to an errant USB stick.

"Although there are a number of anecdotal incidents around targeted attacks against systems onboard ships, by far the greater concern at the moment is around this accidental malware infection as a result of bad practice," according to Davis.

There are incoming regulations with a 2020 deadline around fuel – the maritime sector is already responsible for dangerously high toxic sulphur emissions and an industry body warns that any delay to these new regulations could cause an extra 200,000 premature deaths.

This means that ship owners can either invest money in a scrubber device, similar to a catalytic converter on a car, or replace their engines to use more efficient fuel. Both options come at a high cost to the owner.

"The conversations I've had with ship owners, yes they are aware of cyber security and know they should start thinking more about it but they also have some other very pressing things they need to deal with and spend money on," says Davis. "The biggest issue they've got at the moment is regulations around fuel scrubbers."

 "With regards to cybersecurity, unless they see it happening, and see real-world attacks happening to other people in that industry, they don't consider it high enough impact to do something about."

So cybersecurity controls are taking a back seat. The situation can be compared to industrial systems infrastructure. For years, the security community warned of the potential for disastrous attacks as more of these systems were getting increasingly connected. Then the sophisticated nation-state Stuxnet attack wrecked Iran's nuclear centrifuges – and this demonstrated that computer code can have a devastating impact on complex physical systems.

"Another example that's not quite as sophisticated but show the level of impact that can happen was the cyber attack against a German blast furnace," Davis says, referring to an incident that emerged in 2014 where hackers gained access to a steel mill's login and then tampered with its control systems – leading to an explosion that caused "massive damage".

"These are the kinds of flags I raise to people when I say you need to start considering this stuff. If you look at big ships carrying perishable cargo there's an awful lot of industrial control systems on board that if attacked could not only result in safety impacts but also a massive loss of money.

"If you're transporting your perishable goods across the world, and then in the middle of the ocean your control system gets turned off so it doesn't maintain that temperature, all that cargo is lost. There's a financial and safety impact."

The consumer-facing side of the maritime industry – passenger and cruise ships – tends to be ahead on these issues, particularly as they handle a lot of personal and financial customer data. Davis describes cruise liners as hotels and casinos that happen to be on ships, which often depend on ecommerce systems that will be similar to those on land.

It is industrial control systems, embedded systems, control systems and navigation systems where there is catching up to do.

"The types of cyber security concerns we have seen across the maritime industry are still generally around the kind of concerns that the enterprise world was looking at 10 to 15 years ago," Davis says. "Things like awareness around what's good and bad practice with regards to using IT systems."

The inherently transient nature of the maritime industry, with its constantly moving ships and changing crews, adds further complexity to building in cyber awareness defence.

Davis thinks that one way forward could be simple online awareness training courses during downtime when crew members are actually on board the ship.

"Trying to get people to do classroom-based training is unrealistic in this industry so they need to be able to do the training when they've got the time to do it and wherever they are," he says. "It might be a smartphone app, for example, that provides them regular small chunks of useful information to increase their awareness."

In an industry that's synonymous with facing the brunt of armed attacks and lost cargo, there is increased discussion on the need to tighten up the security of traditional vessels. Classifications agency Bureau Veritas just recently introduced cyber notations that could go some way to helping.

But with nearly half of 6,000 active seafarers claiming to have been subject to cyber attack according to a recent survey by Futurenautics, there seems to be a long way yet to go.