Merchant vessels and ports are extraordinarily vulnerable to increasingly sophisticated cyberattacks against OT systems
Around 90% to 95% of all shipped goods at some stage travel by sea. This makes the global maritime industry the world’s single largest and most important supply chain. Successful cyberattacks against the maritime supply chain would have the potential to damage individual companies, national finances and even the global economy.
The maritime sector includes the ports and the vessels that use them. The vessels range from small freight carriers to oil supertankers, super cargo carriers transporting in excess of 20,000 20-foot containers, and superyachts carrying high-value individuals. While the port authorities are already under threat and attack by ransomware gangs, less attention has been paid to the threat of attacks against the vessels.
The merchant maritime sector functions with vessels that have been operational for anything from a few years to a few decades. The older vessels have had new technology added to improve efficiency through digitization and automation. Updating this technology can be very expensive and will depend on various criteria: opportunity, cost/risk assessments, economic strength of the company, and regulatory requirements. The result is that many ships in the merchant maritime sector are vulnerable to cyberattack.
Superyachts tend to be new and packed with the very latest gadgetry. They tend to be more secure, although successful compromise offers an attacker greater control over the vessel. For example, a successful attack could give remote control over both throttle and rudder.
John Sheehy, SVP of research and strategy at IOActive, points to three primary paths for an attacker to gain access to a vessel. “There’s WIFI; some vessels have High Frequency (HF) radio; and commercial satellite communications (SATCOM) such as Inmarsat,” he told SecurityWeek. To these we should add the USB-stick-carrying insider, and earlier compromises of the vessel’s own supply chain.
The satellite communications often combine Inmarsat and GPS, and he considers this to be the primary threat vector – adding, “We know that a Russian APT group has the capability to remotely exploit the same types of SATCOM terminals used in maritime environments on vessels.”
Tom Van De Wiele, principal technology and threat researcher at F-Secure, adds, “Attacks aimed at communication links can be targeted at either the vessel communication links themselves using satellite communication or the port infrastructure on shore used to communicate with the vessels at sea. This is linked to the back-end systems of the shipping IT infrastructure for container and ship monitoring systems.”
Practical and theoretical effects of maritime supply chain damage
There are no known serious examples of vessel compromise, but the potential effect can be seen in genuine maritime mishaps and in theoretical analyses. Genuine mishaps would include the Torrey Canyon in 1967, and the Ever Given in 2021.
The supertanker SS Torrey Canyon ran aground on rocks off the south-west coast of the UK, spilling an estimated 100+ million liters of crude oil. The ensuing environmental catastrophe led to aircraft from the Royal Navy and the Royal Air Force bombing the wreck to ignite the spillage.
The Ever Given, a 400-meter-long container ship that can carry more than 20,000 containers, ran aground in the Suez Canal in March 2021, and blocked it. The knock-on effect of this blockage was immense. Professor Kevin Jones, the executive dean of science and technology at Plymouth University (UK), comments: “Closing down one maritime supply route can cause a knock-on log jam that affects the world economy at the rate of billions of dollars every day,” he told SecurityWeek.
“There have been various estimates about the cost of the Suez closure, but some of them are as high as ten or eleven billion dollars a day, and those estimates were done before it was clear how long and how expensive it would be to clear the backlog that the blockage caused. Months later, there were still ships queuing up to get into Port of Los Angeles because the whole scheduling pattern had been broken.”
Jones is the lead for the Universities Maritime Cyber Threats Research Group. He runs a cyber risk laboratory at Plymouth – and was instrumental in developing the MaCRA (marine cyber risk assessment) technology. His team did a theoretical analysis of the potential effect of closing just four major UK ports, perhaps by causing a blockage like the Ever Given. It was a thought experiment, but no less valid for that.
“If you look at things like oil reserves, fresh food reserves, and other critical things within the UK, we have some reserves but need to receive new shipments daily. The UK has about 11 significant ports, but most container shipments come through just four ports. If those ports were effectively jammed in the ways we’ve shown we can do for other ports, it would mean that the supply of goods coming into the UK would drop dramatically – for the sake of discussion, very close to zero.”
Removing the blocking vessels would take weeks rather than days. “Assuming the attacker could pick the conditions, coordinate the attacks in the way they want to – which is difficult, but not impossible,” he continued, “you’ve basically cut off the supply of goods to the UK: we’re not getting fresh foodstuffs and we’re not getting oil. Very quickly we’ll arrive at the point where power stations no longer have the capacity to run. There are strategic reserves that could be released, but there are consequences and logistic difficulties to doing that. So, you start losing power, you start losing freezer capacity – and frozen stores, both in homes and in bulk storage, go rotten within a week. You cascade all these effects – including loss of fuel for transport – and it is not long before you have a catastrophic failure of systems. It’s not the most likely scenario, but it is a scenario that is well within the bounds of possibility.”
A similar exercise was done in the US by University of Illinois Urbana-Champaign. “They looked at closing just one port in Florida,” said Jones, “and they got to the point in their thought experiment where people on the east coast were shooting each other quite quickly. The general principle is that we are highly dependent on pretty much real-time resupply via shipping. Cut that out for a while, and you’ve got a real problem.”
Attacker motivations, means and threat scenarios
Motivations for attacking the maritime sector are fundamentally no different from those for any other industry sector. They include ethical/political (hacktivists), financial (cybercriminal gangs), and geopolitical (nation states). Hacktivism may appear the least likely, but there is no technical reason to prevent an attack against a vessel by a determined and well-resourced hacktivist group.
The nation-state threat is perhaps the most concerning, which currently includes but goes beyond the Russia/Ukraine war. “For a number of years, it’s been known that in the northwest region around Russia GPS satnav is unreliable,” comments Jones. “It’s unreliable because Russia has been broadcasting spoofed GPS signals. Ships’ captains have reportedly said, ‘I suddenly find myself in the middle of a playing field three miles inland, but when I look out the window, the ocean is still there.'”
In February 2022, the US Office of the Director of National Intelligence issued its annual threat assessment, saying, “Russia is investing in electronic warfare and directed energy weapons to counter western on-orbit assets. These systems work by disrupting or disabling adversary C4ISR [command, control, communications, computers, intelligence, surveillance, and reconnaissance] capabilities and by disrupting GPS, tactical and satellite communications, and radars.”
And on March 17, 2022, CISA issued an alert warning about “possible threats to US and international satellite communication (SATCOM) networks. Successful intrusions into SATCOM networks could create risk in SATCOM network providers’ customer environments.”
“There is evidence that nation states, and Russia in particular, have been experimenting with things like compromising GPS,” continued Jones. “If you go back to previous generations of warfare where things like the Atlantic convoys were a vital lifeline to keep the country going, the attack method was submarines. Today it might well be misdirection to run aground on a sandbank and be delayed until the next spring tide can float you off, or crashing into breakwaters and losing cargo in that way. You can imagine it as a cyber/physical extension of the kind of cyber softening attacks that have been seen in several recent geopolitical campaigns.”
Casey Bisson, head of product and developer relations at BluBracket, comments, “The maritime industry, like all industries, is becoming increasingly dependent on industrial IoT and connected devices. Common IoT risks like weak default credentials, undocumented backdoors, and vulnerabilities that allow unauthorized remote access and control are especially concerning on vessels. Vessels at sea and in port are both vulnerable to disruption and could potentially be used as weapons in larger state conflicts.”
IOActive’s Sheehy has similar concerns. “The War in Ukraine has caused part of the Black Sea and the Sea of Azov to become impassable, which necessarily limits exports and imports to both Russian and Ukrainian Black Sea ports. Of particular concern is Odessa, Ukraine, which is the largest commercial port on the Black Sea. The Russians could choose to use deniable cyber operations as a step up the escalation ladder to impose a cost on those countries who have imposed sanctions on them. Moreover, judicious operations could produce global effects as we saw with the blocking of the Suez Canal by the Ever Given, which was a result of pilot error.”
An extension to the spoofed GPS signals that might confuse a ship’s captain is interference with the ship’s Automatic Identification System (AIS). This could be an approach taken by cybercriminal gangs as part of a piracy scenario. These systems broadcast identification and location information so that both other ships and shore-based authorities know exactly which ship is where. A compromised AIS could transmit either wrong information (making the ship appear to be elsewhere) or no information (making it effectively an invisible ghost ship).
Jones described an example of a theoretical attack against a superyacht (although the basic principles could be harnessed against any vessel).
“Being able to get access to the systems on board the yacht,” he explained, “and to know what the plan is (that is, the charted route), and maybe even to monitor comms to know who’s on board; and then to use a hack on the charting system, you could misdirect the yacht so it thinks it is staying nicely clear in international waters, but you bring it within fast boat range of the Somali coast. At the same time, alter the AIS transponder system so that the vessel is reporting itself as being somewhere, let’s say north, of where it is supposed to be while it has gone way south. Fast gunboats can come out and take the crew hostage. The yacht may have broadcast an emergency alert, and an interdiction ship may have been dispatched – but it will go to where the AIS is reporting the location. So, there’s a mismatch between actual and reported location, which reduces the risk for kidnappers.”
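The defensive counterpart to the mismatch between actual and reported location that Jones describes is a plausibility check on the bridge: read back what the vessel’s own AIS transponder is broadcasting and compare it both with the physical limits of the hull and with an independent dead-reckoned track from the gyro heading and speed log. The following is an added illustration, not code from the article, from Plymouth’s MaCRA project, or from any organisation quoted here. It assumes a bridge system can obtain the transponder’s outgoing position reports and a trusted starting fix; hull speed limit, heading, speed and all position reports are constructed sample values.

```python
"""Plausibility checks on a vessel's own AIS position reports.

Added example (not from the article or from any quoted organisation). Assumes a
bridge system can read the positions its own AIS transponder broadcasts and has
an independent dead-reckoning fix from heading and speed log. All sample data
below is constructed; the 40 kn ceiling is an assumed fleet limit.
"""
from __future__ import annotations

import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0
KNOT_MS = 0.514444          # metres per second in one knot
MAX_SPEED_KN = 40.0         # assumption: nothing in this fleet is faster
NAUTICAL_MILE_M = 1852.0


@dataclass
class Fix:
    t: float      # seconds since the start of the watch
    lat: float    # degrees, north positive
    lon: float    # degrees, east positive


def haversine_m(a: Fix, b: Fix) -> float:
    """Great-circle distance in metres between two fixes."""
    phi1, phi2 = math.radians(a.lat), math.radians(b.lat)
    dphi = phi2 - phi1
    dlmb = math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def dead_reckon(start: Fix, heading_deg: float, speed_kn: float, dt_s: float) -> Fix:
    """Flat-earth dead reckoning from a start fix; adequate over a few miles."""
    dist = speed_kn * KNOT_MS * dt_s
    th = math.radians(heading_deg)
    dlat = (dist * math.cos(th)) / EARTH_RADIUS_M
    dlon = (dist * math.sin(th)) / (EARTH_RADIUS_M * math.cos(math.radians(start.lat)))
    return Fix(start.t + dt_s, start.lat + math.degrees(dlat), start.lon + math.degrees(dlon))


def implied_speed_alerts(reports: list[Fix], max_speed_kn: float = MAX_SPEED_KN) -> list[str]:
    """Flag consecutive broadcast positions whose implied speed is physically impossible."""
    alerts = []
    for prev, cur in zip(reports, reports[1:]):
        dt = cur.t - prev.t
        if dt <= 0:
            alerts.append(f"t={cur.t:.0f}: non-increasing timestamp")
            continue
        kn = haversine_m(prev, cur) / dt / KNOT_MS
        if kn > max_speed_kn:
            alerts.append(f"t={cur.t:.0f}: implied speed {kn:.0f} kn exceeds {max_speed_kn:.0f} kn")
    return alerts


def divergence_alerts(reports: list[Fix], heading_deg: float, speed_kn: float,
                      tolerance_m: float = NAUTICAL_MILE_M) -> list[str]:
    """Compare each broadcast position with the dead-reckoned track.

    reports[0] is taken as the last independently verified fix; heading and
    speed come from the gyro and log, not from the AIS transponder itself.
    """
    alerts = []
    origin = reports[0]
    for cur in reports[1:]:
        expected = dead_reckon(origin, heading_deg, speed_kn, cur.t - origin.t)
        err = haversine_m(expected, cur)
        if err > tolerance_m:
            alerts.append(f"t={cur.t:.0f}: broadcast position {err / NAUTICAL_MILE_M:.1f} nm "
                          f"off the dead-reckoned track")
    return alerts


# --- constructed sample data: heading 090 at 15 kn, one report every 10 minutes ---
HEADING, SPEED = 90.0, 15.0
ORIGIN = Fix(0.0, 10.0, 60.0)


def honest_track() -> list[Fix]:
    return [ORIGIN] + [dead_reckon(ORIGIN, HEADING, SPEED, k * 600.0) for k in (1, 2, 3)]


def jumped_track() -> list[Fix]:
    """Crude tampering: the last report is suddenly half a degree north."""
    track = honest_track()
    last = track[-1]
    track[-1] = Fix(last.t, last.lat + 0.5, last.lon)
    return track


def drifted_track() -> list[Fix]:
    """Subtle tampering: each report walks 0.01 degrees further north than reality."""
    return [Fix(f.t, f.lat + 0.01 * k, f.lon) for k, f in enumerate(honest_track())]


if __name__ == "__main__":
    for name, track in (("honest", honest_track()), ("jumped", jumped_track()), ("drifted", drifted_track())):
        print(name, implied_speed_alerts(track), divergence_alerts(track, HEADING, SPEED))
```

The drifted track is the instructive case: a slow walk of the reported position keeps the implied speed well inside any hull limit, so a speed-only sanity check stays silent, while the comparison against an independent dead-reckoned track catches it once the accumulated offset exceeds a mile. The check is only as trustworthy as the origin fix and the heading/speed feed, which is why those must come from sensors the transponder cannot alter.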
The maritime sector is already in the crosshairs of the ransomware gangs. “We have certainly seen ransomware affect maritime shipping,” John Bambenek, principal threat hunter at Netenrich, told SecurityWeek. “The entire ecosystem is supported by IT systems. When they are compromised, ships may have to wait in port for it to be sorted out, or goods cannot be shipped outbound to their customers. The net effects will look much like supply chain disruptions we have seen over the last year.”
Jasmine Henry, field security director at JupiterOne, agrees that the port itself is a vulnerable part of the maritime ecosphere. “The reason is simple,” she said. “The majority have limited visibility into ICS systems to even understand which devices exist, let alone apply proper updates or configurations. Merchant vessels and ports are extraordinarily vulnerable to increasingly sophisticated ransomware attacks against unmanaged OT systems, as well as DDoS attacks, command injection, sideloaded malware, and exploited misconfigurations.”
So far, we have seen little evidence of criminal attacks against vessels. “We’ve seen examples of shipping companies being attacked by ransomware,” adds Jones. “They’re not yet the catastrophic attacks with cyber/physical threats that we’ll run your ship aground, play with the ballast and capsize it, or dump its cargo of oil…” But that is surely the logical extension of what is already happening, and what could be done in the future.
The cyber reality
“One of the weird things about my job,” said Professor Jones, “is that I get to look at all the truly horrible things you can do by taking control of a ship. But I try not to be too melodramatic, because there are too many over-hyped horror stories in cybersecurity. While I don’t want small freight companies to go out of business because they cannot afford hundreds of thousands of pounds to update their ships, there is certainly the possibility of both criminal extortion and nation state geopolitical activity using vessels. With some vessels, it would be very hard to mitigate against an attack – sometimes, the crew will have less than a minute to respond – so an attacker with sufficient skill and determination has a high probability of success.”
What is missing from the maritime sector is the ability to do genuine and regular risk assessments. The risk is different for each vessel, and varies depending on the route, cargo, and external threat conditions. To try to solve this problem, Jones and Plymouth University developed the MaCRA maritime cyber risk assessment software. It can provide a continuous risk assessment for individual vessels depending on the state of their onboard technology, their location and the route they are taking, and the cargo they are carrying.
The bottom line today, however, is that the global economy’s single biggest supply chain is vulnerable to cyberattack.