As the shipping industry continues to mature, it is turning to technology to handle the large amounts of information, data, and goods flowing through its supply chains. However, these tools have been implemented without proper concern for the vulnerabilities they open the industry up to.
Despite the potential of a looming trade war and the resurgence of protectionist policies, international trade remains an integral aspect of the world’s economic and food security. Within this global, integrated network, roughly 90% of international goods trade is transported by sea. Maritime shipping continues to be a cornerstone of the Canadian economy, directly contributing around $3 billion to our gross domestic product annually. It is worrying then that a report by Transport Canada, Understanding Cyber Risk: Best Practices for Canada’s Maritime Sector, found that awareness of cyber security threats, strategies and regulatory responsibilities was “inconsistent” and “uneven.”
Due to the way digital systems have grown within the industry, shipping vessels and ports have become particularly susceptible to cyber attacks. The complex web of companies, port authorities, and contractors, along with the division between business and operation processes, means that technology has been adopted without clear oversight or security plans in place. A culture of poor cyber security hygiene has developed; legacy systems and off-the-shelf technologies are used, software is not updated or patched, and extremely poor access controls are in place. These lax cyber security practices have made port and ship systems a low-hanging fruit for hackers. Compounding the issue is the fact that many cyber incidents go unreported, as the shipping industry is highly competitive and companies are worried about tarnishing their reputations. This lack of vulnerability sharing means other companies cannot proactively protect themselves. As similar software is used across the globe, it gives hackers the chance to reuse attack methods on different companies.
So far, the exploitation of cyber vulnerabilities in shipping has been mostly limited to criminal groups seeking economic gain. The shipping industry is an attractive target as it handles large amounts of financial transactions and sensitive, saleable data. For example, data on a ship’s inventory or loading-bills, once acquired by hackers, can be sold for sizeable sums on the dark web. Criminal groups or pirates can then use this information to specifically target a ship or container that will net them the best profit. Tracking systems can also be hacked to facilitate the shipment of illicit goods, as was the case in 2013 in Antwerp. Over the last decade there has been a steady increase in sophisticated attacks by criminals infecting port control systems with malware, jamming wireless networks, or initiating phishing and DDoS attacks for financial purposes or to cause commercial damage.
To fully understand just how dependent, and therefore vulnerable, maritime shipping has become on digital technology, we have to delve into the technical side of the issue. There are three types of technologies that pervade almost all processes in maritime shipping.
The first one is comprised of the corporate IT systems. These systems deal with information management both in ports and on vessels. Yard management systems which track container movements and inspections, worker authorization systems, financial systems for record keeping and invoicing, human resource systems that have personal employee information, video monitoring security equipment, and electronic logbooks are just some of the critical systems in this category.
Second are the communication networks that are utilized in shipping. These are the networks that transmit information within and between organizations. These networks include Wi-Fi, VoIP telephony, satellite telephones, and Navigational Telex (Navtex), a direct printing service that delivers navigational, meteorological, and urgent maritime safety information. A lot of this technology is always on in the background, sending and receiving data, meaning it is a backdoor always open for hacking.
Most integral is the Supervisory Control and Data Acquisition (SCADA) control architecture. This is a mix of hardware and software that controls the industrial processes occurring in ports and offshore. To do this, it digitally monitors, gathers, and processes real-time data from the controlled equipment. Ships are heavily reliant on their SCADA architecture, with key components including GPS and Long Range Identification and Tracking (LRIT), aid to navigation systems, fuel tank monitoring, engine room monitoring and alarm systems, and voyage data records. These days, crews learn to monitor ship health mostly from terminals broadcasting SCADA data, as opposed to physically checking what is happening.
This list is far from exhaustive and highlights only a handful of the critical and sensitive systems and applications that could be hacked. Without these systems the vessels are not much more than floating storage lockers. However, while the systems allow for more efficient management, larger scales, and fewer employees to pay for, they also represent points of ingress for exploitation. The networks are interconnected and one weak link can lead to the spread of malicious software to more valuable or critical areas. These risks are exacerbated as crews aboard ships or rigs do not often include IT professionals who can handle severe technological breaches.
It is this mix of dependency and lack of cyber awareness that is so dangerous. While the corporate IT systems and communication networks have often been hacked for espionage or financial gains, it is the SCADA architecture that could be conceivably taken over by larger threat actors to create mayhem. Pen Test Partners recently published results from penetration tests where they managed to take over ships’ satellite communications and terminals. They were able to gain control of the GPS and Global Navigation Satellite Systems (GNSS), as well as a ship’s Electronic Chart Systems for Navigations (ECDIS), which controls navigation and the autopilot. These systems are absolutely critical to the tracking and navigation of modern ships and are often blindly followed by the crew. Once taken over, the ship can be tricked into changing shipping lanes, colliding with other vessels, blocking channels, or made to crash into ports. It was noted that most of the hacks could have been prevented through system updates or better passwords. Most of the security flaws were easily fixable and are no longer an issue in other industry IT systems.
It has been established that the majority of cyber security vulnerabilities are due to lax practices and that this could be potentially catastrophic. So what can be done to standardize this important sector? Marine Transportation Security Regulations (MTSRs) have given the Minister of Transport the authority to create policies and rules to protect Canada’s maritime transportation. Current regulations require that malicious cyber incidents on Canadian commercial vessels be reported to Transport Canada, but more still needs to be done regarding everyday cyber security practices. Holistic cyber security assessments and implementation plans, with proper training at their core, need to become a mainstay in the industry. This is one area where Canada can learn from the United States. A year ago Congress passed the Intelligence Authorization Act for Fiscal Year 2017 which, while covering other intelligence and cyber security activities, also requires the Department of Homeland Security to report on cyber security threats to entities conducting operations in U.S. seaports. The fact that this is included in legislation focused on counterterrorism and combatting other existential threats shows how important the American intelligence community feels it is. The United States has also looked at passing bills that would provide regulating standards for Internet of Things (IoTs) purchased by federal agencies and to strengthen cyber security information sharing and coordination in ports. These are both strong strategies as they tackle potential vulnerabilities in networks while increasing the awareness of threats. Critically, there is also the International Maritime Organization (IMO), a United Nations specialized agency that is the gold standard for guidelines on the safety and security of shipping. It has released its own guidelines on maritime cyber risk management, some of which will require mandatory compliance by 2021. 
In a first for the industry, ship owners and managers will have to build cyber security into their International Safety Management (ISM) Code or risk having their ships detained. As malware attacks continue to steadily increase, this sort of strong-arming has become necessary. It is heartening that inter-governmental organizations have seen the importance of layered cyber security in the maritime industry, but surely the nations that economically rely on its networks must be starting to realize it too.
While Canada’s new National Cyber Security Strategy and National Strategy for Critical Infrastructure both passively mention the importance of strong cyber security in maritime shipping, little has been done to incentivize the industry. Larger shipping companies are starting to realize the need to revamp their cyber security protocols, but many smaller organizations still balk at the time and capital investment needed to do so. It is therefore up to governments to ensure that measures are put in place to secure these networks that they rely on. Otherwise the commercial maritime shipping community will continue to play a dangerous game of lagging behind other industries in cyber security while simultaneously becoming more automated.
Photo: Ship During Sunset, by Martin Damboldt via Pexels. Licensed under CC0
Disclaimer: Any views or opinions expressed in articles are solely those of the authors and do not necessarily represent the views of the NATO Association of Canada.