How the shipping industry could be the next target for a cyber attack
L-3 TRL Technology looks at how the increasing reliance on integrated IT and OT puts the maritime industry at risk of a cyber attack, and suggests how these threats and vulnerabilities can be mitigated.
Responsible for the safe passage of many tons of heavy shipping around the world each and every day, the global shipping industry is one of the most networked components of our interconnected world.
The industry relies on a highly sophisticated supply chain to enable it to operate effectively, including finance, inventories, land-based containers, integrated port management and many other components.
Increasingly, it has relied upon networked information technology (IT) and operational technology (OT). While this interconnection is essential to the smooth running and efficiency of the industry’s automated processes, it makes it a highly vulnerable target for a cyber attack.
Shipping under the spotlight
Until now, many have assumed that the maritime industry was comparatively low risk when it comes to the global threat scenario, but increasing security improvements in the financial sector have brought shipping into focus.
Compared with other transport sectors, the industry has been slow to migrate towards an integrated IT and OT system, but wholesale adoptions of e-navigation electronic chart display and information systems (ECDIS), integrated automatic identification systems (AIS), and network applications to support business have changed that… And recent evidence shows that the threat is increasing.
Let’s look at some of the threats and vulnerabilities the international shipping industry is currently open to, and ways in which these can be mitigated.
There are six cyber threat actors that could target the international shipping industry:
- State actors
- Terrorists
- Criminal groups
- Hacktivists
- Insider threat
- Outsider threat
We’ll look at each of these in turn. State actors primarily operate within one country or geographical area, though there is a class of state-sponsored actor whose activities have far greater potential for large-scale disruption.
The terrorist threat – particularly port side – is very real, though the scenario of terrorists disabling a ship then using it as a weapon of destruction in a major waterway is a Hollywood story. It’s also worth mentioning that terrorist groups tend not to have well-developed cyber capabilities. In the past year, maritime authorities on both sides of the Atlantic have improved cyber security measures within the port environment.
Inevitably after money, criminal groups focus on port operations and shipping company networks, while the hacktivist – who is primarily motivated by social or political ideology – poses a threat across the entire industry.
Insider threat is the risk of a disgruntled employee causing damage from inside an organisation, and finally, the transient nature of the shipping industry puts it at risk of outsider threat – a crew member or passenger boarding a vessel with the intent of initiating an attack.
The Shipping News
The shipping industry has been the focus of a number of criminally motivated events over the past few years. Between 2011 and 2013 drug criminals used hackers to infiltrate the port of Antwerp and the shipping company networks as part of a multi-million-pound smuggling operation. The hackers targeted the operational network, enabling the criminals to manipulate sensitive operational data and move containers so that drug smuggling could take place.
In March 2016, global communications provider, Verizon, identified a more directed form of cyber activity in its Data Breach Investigations Report (DBIR). Armed pirates had been strategically attacking ships off the coast of a major landmass. They would storm a ship, locate specific containers by barcode, and steal the high value contents. Verizon concluded that the criminals had accessed the company’s content management system server to identify which cargo to target on which vessel.
A taste of things to come…
In both of the examples above, the cyber attack was initiated by gaining access to land-based networks and the sensitive data they contain. The increasing use of IT based technologies on board ships means it can only be a matter of time before a vessel is either subject to an attack, or used as an entry point into the shipping company or its supply chain network.
The significant increase in maritime threat levels isn’t helped by the fact that the data used in automatic identification systems (AIS) – a global ‘always on’ system, widely used by the shipping industry to transmit the position, speed and heading of a vessel – can be remotely manipulated.
Trend Micro has already identified major security breaches in AIS, while vulnerabilities within ECDIS (electronic chart displays and information systems) – which are often integrated with AIS – put engine management systems at risk.
It is the points at which these systems are integrated – where information is passed from IT to OT – that leave them vulnerable to attack. Just a simple command from a malicious actor could disable a critical function, to cause widespread disruption or harm.
Ships rely on satellite communications to maintain contact across the globe. Unless protected, these network links are the most vulnerable points in the system when the vessel leaves port.
Groups such as Poseidon – a commercial cyber espionage attack group that uses extortion as its modus operandi – have targeted and exfiltrated the command and control systems that service shipping satellite systems, though there is no evidence that they have made any demands on shipping organisations.
A recent study highlighted some disturbing facts that suggest cruise ships are particularly vulnerable to cyber attack.
Floating cities need connectivity
Wealthy travellers on cruise ships require access to a ‘city style’ infrastructure. Passengers are on holiday and thus more vulnerable – they have inherent trust of the vessel and its on-board services, including the internet, which is delivered as a paid service. As providing a reliable internet service generates a high level of income for the shipping companies, their priority is often availability rather than security. Passengers expect a seamless transition from their home or work environment to the vessel, and have a similar IT demand.
The study identified particular vulnerabilities on newer cruise vessels, which have shared core network systems with services separated only by VLANs (virtual local area networks). The failure to separate platform management systems, AIS and ECDIS, customer internet and point of sale systems increases the likelihood of an advanced persistent threat jumping across networks. These systems should be physically separated and individually protected, to minimise the risk to cruise ships in the future.
Each vulnerability enables access to critical data or critical control points. The Rotterdam case demonstrates that access to network and cargo data can be highly profitable, while the Verizon report illustrates the risk to shipping if manifest data is accessed. As long as personal, financial and identity information remains easy to access via the on-board internet, modern luxury cruise liners will remain target-rich areas for criminal activity.
While cyber criminals are unable to access platform management systems, and the critical control points may not yet be targets, events on offshore oil and gas platforms have shown that the potential for attack exists… and the reputational and financial cost of a cruise liner or a large container ship being disabled port side would be significant.
Simple steps to reduce the threat level in the maritime industry
But it’s not all bad news. The maritime industry is now talking about cyber resilience and threats, and mitigations are being put in place. General guidance is available, such as BIMCO’s Cyber Security Onboard Ships Guidelines, but a lack of regulation means guidelines and best practice from other transportation sectors need to be taken seriously to make a difference to the level of risk in the sector.
In the meantime, a number of simple yet effective technological solutions can mitigate risk. The transmission of critical sensitive data can be protected by the implementation of a government-grade hardware-based encryption solution.
Traditional software-based solutions have inherent weaknesses that allow advanced persistent threats (APTs) to infiltrate networks. Modern hardware-based platforms have no attack surfaces for APTs to advance.
Cost-effective data guards can be installed to protect critical OT networks by allowing only known protocols through.
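As an added illustration of the allow-list principle behind a data guard (this is not L-3 TRL's product or code), the Python below decides whether a frame may cross from IT to OT. It assumes the only permitted protocol is NMEA 0183 text sentences, the format commonly used to carry navigation and AIS data; the allowed sentence types and the sample frames are constructed for the example.

```python
# Added illustration: allow-list "data guard" for an IT -> OT boundary.
# Assumption: the one permitted protocol is NMEA 0183 text sentences.
from functools import reduce

MAX_LEN = 82  # NMEA 0183 sentence limit, including start char and CR LF
# Hypothetical policy: sentence types this OT segment may receive.
ALLOWED_TYPES = {"GPGGA", "GPRMC", "AIVDM"}

def nmea_checksum(body: str) -> str:
    """XOR of every character between the start delimiter and '*'."""
    return f"{reduce(lambda acc, ch: acc ^ ord(ch), body, 0):02X}"

def guard(frame: bytes) -> tuple[bool, str]:
    """Return (forward?, reason). Anything not provably valid is dropped."""
    if len(frame) > MAX_LEN:
        return False, "too long"
    if not frame.endswith(b"\r\n"):
        return False, "missing CR LF terminator"
    try:
        line = frame[:-2].decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes"
    if not line or line[0] not in "$!" or not all(32 <= ord(c) < 127 for c in line):
        return False, "not a printable NMEA sentence"
    body, star, given = line[1:].rpartition("*")
    if not star or len(given) != 2:
        return False, "missing checksum"
    if given.upper() != nmea_checksum(body):
        return False, "bad checksum"
    sentence_type = body.split(",", 1)[0]
    if sentence_type not in ALLOWED_TYPES:
        return False, f"type {sentence_type!r} not on allow-list"
    return True, "ok"

def make_frame(start: str, body: str) -> bytes:
    """Build a constructed test frame with a correct checksum."""
    return f"{start}{body}*{nmea_checksum(body)}\r\n".encode("ascii")

# Constructed sample traffic (not captured from any vessel).
SAMPLES = [
    make_frame("$", "GPRMC,120000,A,5130.00,N,00007.00,W,10.0,090.0,010116,,"),
    make_frame("$", "PXYZ,SET,ENGINE,0"),  # well-formed but not allow-listed
    b"$GPRMC,120000,A,5130.00,N*00\r\n",   # checksum does not match
    b"GET /status HTTP/1.1\r\n",           # a different protocol entirely
]
```

The guard fails closed: a frame is forwarded only when every check passes, so a well-formed sentence of an unlisted type is dropped just like traffic from another protocol.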
Today’s shipping reports play down the cyber threat, and it is undoubtedly better if this continues to be the case. Yet as fleets and ship systems are modernised – and IT and OT systems integrated – the threat continues to grow.
Unless action is taken, the next item on the shipping news will be a major cyber event.
Owners and operators must reduce and mitigate threats by adopting technical measures that support the industry’s policies and procedures. Combining government standard encryption solutions to secure IT networks and data guards to lock down OT networks will significantly reduce the cyber threat.
About L-3 TRL
With 30 years of experience at the forefront of technological development, L-3 TRL is an official supplier to Her Majesty’s Government. Our cutting-edge, best-of-British technology is accredited and approved by CESG, and we have achieved two Queen’s Awards for innovation.
For more information, visit www.l-3com.com/trl