Vulnerable Maritime Supply Chain

Merchant vessels and ports are extraordinarily vulnerable to increasingly sophisticated cyberattacks against OT systems.  It is estimated that 90% to 95% of all shipped goods travel by sea at some stage.  This makes the global maritime industry the largest and most important supply chain.  Successful cyberattacks against the maritime supply chain would have the potential to damage individual companies, national finances, and even the global economy.

The maritime sector includes the ports and the vessels that use them.  The vessels range from small freight carriers to oil supertankers, cargo carriers transporting more than 20,000 20-foot containers, and superyachts carrying high-value individuals.  While the port authorities are already under threat and attack by ransomware gangs, less attention has been paid to the threat of attacks against the vessels.[1]

See:  https://redskyalliance.org/xindustry/china-and-two-sets-of-technology-standards-in-the-supply-chain

The merchant maritime sector functions with vessels operational for anything from a few years to a few decades.  The older vessels have added new technology to improve efficiency through digitization and automation.  Updating this technology can be very expensive and will depend on various criteria: opportunity, cost/risk assessments, the economic strength of the company, and regulatory requirements.  The result is that many ships in the merchant maritime sector are vulnerable to cyberattacks.

Superyachts tend to be new and packed with the latest gadgetry.  They tend to be more secure, although successful compromise offers an attacker greater control over the vessel.  For example, a successful attack could give remote control over the throttle and the rudder.

John Sheehy, SVP of research and strategy at IOActive, points to three primary paths for an attacker to gain access to a vessel.  “There’s WIFI; some vessels have High Frequency (HF) radio; and commercial satellite communications (SATCOM) such as Inmarsat.”  To these we should add the insider carrying a USB stick, and earlier compromises of the vessel’s own supply chain.

Satellite communications often combine Inmarsat and GPS, and he considers this the primary threat vector, adding, “We know that a Russian APT group can remotely exploit the same types of SATCOM terminals used in maritime environments on vessels.”

Tom Van De Wiele, principal technology and threat researcher at F-Secure, adds, “Attacks aimed at communication links can be targeted at either the vessel communication links themselves using satellite communication or the port infrastructure on shore used to communicate with the vessels at sea.  This is linked to the back-end systems of the shipping IT infrastructure for container and ship monitoring systems.”

There are no known serious examples of vessel compromise, but the potential effect can be seen in genuine maritime mishaps and in theoretical analyses.  Genuine mishaps include the Torrey Canyon in 1967 and the Ever Given in 2021.

The supertanker SS Torrey Canyon ran aground on rocks off the southwest coast of the UK, spilling an estimated 100+ million liters of crude oil.  The ensuing environmental catastrophe led to aircraft from the Royal Navy and the Royal Air Force bombing the wreck to ignite the spillage.

The Ever Given, a 400-meter-long container ship that can carry more than 20,000 containers, ran aground in the Suez Canal in March 2021 and blocked it.  The knock-on effect of this blockage was immense.  Professor Kevin Jones, the executive dean of science and technology at Plymouth University (UK), comments: “Closing down one maritime supply route can cause a knock-on log jam that affects the world economy at the rate of billions of dollars daily.”

“There have been various estimates about the cost of the Suez closure, but some of them are as high as ten or eleven billion dollars a day, and those estimates were done before it was clear how long and how expensive it would be to clear the backlog that the blockage caused.  Months later, ships were queuing up to get into Port of Los Angeles because the whole scheduling pattern had been broken.”

Jones is the lead for the Universities Maritime Cyber Threats Research Group.  He runs a cyber risk laboratory at Plymouth – and was instrumental in developing the MaCRA (marine cyber risk assessment) technology.  His team did a theoretical analysis on the potential effect of closing just four major UK ports, perhaps by causing a blockage like the Ever Given.  It was a thought experiment, but no less valid for that.  “If you look at oil reserves, fresh food reserves, and other critical things within the UK, we have some reserves but need to receive new shipments daily.  The UK has about 11 significant ports, but most container shipments come through just four ports. If those ports were effectively jammed in the ways we’ve shown we can do for other ports, it would mean that the supply of goods coming into the UK would drop dramatically for the sake of discussion, very close to zero.”

Removing the blocking vessels would take weeks rather than days. “Assuming the attacker could pick the conditions, coordinate the attacks in the way they want to, which is difficult, but not impossible,” he continued, “you’ve cut off the supply of goods to the UK: we’re not getting fresh foodstuffs, and we’re not getting oil.  Very quickly, we’ll reach the point where power stations can no longer run.  Strategic reserves could be released, but there are consequences and logistic difficulties to doing that.  So, you start losing power and freezer capacity, and frozen stores, both in homes and in bulk storage, go rotten within a week.  You cascade all these effects, including loss of fuel for transport, and it is not long before you have a catastrophic failure of systems.  It’s not the most likely scenario, but it is a scenario that is well within the bounds of possibility.”

The University of Illinois Urbana-Champaign did a similar exercise in the US. “They looked at closing just one port in Florida,” said Jones, “and they got to the point in their thought experiment where people on the east coast were shooting each other quite quickly.  The general principle is that we depend highly on real-time resupply via shipping.  Cut that out for a while, and you’ve got a real problem.”

Motivations for attacking the maritime sector are fundamentally no different from those for any other industry sector.  They include ethical/political (hacktivists), financial (cybercriminal gangs), and geopolitical (nation-states).  Hacktivism may appear the least likely, but there is no technical reason to prevent an attack against a vessel by a determined and well-resourced hacktivist group.

The nation-state threat is perhaps the most concerning; it currently includes, but goes well beyond, the Russia/Ukraine war.  “For several years, it’s been known that in the northwest region around Russia, GPS satnav is unreliable,” comments Jones.  “It’s unreliable because Russia has been broadcasting spoofed GPS signals.  Ships’ captains have reportedly said, ‘I suddenly find myself in the middle of a playing field three miles inland, but when I look out the window, the ocean is still there.’”

See:  https://redskyalliance.org/transportation/ru-gps-spoofing

In February 2022, the US Office of the Director of National Intelligence issued its annual threat assessment: "Russia is investing in electronic warfare and directed energy weapons to counter western on-orbit assets.  These systems disrupt or disable adversary C4ISR [command, control, communications, computers, intelligence, surveillance, and reconnaissance] capabilities and disrupt GPS, tactical and satellite communications, and radars.”

And on March 17, 2022, CISA issued an alert warning about “possible threats to US and international satellite communication (SATCOM) networks.  Successful intrusions into SATCOM networks could create risk in SATCOM network providers’ customer environments.”

“There is evidence that nation-states, particularly Russia, have been experimenting with things like compromising GPS,” continued Jones.  “If you go back to previous generations of warfare where things like the Atlantic convoys were a vital lifeline to keep the country going, the attack method was submarines.  Today it might well be misdirection to run aground on a sandbank and be delayed until the next spring tide can float you off or crash into breakwaters and lose cargo in that way.  You can imagine it as a cyber/physical extension of the cyber softening attacks seen in several recent geopolitical campaigns.”

Casey Bisson, head of product and developer relations at BluBracket, comments, “The maritime industry, like all industries, is increasingly dependent on industrial IoT and connected devices.  Common IoT risks like weak default credentials, undocumented backdoors, and vulnerabilities that allow unauthorized remote access and control are especially concerning on vessels.  Vessels at sea and port are vulnerable to disruption and could be used as weapons in larger state conflicts.”

IOActive’s Sheehy has similar concerns. “The War in Ukraine has caused part of the Black Sea and the Sea of Azov to become impassable, which limits exports and imports to Russian and Ukrainian Black Sea ports.  Odessa, Ukraine, the largest commercial port on the Black Sea, is of particular concern.  The Russians could choose to use deniable cyber operations as a step up the escalation ladder to impose a cost on those countries who have imposed sanctions on them.  Moreover, judicious operations could produce global effects as we saw with the blocking of the Suez Canal by the Ever Given, which resulted from pilot error.”

An extension to the spoofed GPS signals that might confuse a ship’s captain is interference with the ship’s Automatic Identification System (AIS).  This could be an approach cybercriminal gangs take as part of a piracy scenario.  These systems broadcast identification and location information so that other ships and shore-based authorities know exactly what ship is where.  A compromised AIS could transmit either wrong information (making the ship appear elsewhere) or no information (making it an invisible ghost ship).

Jones described an example of a theoretical attack against a superyacht (although the basic principles could be harnessed against any vessel).  “Being able to get access to the systems on board the yacht,” he explained, “and to know what the plan is (that is, the charted route), and maybe even to monitor comms to know who’s on board, and then to use a hack on the charting system, you could misdirect the yacht so it thinks it is staying nicely clear in international waters, but you bring it within fast boat range of the Somali coast.  At the same time, alter the AIS transponder system so that the vessel is reporting itself as being somewhere, let’s say north, of where it is supposed to be while it has gone way south. Fast gunboats can come out and take the crew hostage.  The yacht may have broadcast an emergency alert, and an interdiction ship may have been dispatched, but it will go to where the AIS is reporting the location.  So, there’s a mismatch between actual and reported location, which reduces the risk for kidnappers.”
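The GPS-spoofing symptom Jones describes (a ship that is “suddenly three miles inland”) and the AIS tampering in the superyacht scenario above both leave the same trace in the data: a position track that the hull could not physically have followed, or one that goes silent.  The following is an added example, not code from the article or from the Plymouth team, showing the plausibility checks a bridge system or shore-side monitor could run over a stream of position reports; the sample track, the 30-knot speed ceiling and the 10-minute silence threshold are constructed assumptions.

```python
# Added example (not from the article): flag implausible jumps and silent gaps
# in a time-ordered track of GPS fixes or AIS position reports. Sample data
# and thresholds below are constructed assumptions for illustration.
import math
from dataclasses import dataclass

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles


@dataclass
class Report:
    t: float    # seconds since an arbitrary epoch (constructed)
    lat: float  # degrees, north positive
    lon: float  # degrees, east positive


def haversine_nm(a: Report, b: Report) -> float:
    """Great-circle distance between two fixes in nautical miles."""
    phi1, phi2 = math.radians(a.lat), math.radians(b.lat)
    dphi = phi2 - phi1
    dlmb = math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(h))


def check_track(reports, max_speed_kn=30.0, max_gap_s=600.0):
    """Return (index, reason) pairs for anomalies in a time-ordered track.

    'jump': implied speed between consecutive fixes exceeds what the hull can
            do (a spoofed GPS fix, or an AIS transponder reporting a position
            the vessel cannot have reached).
    'gap':  no report for longer than max_gap_s (a silent 'ghost ship').
    """
    anomalies = []
    for i in range(1, len(reports)):
        prev, cur = reports[i - 1], reports[i]
        dt = cur.t - prev.t
        if dt <= 0:
            anomalies.append((i, "non-monotonic timestamp"))
            continue
        if dt > max_gap_s:
            anomalies.append((i, "gap"))
        speed_kn = haversine_nm(prev, cur) / (dt / 3600.0)  # nm per hour
        if speed_kn > max_speed_kn:
            anomalies.append((i, "jump"))
    return anomalies


# Constructed track: steady ~12 kn northbound (1 arcminute of latitude = 1 nm),
# then a 3 nm jump in 60 s, then 30 minutes of silence.
SAMPLE = [
    Report(0, 50.0000, -5.0000),
    Report(300, 50.0167, -5.0000),
    Report(600, 50.0333, -5.0000),
    Report(660, 50.0833, -5.0000),   # 3 nm in 60 s, ~180 kn implied
    Report(2460, 50.0900, -5.0000),  # 1800 s since the last report
]

if __name__ == "__main__":
    for idx, reason in check_track(SAMPLE):
        print(f"report {idx}: {reason}")
```

Corroborating a flagged track against a source the attacker does not control (radar returns, a second GNSS constellation, dead reckoning from log and gyro) is what turns this alert into a decision the bridge or the interdiction ship can act on.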

The maritime sector is already in the crosshairs of the ransomware gangs.  “We have certainly seen ransomware affect maritime shipping,” says John Bambenek, principal threat hunter at Netenrich.  “IT systems support the entire ecosystem.  When they are compromised, ships may have to wait in port for it to be sorted out, or goods cannot be shipped outbound to their customers.  The net effects will look much like supply chain disruptions we have seen over the last year.”

Jasmine Henry, field security director at JupiterOne, agrees that the port is a vulnerable part of the maritime ecosphere. “The reason is simple,” she said.  “The majority have limited visibility into ICS systems even to understand which devices exist, let alone apply proper updates or configurations.  Merchant vessels and ports are extraordinarily vulnerable to increasingly sophisticated ransomware attacks against unmanaged OT systems, DDoS attacks, command injection, side loaded malware, and exploited misconfigurations.”

So far, we have seen little evidence of criminal attacks against vessels.  “We’ve seen examples of shipping companies being attacked by ransomware,” adds Jones.  “They’re not yet the catastrophic attacks with cyber/physical threats that we’ll run your ship aground, play with the ballast and capsize it, or dump its cargo of oil…”  But that is surely the logical extension of what is happening and what could be done in the future.

“One of the weird things about my job,” said Professor Jones, “is that I get to look at all the horrible things you can do by taking control of a ship. But I try not to be too melodramatic because cybersecurity has too many overhyped horror stories.  While I don’t want small freight companies to go out of business because they cannot afford hundreds of thousands of pounds to update their ships, there is certainly the possibility of criminal extortion and nation-state geopolitical activity using vessels.  With some vessels, it would be very hard to mitigate against an attack sometimes; the crew will have less than a minute to respond, so an attacker with sufficient skill and determination has a high probability of success.”

What is missing from the maritime sector is the ability to do genuine and regular risk assessments.  The risk is different for each vessel and varies depending on the route, cargo, and external threat conditions.  To try and solve this problem, Jones and Plymouth University developed the MaCRA maritime cyber risk assessment software.  It can provide a continuous risk assessment for individual vessels depending on the state of their onboard technology, their location and the route they are taking, and the cargo they are carrying.

The bottom line today is that the global economy’s single biggest supply chain is vulnerable to cyberattacks.


Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com


[1] https://www.securityweek.com/vulnerable-maritime-supply-chain-threat-global-economy/
