Late last year it emerged that major shipping group AP Moeller-Maersk and shipping services giant Clarksons had both been the subject of damaging cyber-attacks.
The Danish-based group, which includes container carrier Maersk Line, says: “Performance was challenged from the June cyber-attack of which the financial impact is in the range of US$250-300 million.”
The group also says that “contingency initiatives related to recovery after the cyber-attack resulted in a negative development in Maersk Line volumes of 2.5% and increase in unit cost of 3.9% at fixed bunker prices”.
Clarksons also had to admit it had been the victim of a cyber security hack and warned that the person or persons behind the attack could release some data.
“As soon as it was discovered, Clarksons took immediate steps to respond to and manage the incident,” the company said. It added: “Our initial investigations have shown the unauthorised access was gained via a single and isolated user account which has now been disabled.”
In both cases we are talking serious damage being done, financially and potentially reputationally.
So far there have been no reports of cyber-attacks specific to the bunker sector but, as ship operators, bunkering companies are just as vulnerable as the rest of the wider shipping industry.
A recent series of simulated cyber-attacks on vessels has highlighted that shipping might be an easy target for those who wish to cause mayhem. Israeli-based cyber security specialist Naval Dome says it has demonstrated the maritime industry’s nightmare security scenario with a series of cyber penetration tests on systems in common use aboard tankers, container ships, super yachts and cruise ships.
It says the results “revealed with startling simplicity the ease with which hackers can access and over-ride ship critical systems”.
With the permission and under the supervision of system manufacturers and owners, Naval Dome’s cyber engineering team hacked into live, in-operation systems used to control a ship’s navigation, radar, engines, pumps and machinery.
While the test ships and their systems were not in any danger, Naval Dome was able to shift the vessel’s reported position and mislead the radar display. Another attack resulted in machinery being disabled, signals to fuel and ballast pumps being over-ridden and steering gear controls manipulated.
Commenting on the first wave of penetration tests, on the ship’s Electronic Chart Display and Information System (ECDIS), Asaf Shefi, Naval Dome’s CTO, the former Head of the Israeli Naval C4I and Cyber Defense Unit, said: “We succeed in penetrating the system simply by sending an email to the captain’s computer. We designed the attack to alter the vessel’s position at a critical point during an intended voyage – during night-time passage through a narrow canal. During the attack, the system’s display looked normal, but it was deceiving the officer of the watch (OOW). The actual situation was completely different to the one on screen. If the vessel had been operational, it would have almost certainly run aground.”
Well, a traditionally trained deck officer might say, it wouldn’t have done if the OOW was doing his job properly and using all available information to maintain his situational awareness by manually plotting positions, observing seamarks, using transits and taking compass bearings. Nevertheless Naval Dome’s scenario is absolutely plausible.
Apparently the Naval Dome hack was able to alter draught/water depth details in line with the spurious position data displayed
“The vessel’s crucial parameters – position, heading, depth and speed – were manipulated in a way that the navigation picture made sense and did not arouse suspicion,” he said. “This type of attack can easily penetrate the antivirus and firewalls typically used in the
Commenting on the ease with which Naval Dome was able to by-pass existing cyber security measures, Shefi explained: “The Captain’s computer is regularly connected to the internet through a satellite link, which is used for chart updates and for general logistic updates. Our attacking file was transferred to the ECDIS in the first chart update. The penetration route was not too complicated: the attacking file identified the Disk-On-Key use for update and installed itself. So once the officer had updated the ECDIS, our attack file immediately installed itself on to the system.”
In a second attack, the test ship’s radar was hit. While the radar is widely considered an impregnable, stand-alone system, Naval Dome’s team used the local Ethernet Switch Interface – which connects the radar to the ECDIS, Bridge Alert System and Voyage Data Recorder – to hack the system.
“The impact of this controlled attack was quite frightening,” said Shefi. “We succeeded in eliminating radar targets, simply deleting them from the screen. At the same time, the system display showed that the radar was working perfectly, including detection thresholds, which were presented on the radar as perfectly normal.”
A third controlled attack was performed on the Machinery Control System (MCS). In this case, Naval Dome’s team chose to penetrate the system using an infected USB stick placed in an inlet/socket.
“Once we connected to the vessel’s MCS, the virus file ran itself and started to change the functionality of auxiliary systems. The first target was the ballast system and the effects were startling. The display was presented as perfectly normal, while the valves and pumps were disrupted and stopped working. We could have misled all the auxiliary systems controlled by the MCS, including air-conditioning, generators, fuel systems and more.”
That is indeed a scary picture that has been painted. Of course Naval Dome and other specialists in the field will sell you ways of
One such specialist, Pen Test Partners, which specialises in security testing of maritime, automotive and utility control systems, has again warned ship owners and operators to ensure their satcom boxes
Pen Test’s senior partner Ken Munro says he was able to use a new real time ship-mapping feature on internet search engine Shodan to geo-locate vulnerable vessels through their satcom boxes.
He says that, by combining this with AIS data, a hacker has everything they need to select a suitable ship to attack. They can choose a vessel en route to a nearby port, ready for load theft. Or perhaps cripple a ship in a particular area, ready for piracy.
“Although it was possible before to find a specific vessel’s location, it required a lot of work to analyse and present it on a map. The new mapping feature makes it trivially easy for hackers and criminals alike,” he warns. He says ship operators should secure their satcom boxes by changing default passwords and applying all updates received from their satellite communication providers immediately.
Meanwhile, cyber security issues are part of the reason BIMCO and the international association for the marine electronics industry, CIRM (Comité International Radio-Maritime), have sent the industry’s first proposal for an industry-wide standard for software maintenance to the International Maritime Organization (IMO) for consideration. Without an industry standard, BIMCO says it sees an increasing risk of severe incidents on ships, delays and costs to shipowners and cyber security problems.
“We hope the entire industry will adopt these standards, to make ships safer, to prevent cyber security problems and to save money,” says Angus Frew, Secretary General and CEO at BIMCO. “The industry has been living in a world of hardware. But software has been integrated into most physical equipment on the vessels, and the systems and procedures to manage the software have not kept up with technical developments, and it creates problems.”
The goal of the Standard on Software Maintenance of Shipboard Equipment is to make sure software updates happen in a secure and systematic way. It should increase the visibility of the software installed on board, ensure the effective planning of maintenance and ensure effective communication between the different parties involved in maintaining the software. Crucially, keeping software up to date is also necessary to minimise hacking and malware problems.
BIMCO and CIRM would like to see the standard become an ISO-standard, to make it more robust. ISO has provisionally accepted the proposal. BIMCO expects a work group to complete the standard
Meanwhile attention is starting to be paid to the pressing need to make seafarers more aware of the need for effective cyber
The Liberian Registry has launched a Cyber and Ship Security Computer-Based Training (CBT) programme that provides a comprehensive overview of cyber-security issues, including concepts such as malware, network security, identity theft, risk management, and other common threats to maritime security.
Jorgen Palmbak, Director of Maritime Security for the Liberian International Ship & Corporate Registry (LISCR), the US-based manager of the Liberian Registry, says: “Cyber-attacks have been identified as among the most serious emerging threats to the security of today’s shipping industry. Over 40% of crew members have reportedly sailed on a vessel that has become infected with a virus or malware – and only 1 in 8 crew members have received
He adds: “In recent years, it has become apparent that maritime companies, ships, and ports are not adequately protected against what is clearly a rapidly evolving threat. Furthermore, IMO has issued a resolution giving shipowners and managers until 2021 to incorporate cyber-risk management into their ship safety plans. The Liberian Registry believes that there is an immediate need for both crew and shore-based staff to receive cyber security training as part of an overall security skill-set update and has accordingly taken a proactive approach to the issue.”
Palmbak says that the CBT program also provides a comprehensive overview of common maritime security threats, including the risk of criminal activity, threats to ship security, port-based drug-trafficking risks, security roles and responsibilities on board, and an introduction to the ISPS code. It also covers issues relating to stowaways, about 2,000 of whom are discovered each year hiding on ships, and piracy attacks, of which there have been an average of more than 300 per year since 2009.
Distance learning specialist KVH Videotel has also launched a cyber security training programme, produced in association with global shipping association BIMCO, to address the threat of ransomware and other computer system breaches that could severely affect the safety of ships’ crew, systems, and operations.
The company notes that the maritime industry is now focusing on cyber security issues and that IMO recently announced that it will soon be mandatory for companies to ensure that cyber security procedures are properly addressed in their ship’s Safety Management System (SMS). To create the training programme, KVH Videotel partnered with BIMCO, which has been active in recent years in researching maritime cyber security; BIMCO published guidelines in 2016 that have become an industry reference on the subject, and released an updated version in July last year.
All in all there is now a lot going on in the cyber security area and no excuse for not taking the risks of cyber-attack seriously.