by Captain Pankaj Kapoor, Master Mariner
Many feel that majority of ocean-going vessels due their use of Industrial Control Systems (ICS) are unlikely targets to cyber-attacks. Barely do they realise that with the increased use of internet and satellites in Maritime Transport, shipping is a ripe playground for hackers.
IMO comments that “Maritime cyber risk refers to a measure of the extent to which a technology asset could be threatened by a potential circumstance or event, which may result in shipping-related operational, safety or security failures as a consequence of information or systems being corrupted, lost or compromised.
Cyber risk management means the process of identifying, analysing, assessing and communicating a cyber-related risk and accepting, avoiding, transferring or mitigating it to an acceptable level, considering costs and benefits of actions taken to stakeholders
The overall goal is to support safe and secure shipping, which is operationally resilient to cyber risks.”
International Shipping is one of the oldest and recognised as world’s FIRST TRULY GLOBAL industry. It is also the lifeblood of the global economy, accounting for the carriage of nearly 90% of world trade.
The Maritime Transportation System (MTS) – is susceptible to cyber risks as any other industry. What the general public does not realise is that any disruption in shipping activities directly affects the global supply chain, as shipping contributes to a major chunk of international movement of goods. IMO has gone to extent of commenting that “any disruption in world shipping would result in half the world dying of hunger and the other half of cold”.
Public in general is unaware of the complexity of the MTS, and the impact that MTS disruptions pose to national security and economic stability. For most, ships are beautiful hotels, traveling to exotic destinations and full of excitement. No one ever imagines the phenomenal role they play in our daily lives. But, on sane level, when considering potential threats to the global transportation system, maritime risks are sadly often invisible till a marine disaster awakens the public from their slumber. Recent examples of that are Wakashio, New Diamond and Exon Valdez.
UNCTAD in its recent report mentioned that “Global maritime trade will plunge by 4.1% in 2020 due to the unprecedented disruption caused by COVID-19, UNCTAD estimates in its Review of Maritime Transport 2020, released on 12 November.” Current pandemic has compelled the industry to conduct even more operations digitally thus exposing it to greater cyber threats.
Above is scary revelation of what impact can disruptions in shipping cause to global economy and one of the unseen threats which can cause such severe disruptions is cyber-attack. Such a probable incident should not be treated with kids gloves.
In a BIMCO sponsored Maritime Cyber Security survey in 2020, some respondents went so far as to describe their company policy to OT cyber risk as “careless.”
Impact of cyber-attack on the World’s Shipping Giant Maersk is not forgotten from human memory, where A.P. Møller-Maersk, fell prey to Not Petya on June 27, 2017. Attackers spread the malware after seizing control of the software update mechanism of M.E. Doc, a standard accountancy package for firms doing business in Ukraine, as part of a carefully planned operation.
The impact was immediate and the recovery was slow. Company’s network was crippled within few minutes of the attack. Severe damage was done within an hour of attack. It took nine days and close to 300 million dollars to restore the systems. Maersk was appreciated worldwide for sharing this incident with public and not giving in to the ransom demands of the hackers.
As recent as April 2020 Swiss-based global shipping giant Mediterranean Shipping Company (MSC) confirmed that an outage of its websites was caused by a malware attack affecting its headquarters in Geneva.
MSC informed its customers that its website, msc.com, and its myMSC customer and vendor portal had become unavailable due to a network outage at one of the company’s data centres. Company however did declare that it did not entirely rule out the possibility that the incident was caused by a piece of malware. Once the incident was resolved, company declared that “After a thorough investigation, we confirm that it was confined to a limited number of physical computer systems in Geneva only and we have determined that it was a malware attack based on an engineered targeted vulnerability. We have shared as per industry standards the malware with our technology partners so that mitigations could be made available not only to us”.
Such incidents are not isolated ones as even IMO experienced a shutdown of much of the it’s IT systems for nearly 48-hour period.
“The interruption of web-based services was caused by a sophisticated cyber-attack against the organization’s IT systems that overcame robust security measures in place,” the IMO said in a statement regarding this first cyber-attack.
Another incident was when the French container line CMA CGM a high-profile name in shipping was hit by hackers. It took the Marseille-based company nearly two weeks to get out of the ransomware attack.
In yet another incident an oil tanker arrived in Singapore in June 2020 and reported her position to VTIS East. But, the VTIS failed to locate the ship on AIS. They served a notice to Master not to sail without the AIS repair. Owners immediately arranged a technician who boarded the vessel at anchorage. He checked and confirmed with the VTIS that all are in order. However, the AIS failure re-occurred after two days during departure and company had to take flag state dispensation.
A new AIS was installed on arrival at next call Singapore. The technician verified with VTIS, and AIS was found satisfactory. However again after few days, the berthing Pilot reported the same issue and the vessel’s sailing was postponed to facilitate service engineer’s boarding at anchorage.
Company again arranged service engineers to check the AIS. This time the attending technicians found that three other vessels were using vessel’s MMSI number. This caused interference and intermittent failure of AIS transmission from the vessel.
Owners informed the MPA Singapore, once they identified the actual problem. An investigation in the matter was launched and it was discovered that vessel’s
identity was being used by other vessels involved in possible illegal bunkering or sanction trade. This incident highlights, how easy it is to hack into ships systems.
Even GPS signal is a relatively weak signal and can be easily jammed, spoofed or resent with delay There have been incidents where Masters have reported incorrect GPS signals showing vessel’s position on land! AIS information is transferred using VHF radio with no encryption allowing valuable information to be easily obtained and it can be also altered or jammed.
Cyber threats though invisible are present and need to be tackled seriously Knee-jerk reactions would not be sufficient to overcome them. IMO’s Maritime Safety Committee, at its 98th session in June 2017, also adopted Resolution MSC.428(98) – Maritime Cyber Risk Management in Safety Management Systems. The resolution encourages administrations to ensure that cyber risks are appropriately addressed in existing safety management systems (as defined in the ISM Code) no later than the first annual verification of the company’s Document of Compliance after 1 January 2021. Taking cue from IMO’s recommendations, most of the companies have now made it an integral part of their ISM manuals.
What exposes a vessel to probable cyber-attacks is the integration of Industrial Control Systems (ICS) to internet and satellite systems. So, what is ICS? Many parameters on a ship need to be controlled or monitored for example temperatures, pressure, level, viscosity, flow control, position of vessel, speed, torque control, voltage, current, machinery status (on/ off), and equipment status (open/ closed). With more advanced systems, ships are becoming exceedingly technology dependent with reduced manpower thus introducing increased automation. These advances have resulted in more and more vessels having Unmanned Machinery Spaces (UMS) class where ships engines can be controlled with automation without manual interference.
A number of operations on a vessel are now fully automated and integrated like propulsion plant operation, power management operation of the auxiliary engines, auxiliary machinery operation, cargo loading/unloading operation, navigation etc.
Earlier ICS were stand-alone systems, with sometimes propriety technologies. Whereas presently ICS use Commercial Off the shelf (COTS) technologies which are then connected to other systems. Most of these COTS systems depend on network presence and use OS such as Windows, UNIX, Linnux thus making them vulnerable to cyber-attacks. Additionally, devices like Bring Your Own Devices (BYOD) for navigation, use of third-party USB’s, introduce vulnerabilities if not properly configured.
Present day ICS are connected to various company operated systems which rely on Internet accessibility for instance vessels email system or automatic updates of ECDIS received through emails. These features give asset owners and operators immediate benefits by extending connectivity and interoperability with other IT infrastructures. But at the same time, they lure hackers to attack the vessels systems with relative ease.
Ethical Hackers have successfully proved that, an attack can be initiated to alter the ships position thus giving false information to the duty officer and compelling him to take incorrect actions. An Israeli cyber security company after conducting an Ethical Hacking exercise managed to hack into vessel’s navigation system by just sending a simple mail. They commented that “We designed the attack to alter the vessel’s position at a critical point during an intended voyage – during night-time passage through a narrow canal. During the attack, the system’s display looked normal, but it was deceiving the Officer of the Watch.”
“The actual situation was completely different to the one on screen. If the vessel had been operational, it would have almost certainly run aground.”
“The vessel’s crucial parameters – position, heading, depth and speed – were manipulated in a way that the navigation picture made sense and did not arouse suspicion.”
“This type of attack can easily penetrate the antivirus and firewalls typically used in the maritime sector.”
IMO and various other organisations have warned that maritime cyber risk is ever present and with increased automation, this may result in shipping-related operational, safety, or security failures as a consequence of information or systems being corrupted, lost or compromised.
Even those ships which still leverage legacy technologies using a blend of Information technology (IT) and Operational Technology (OT) are exposed to cyber risks due to use of these systems both by internal ships crew and third-party vendors and can be compromised by hackers or even insider threats.
In conclusion, with more and more automation coming into the ship operations, it is advisable that the ships staff are adequately trained and made aware of the ever-present cyber threat. With growing use of different systems having inbuilt software, cyber security should now become a prominent feature in the training of ships staff. Cyber security training is essential not just for data protection but also reliable and smooth operations. All that is required for a disaster, is for one person, in a moment of weakness, becomes willing to compromise by opening an unwanted attachment. 97% of attacks actually consist in tricking a user by using social engineering techniques. Phishing and social engineering, unintentional downloads of malware, etc., are common issues.
Author Bio: Capt. Pankaj Kapoor, Master Mriner, B.Sc(Naut Science), PG Maritime Law, LL.B, AFNI, is a Maritime lawyer and a Sr. Partner in India Law Offices LLP (amongst the top 100 law firms of India) heading the firms Maritime Law division. He is an ex member NITI Aayog committee for drafting “National Maritime Policy”. Besides Maritime Law practice he is also adjunct Professor at various National law colleges and universities.