SINGAPORE – The next hacker playground: the open seas — and the oil tankers and container vessels that ship 90 percent of the goods moved around the planet.
In this Internet age, as more devices are hooked up online, so they become more vulnerable to attack. As industries like maritime and energy connect ships, containers and rigs to computer networks, they expose weaknesses that hackers can exploit.
Hackers recently shut down a floating oil rig by tilting it, while another rig was so riddled with computer malware that it took 19 days to make it seaworthy again; Somali pirates help choose their targets by viewing navigational data online, prompting ships to either turn off their navigational devices, or fake the data so they look like they are somewhere else; and hackers infiltrated computers connected to the Belgian port of Antwerp, located specific containers, made off with their smuggled drugs and deleted the records.
While data on the extent of the maritime industry’s exposure to cybercrime are hard to come by, a study of the related energy sector by insurance brokers Willis this month found that the industry “may be sitting on an uninsured time bomb.”
Globally, it estimated that cyberattacks against oil and gas infrastructure will cost energy companies close to $1.9 billion by 2018. The British government reckons cyberattacks already cost U.K. oil and gas companies around £400 million ($672 million) a year.
In the maritime industry, the number of known cases is low since attacks often remain invisible to the company, or businesses don’t want to report them for fear of alarming investors, regulators or insurers, security experts say.
But researchers say they have discovered significant holes in the three key technologies sailors use to navigate: GPS, marine Automatic Identification System (AIS), and a system for viewing digital nautical charts called Electronic Chart Display and Information System (ECDIS).
“Increasingly, the maritime domain and energy sector has turned to technology to improve production, cost and reduce delivery schedules,” a NATO-accredited think tank wrote in a recent report. “These technological changes have opened the door to emerging threats and vulnerabilities as equipment has become accessible to outside entities.”
As crews get smaller and ships get bigger, they increasingly rely on automation and remote monitoring, meaning key components, including navigational systems, can be hacked. A recent study by security company Rapid7 found more than 100,000 devices — from traffic signal equipment to oil and gas monitors — were connected to the Internet using serial ports with poor security.
“The lines get blurry, and all industries and all technologies need to focus more on security,” said Mark Schloesser, one of the authors of the study.
Mark Gazit, CEO of ThetaRay, an Internet security company, said an attacker managed to tilt a floating oil rig to one side off the coast of Africa, forcing it to shut down. It took a week to identify the cause and fix, he said.
Lars Jensen, founder of CyberKeel, a maritime cybersecurity firm, said ships often switch off their AIS systems when passing through waters where Somali pirates are known to operate, or fake the data to make it seem they are somewhere else.
Shipping companies mostly played down the potential threat.
A study last year by the Brookings Institution of six U.S. ports found that only one had conducted an assessment of how vulnerable it was to a cyberattack, and none had developed any plan to respond to any such attack. Of some $2.6 billion allocated to a federal program to beef up port security, less than 1 percent had been awarded for cybersecurity projects.
When CyberKeel probed the online defenses of the world’s 20 largest container carriers this year, it found 16 had serious security gaps.
“When you look at the maritime industry, there’s extremely limited evidence of systems having been breached” compared to other sectors, said CyberKeel’s Jensen. “That suggests to us that they’ve not yet been found out.”
Michael Van Gemert, a security consultant to the oil and gas industry, said that on visits to rigs and ships he has found computers and control systems riddled with viruses. In one case, he said it took 19 days to rid a drilling rig en route from South Korea to Brazil of malware that had brought the vessel’s systems to a standstill.
“The industry is massively in need of help, they have no idea what the risks are,” he said.
The main ship navigation systems — GPS, AIS and ECDIS — are standards supported by bodies such as the International Maritime Organization. Indeed, that body has made the latter two mandatory on larger commercial and passenger vessels.
Researchers from the University of Texas demonstrated last July that it is possible to change a ship’s direction by faking a GPS signal to dupe its onboard navigation system.
Marco Balduzzi and colleagues at antivirus vendor Trend Micro last month showed that an attacker with a $100 VHF radio could exploit weaknesses in AIS, which transmits data such as a vessel’s identity, type, position, heading and speed to shore stations and other ships, and tamper with the data, impersonate a port authority’s communications with a ship or effectively shut down communications between ships and with ports.
In January, a British cybersecurity research firm, NCC Group, found flaws in one vendor’s ECDIS software that would allow an attacker to access and modify files, including charts. “If exploited in a real scenario,” the company concluded, “these vulnerabilities could cause serious environmental and financial damage, and even loss of life.”
When the USS Guardian ran aground off the Philippines last year, the U.S. Navy in part blamed incorrect digital charts. A NATO-accredited think tank said the case illustrated “the dangers of exclusive reliance upon electronic systems, particularly if they are found vulnerable to cyberattack.”
Fixing this will take time, and a change in attitude.
“Security and attack scenarios against these technologies and protocols have been ignored for quite some time in the maritime industry,” said Rapid7’s Schloesser.
Researchers like Fotios Katsilieris have offered ways to measure whether AIS data are being faked, though he declined to be interviewed, saying it remains a sensitive area.
Indeed, AIS is abused within the industry itself. Windward, an Israeli firm that collects and analyzes AIS data, found 100 ships transmitting incorrect locations via AIS in one day — often for security or financial reasons, such as fishing boats operating outside assigned waters, or smuggling.
In a U.N. report issued earlier this year on alleged efforts by North Korea to procure nuclear weapons, investigators wrote that one ship carrying concealed cargo turned off its AIS signals to disguise and conceal its trip to Cuba.
It is not clear how seriously the standards bodies treat the threat. Trend Micro’s Balduzzi said he and his colleagues were working with standards organizations, which he said would meet next year to discuss his research into AIS vulnerabilities.
The core standard is maintained by the International Telecommunications Union in association with the International Maritime Organization. The union said no official body had contacted it about the vulnerabilities of AIS, but that it is studying the possibility of reallocating spectrum to reduce saturation of AIS applications.
Yevgen Dyryavyy, author of the NCC Group report on ECDIS, was skeptical that such bodies will solve the problems soon. First, he said, they have to understand the IT security of shipboard networks, onboard linked equipment and software, and then push out new guidelines and certification.
Until then, he said, “nothing will be done about it.”
In a time of both misinformation and too much information, quality journalism is more crucial than ever.
By subscribing, you can help us get the story right.