The maritime industry often has high value cargo in fitted to ships with legacy systems, bad awareness, poor processes, and seaports suffering from the same problems, making it an industry “ripe for hacking”, according to Tamlin Magee, writing last month in TechWorld.
Although more than 80% of global trade by volume is transported from region to region by ships, and 10.3bn tons in total moving between seaports around the world globally in 2016, incident after incident has demonstrated how much the industry is vulnerable to cyber-attack, said Magee.
In 2015 Kaspersky Labs called shipping “easy meat” for hackers, and reported on a sequence of significant hacks, ranging from a drilling rig that was hacked and tilted from its site in South Korea towards South America – as long ago as 2010, to a 2012 incident when a criminal gang hacked into the systems of the Australian Customers and Border Protection Service agency, permitting them to be one step ahead of authorities when they placed containers under suspicion.
Maritime security company CyberKeel had noted that ships were switching off their navigation systems when travelling through waters where armed pirates are known to operate – sometimes faking the data to make the ships appear they were elsewhere. A scheme in the Belgian port town of Antwerp saw criminals gain access to systems that controlled the movement of containers to smuggle cocaine, heroin and guns.
In 2017, a cargo ship travelling from Cyprus to Djibouti lost control of its navigation system for 10 hours – preventing a captain from manoeuvring and with the intention of steering it into territory where it could be easily boarded by pirates and robbed, said Safety At Sea, which heard from a source that the “IT system of the vessel was completely hacked”.
In October last year Ken Munro at PenTestPartners demonstrated drew a comparison with industrial control systems – noting that, although the network protocols and security systems were virtually non-existent when they were created, this didn’t matter so much as long as the endpoint and communications security was robust. He called ships “complex industrial controls, but floating”.