The great seaborne cybersecurity threat
The logistics of the global trade industry is driven by some 50,000 cargo ships around the world— thousands of which cross our oceans each month, battling adverse conditions and strict schedules to deliver billions of dollars’ worth of goods.
If the risks from piracy, gale-force winds and, of course, geopolitical tensions, weren’t enough, like every other industry going digital, merchant ship fleets— arguably the backbone of modern economies— are now faced with growing cybersecurity risks.
Unlike enterprises or fixed-location systems, maritime vessels face unique challenges due to rotating crews and remote positions. This makes them highly susceptible to digitally-led hijackings or even ransomware.
Not only can attacks throw a sizeable spanner in logistics, but the impact can also be life-threatening to those on board.
A report entitled Guidelines on Cyber Security Onboard Ships, published by shipping conglomerates, warned that compromised IT systems caused “a ship with an integrated navigation bridge suffered a failure of nearly all navigation systems at sea, in a high traffic area and reduced visibility.”
Meanwhile, simple alterations to cargo loading pattern .csv files could lead to weight discrepancies in a vessel’s hull, with potentially disastrous consequences to the crew (and cargo) on board, as well as wreaking environmental damage.
Beyond that, the blow dealt to a company’s reputation may take years to recover from, resulting in a significant loss of revenue and consumer confidence.
To date, while the issue is improving, the shipping industry has largely turned a blind eye the havoc cyberattacks could cause. A lack of maritime cybersecurity practices has robbed the industry of hundreds of millions of dollars.
One of the industry’s highest-profile cyber attacks was against container shipping giant, Maersk in 2017. The company was hit by NotPetya, a ransomware attack that prevented people from accessing their data unless they paid just US$300 in bitcoin.
The ransomware took advantage of certain security vulnerabilities in Windows systems, and as a consequence, the companies business volumes were negatively affected. In the days after Maersk was hit, the company estimated that its losses might run up to a staggering US$300 million.
A similar ransomware attack was recently experienced by shipping giant COSCO. Fortunately, unlike Maersk, the damage was limited to the business’s operations in the Americas. This is because unlike Maersk, COSCO apparently operated with regional IT networks rather than one global system, limiting the overall damage.
Today’s market has no lack of quality cybersecurity software, but when it comes to the maritime industry and its unique set of challenges, most of the existing solutions do not fit.
Legacy solutions lack viability. No cybersecurity software accounts for protecting a floating mini-city forced into radio silence.
Crewed by computer non-savvy deckhands, cargo ships, cruise liners, and offshore rigs face greater cybersecurity challenges than the International Space Station. With such a massive area and so few people, there is no room for an IT expert, and there is no IT support at sea.
Both crews and cargo transport all manner of devices, which could all provide a gateway for hackers.
Modern maritime vessels rely on unstable, low-bandwidth, and choppy communication. At the same time, these ships are managed on outdated systems, running Windows XP without a means to encrypt information. If a compromised ship has been given new coordinates, the onboard system has no cloud to rely on and no IT department to ask.
Even if a ship’s captain were to determine that a security breach has occurred, meanwhile, they would have no way to address it. Without regulated protocols to secure all connected devices from ship to port, the frequency of cyber-attacks will surely continue climbing.
As of yet, neither the International Maritime Organization (IMO) or national authorities have issued formal regulations regarding cybersecurity in the maritime sector. However, as of January 1, 2021, requirements will be formalized as regulations for the safe operation of ships, to be addressed by all players in the shipping industry.
A lack of formal regulations and mounting concerns over the growing maritime cybersecurity risks hasn’t stopped organizations acting on the matter. The IMO’s Maritime Safety Committee agreed on guidelines for cyber risk management, which became the basis for high-level recommendations.
These place members of the shipping industry to adopt a risk management approach tackling minimizing the danger to crew, risks to environmental safety, and to the financial consequences of a full or partial loss of sensitive data.
Solutions are also emerging at the enterprise level. Israel based Elron, for example, has developed Naval Dome— a maritime cybersecurity system for critical onboard systems that offers remote secure access, OTA updates, and anomaly analysis which, it says, ‘acts as an onboard IT team’ and protects navigational and operational systems.
“An immobile ship loses money and a compromised ship ruins reputation. With our global economy becoming increasingly accessible, we expect to see a rise in global shipping and cruising. A secure maritime industry is a secure global economy,” said Zohar Rozenburg, VP of cyber investments at Elron, and a retired Naval colonel to TechHQ.
“To make this a reality, the ecosystem must develop and implement maritime-specific solutions. Rapid and autonomous response cybersecurity solutions are the only option. Patchworking legacy solutions are ineffective and risk the whole ecosystem.”
In the next few decades to come, shipping networks will continue to provide an irreplaceable backbone for global supply-chains. But as the systems running and navigating them become more connected— with autonomous shipping technology just over the horizon— the threat posed by cyberattacks will continue to mount.
More choppy waters are inevitable in the years to come. Those with interests in the shipping industry, and cybersecurity firms themselves must continue to address the significance and potential scale of the great sea-borne cybersecurity threat.
30 March 2023
30 March 2023