Seatrade Maritime is part of the Informa Markets Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cyber-security and why shipping needs to be worried

Cyber-security and why shipping needs to be worried
Cyber-security is fast becoming a hot-button issue in shipping, perhaps because it is one on the agenda everywhere.

On 1 April US president Barack Obama signed an executive order authorising sanctions against malicious overseas hackers as well as companies that knowingly benefit from cyber-espionage. "Cyber-threats pose one of the most serious economic and national security challenges to the United States,” he warned.

Part of the problem is the lingering characterisation of hacking as the preserve of hobbyists and basement-daredevils, rather than the industrial-scale organised criminal operation it is becoming. In the words of Bimco head Angus Frew, speaking at the roundtable with ICS, Intercargo and Intertanko recently, shipping needs to “take cyber-security seriously”. In a world so densely connected by technology, experts warn that everyone is at risk of cyber-attacks, and we would be extremely foolish to assume the industry handling 90% of world trade is any exception.

Indeed when it comes to the encroaching digitisation of everyday operations – the so called “internet of things” whereby machines talk to each other over IP – shipping certainly is not an exception. “Ships are increasingly computerised – they’re getting integrated control systems and systems are developed from electro-mechanical type of controls into computer servo controls,” says Lars Robert Pedersen, deputy secretary general and coo at Bimco. “That can affect the manoeuvrability of the ship - the actual ability to control the equipment on board.

“But also there are ENCs and ECDIS, which are becoming mandatory. These need to be updated on a regular basis – and of course the integrity of the chart system is one area of concern. We need to make sure that these systems are protected adequately – that we don’t end up with a situation where the navigator on the bridge may see things on his chart which are not really there.”

Peter Jackson, ceo at the Singapore arm of insurer Lockton Companies, tells Seatrade Global: “A ship could be run aground or diverted to a location that favours pirates. For theft, disabling a ship to enable piracy could conceivably happen as could diversion of cargo. Systems that control the ship’s speed, the ability to shut down engines that would leave a ship stranded.

“Imagine a scenario where a cruise ship is left marooned and pirates systematically rob the passengers and crew, a latter day highway robbery. What would that do for sales of cruise holidays?”

But as Pedersen is eager to emphasise, any talk of what a cyber-criminal might do with a ship at sea is currently entirely speculative. Any known cyber-attacks on merchant ships so far were sponsored by the industry itself – such as the case of the cyber-security firm hacking ships’ AIS to prove they could make entire ships disappear from tracking systems, make non-existent vessels appear, spell out insults in ship course information and generally wreak mayhem.

This is one of the main arguments against an unmanned ship, whereupon there is no navigator on the bridge to see, with his own eyes, that he is not in fact headed into the path of a super-typhoon and there is no 100,000 ton aircraft carrier about to collide with the starboard bow. But even with crew aboard, could hijackers really take control of a vessel remotely, Hollywood-thriller-style? “It’s theoretically possible in the same way that conceivably a hijacker could take control of an aeroplane,” says Jackson. “Whilst this might seem far-fetched, what is widely acknowledged is the technology of hacking is outstripping the technology of prevention.”

In fact, Cyber-security watchdog CyberKeel recently indicated that 90% of the top 20 container lines would be vulnerable to cyber-attack, whether land or ship-based. “We need to distinguish between an attack on shore-based company infrastructure and an attack on a ship,” Pedersen argues. “An attack within a shipping company’s offices would be directed at their business infrastructure, applications, and continuity. That can have severe commercial implications, but that that is not really what [Bimco] is addressing - we are looking at the issues which might arise from cyber-attacks on a ship.”

Attacks on land-side operations, though, are already happening. A 2012 attack on national Arabian oil company Saudi Aramco by a self-replicating virus erased data on 30,000 computers, replacing it with an image of a burning US flag. More recently in 2013, hackers intercepted drug shipments at the Port of Antwerp, disappearing containers from its systems. “If cyber criminals can rob banks, moving physical goods is also possible. Theft would look to reroute cargo, but if they can take control of facilities and divert cargo then this might also support money laundering or extortion,” says Jackson.

Earlier this month, Clearsky Cyber Security revealed that a shipping company from New Zealand had experienced so called “click-jacking”, wherein criminals posted a fake website containing a copy of their own genuine website in the hope of obtaining login information and bank details. Indeed, an unpalatable truth is that the biggest cyber-threats to shipping operations may come from within. Jackson explains: “One scenario which has perhaps not been widely discussed is the potential of competitor attacks.

“The purpose may be to steal information rather than cause physical harm or disruption. Contract and pricing details, negotiation positions, client details - basically anything you wouldn't want another party to have. It is even possible competing ports and organisations could stage attacks to disrupt services. Shipowners and port operators need to consider scenarios where their systems are hacked and both how do they prevent this happening and how would they respond to such a crisis.”

With cyber-attackers theoretically able to bring down an entire organisation in one fell swoop, cyber-security is one area in which companies cannot afford to wait for the horse to bolt before locking its doors.