In June 2017, the shipping giant Maersk was hit with a major cyber attack. Malicious software locked files on employee computers, completely halting Maersk's port operations. Even with a supposedly quick response from Maersk, the attack shut down 76 port terminals and ended up costing the company $300 million.
Commercial shipping has made major strides in recent decades toward digitalization. Supply-chain concerns, green technology, and costs across the industry have led to a new push for automation. This promises greater efficiency, but it also creates a massive new target for cyber attacks. Where the internet once borrowed the term "piracy" from the maritime domain, we are rapidly reaching the point where it will be possible to digitally hijack a container ship on the high seas.
To address this risk, the International Maritime Organization should issue specific guidance and standards for securing large autonomous networks, including listing uniquely vulnerable systems. Many have questioned the enforcement capabilities of the International Maritime Organization. But its guidance works, both in building consensus and in driving specific changes within the global shipping industry. Working with port authorities, shipping companies, and national governments will require major adaptations to the existing cyber security space. The threat environment will continue to evolve. The shipping industry should adapt to new cyber security challenges to stay afloat.
Existing Vulnerabilities
Commercial ships are already equipped with many systems that can be exploited by cyber attacks. Traditionally, system vulnerabilities are broken up into those that affect information technology and operational technology. Information systems deal with data and business information, whereas operational systems deal with a vessel's onboard hardware and software. The Maersk attack was identified primarily as an information system attack, affecting ships only through business-side delays and changes. When traversing maritime spaces, ship operations rely on limited business data and information systems. Thus, the primary concern with onboard cyber security surrounds operational systems. However, as interconnectivity becomes increasingly common and necessary, this distinction is quickly becoming outdated.
With billions of dollars' worth of goods crossing the ocean every day, a close watch on what occurs on each ship and the proceedings of crews is a necessary part of the industry. All large commercial ships contain vital operational systems including global positioning systems, which track the position of each ship, automatic identification systems, which communicate with ports for ship identification purposes, and electronic chart display and information systems, which provide advanced navigation. Combined with a handful of other navigation and communication systems (including dynamic vessel positioning, NAVigational TEleX, and radar), these electronic networked systems constitute the conventional operational cyber attack surface area.
The most effective attack vector on traditionally networked ships is physical onboard intrusion. Intrusions onto ships and advanced at-sea piracy remain threats to physically based systems. Even docking at port can precede physical intrusion, as onboard systems can be infected with the injection of malicious software through careless use of USB-based storage devices. If chart display systems are tampered with, ships can be pushed off course, resulting in major delays at best and deliberate ship collisions at worst. Penetration testing of major chart manufacturer systems revealed multiple vulnerabilities that can be exploited relatively easily.
In addition to physical intrusion on individual ships, relevant operational subsystems are networked to each other with internationally standardized protocols, namely National Marine Electronics Association (NMEA) communication standards. The standardization of shipborne control networks under unified protocols means that an individual or group that can access one ship can likely already access an untold number of ships. The current industry standard, NMEA 0183, controls a variety of subsystems, including propulsion, steering, and global positioning systems. The shift from physical cable communication to intraship remote networking creates significant vulnerabilities. NMEA 0183 can be easily accessed through a variety of means, including physical computer-based attacks and, more recently, remote attacks. Remote network intrusion or phishing attacks can occur on modern vessels, but operational systems are traditionally best accessed through physical intrusion. This is why current cyber security guidance starts with the crew. These guidance principles are still upheld, but increasing connectivity has started to make them less relevant.
Risks of Autonomous Shipping
In recent years, new developments in autonomous ships have emphasized cost savings and logistical efficiency. First, autonomous ships offer major financial benefits, as crews account for 30 percent of current maritime shipping costs. Second, human error accounts for up to 96 percent of maritime accidents. This, coupled with improvements in energy efficiency and environmental concerns, makes autonomous ships an inevitable development in shipping. The International Maritime Organization has defined the development path of maritime autonomous surface ships in four degrees: automated processes, remote-controlled ships with onboard crews, remote-controlled ships with no onboard crews, and fully autonomous ships. The United Nations has already called for updated legal frameworks and rulemaking to accommodate the development of new ships and systems. But despite international attention and massive potential benefits, a future of fully autonomous ships creates even more security threats.
While the International Maritime Organization has been at the forefront of developments in autonomous ships and has been important in standardizing and guiding autonomous ships, it has lagged in understanding the cyber security risks. The future of autonomous shipping relies on interconnected networks, not only within ships, but also between ship and port. The development of remote-controlled systems means operational systems will be connected to information systems. This means the International Maritime Organization will have its work cut out for it, as regulation and guidance enforcement will be in the hands of port regulators and port authorities. Cyber security is already a large component of port security, but direct access to shipping operational systems will inevitably increase risk.
On the boats themselves, human-in-the-loop systems necessitate that a remote pilot have access not only to ship propulsion systems but also to external data collection and analysis systems. As an interim to full autonomy, semi-autonomous control with or without onboard crews revolves around the increased digitization and networking of almost all shipborne systems. More specifically, semi-autonomous ships rely not just on decision-making processing centers, but also on a robust sensor package that integrates information and operational systems. This includes voyage information, real-time navigation information, and object detection. The integration between situational awareness tools, voyage logistics systems, and ship propulsion systems has been traditionally provided by human pilots and onboard crew. Without a human pilot, however, these previously disconnected systems are routed through a decision-making processing unit, marrying information and operational systems. Integrating multiple systems through a central processing center increases the area in which an attack can occur. This highlights the importance of "break once, break everywhere" resistance.
Automation will significantly increase remote hijacking risk. International organizations will have to be aware of the massive amounts of information coming in and out from each ship and the risks associated with different port authorities and different boats. With crewless ships, the development of systems to ensure the safety of cargo and shipping assets will be paramount for effective maritime security. Furthermore, special care should be taken for different ships. The amount of information shared between larger ships with more complex systems will likely be greater than between smaller ships with fewer systems.
Connections between ship and control center are increasingly provided by the Long Range communication technique. Within the Long Range umbrella, Long Range Wide Area Network protocol has become the strongest candidate for novel ship networking. The Long Range Wide Area Network is a unique tool that allows for remote command and control, allowing for a center to track and evaluate ship movements from thousands of miles away with real-time connectivity. Additionally, the navigational challenges that rougher waters, like the Arctic, present are ones that Long Range Wide Area Network communication protocol is uniquely equipped to tackle.
Unfortunately, Long Range Wide Area Network communication is vulnerable to hijacking. Internet device communication through the network can be intercepted, decrypted, and spoofed. These methods are already known to attackers, giving malicious actors access to ship systems anywhere in the world. Moreover, internet devices are designed to augment and enhance existing systems. NMEA 0183 is currently being phased out for the more modern NMEA 2000 protocol. NMEA 2000-compatible and internet-enabled devices are increasingly common. However, NMEA 2000 appears no more secure than other existing ship communication protocols and exhibits the same issues as NMEA 0183. This means that not only can remote hijacking of communication packages occur but, in many cases, attackers also will be able to access operational systems like propulsion, steering, and ballasting. In the event that a ship is hijacked with no physical crew onboard, remote systems patching is the only possible way to deter or resolve potential cyber attacks.
Another emerging technology that could potentially replace Long Range techniques is SpaceX's Starlink system. Columbia Shipmanagement has begun to try out Starlink systems on vessels already, testing robust connections between information and operational systems through the internet. Because of the novelty of Starlink, cyber attack development is at a much earlier stage than it is with Long Range communication. However, Starlink has its own vulnerabilities. Satellite networks mean that global access would be theoretically possible given the right attack vector. With relatively simple and cheap off-the-shelf devices, researchers have already accessed Starlink-enabled devices, which in a maritime context could give attackers access to ship systems.
Impacts of Autonomous Cyber Security Risk
Systems that are interconnected will need to be protected differently than conventionally separated and relatively isolated systems. The capacity to defend the shipping industry from cyber threats no longer revolves around the crew alone, but also involves international standards, central planning, network vendors, and network administrators.
Current attack vectors on self-driving cars are a glimpse of possible effects on autonomous ships. The most visible threat is direct hijacking of ship propulsion and steering through access to operational systems. These threats are most apparent in second- and third-degree autonomous ships, where propulsion systems can be controlled remotely. Hijackers taking control of a ship and causing a major shipping delay through deliberate collisions or simply throwing ships off course would cost stakeholders billions of dollars. The blocking of Suez Canal traffic in 2021 cost $9.6 billion per day. A capable actor with malicious intent could feasibly do significantly more damage to even more trafficked areas like the English Channel. On ships with active crews, hijacking could lead to not only billions of dollars in financial loss, but loss of life as well.
Increasing the degree of autonomy on shipping shifts the threat environment. With fourth-degree autonomous ship routes, direct remote control of propulsion subsystems becomes more difficult. However, studies indicate that the more vulnerable subsystems in autonomous ships will be in their navigation systems. Intercepting and tampering with global positioning system communication or chart systems would not only give attackers access to up-to-date and specific information on ship whereabouts (increasing potential physical security risks) but would also give attackers the ability to replace input navigation data. Relative isolation between navigational systems and propulsion is impossible for fully autonomous systems. With fully autonomous ships relying on navigation data to move, faulty inputs or blocked data could lead to collisions or altered courses, resulting in the same hefty financial losses as direct hijacking.
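The kind of plausibility check a receiving system can run on navigation input, as an added example that is not part of the original article: it validates NMEA 0183 `RMC` position sentences and flags fixes that imply an impossible speed. The sample sentences are constructed, and the function names and the 30-knot ceiling are assumptions made for illustration.

```python
import math

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles


def checksum(body: str) -> str:
    """NMEA 0183 checksum: XOR of every character between '$' and '*'."""
    value = 0
    for ch in body:
        value ^= ord(ch)
    return f"{value:02X}"


def checksum_ok(sentence: str) -> bool:
    sentence = sentence.strip()
    if not sentence.startswith("$") or sentence.count("*") != 1:
        return False
    body, given = sentence[1:].split("*")
    return given.upper() == checksum(body)


def _to_degrees(value: str, hemisphere: str, deg_digits: int) -> float:
    # NMEA encodes positions as (d)ddmm.mmm: whole degrees, then decimal minutes.
    degrees = int(value[:deg_digits]) + float(value[deg_digits:]) / 60.0
    return -degrees if hemisphere in ("S", "W") else degrees


def parse_rmc(sentence: str):
    """Return (seconds_of_day, lat, lon) for an active RMC fix, else None."""
    fields = sentence.strip()[1:].split("*")[0].split(",")
    if len(fields) < 7 or not fields[0].endswith("RMC") or fields[2] != "A":
        return None
    try:
        t = fields[1]
        seconds = int(t[0:2]) * 3600 + int(t[2:4]) * 60 + float(t[4:])
        lat = _to_degrees(fields[3], fields[4], 2)
        lon = _to_degrees(fields[5], fields[6], 3)
    except (ValueError, IndexError):
        return None
    return seconds, lat, lon


def distance_nm(lat1, lon1, lat2, lon2) -> float:
    """Great-circle (haversine) distance in nautical miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))


def check_track(sentences, max_knots=30.0):
    """Return [(index, reason)] for sentences that should not be trusted."""
    alerts = []
    last = None  # last accepted fix; rejected fixes never become the reference
    for i, s in enumerate(sentences):
        if not checksum_ok(s):
            alerts.append((i, "bad_checksum"))
            continue
        fix = parse_rmc(s)
        if fix is None:
            alerts.append((i, "invalid_fix"))
            continue
        if last is not None:
            dt_hours = (fix[0] - last[0]) / 3600.0
            if dt_hours <= 0:
                alerts.append((i, "time_not_advancing"))
                continue
            knots = distance_nm(last[1], last[2], fix[1], fix[2]) / dt_hours
            if knots > max_knots:
                alerts.append((i, "implausible_speed"))
                continue
        last = fix
    return alerts


def _rmc(time: str, lat: str) -> str:
    # Constructed test fixture, not captured traffic.
    body = f"GPRMC,{time},A,{lat},N,11715.000,W,18.0,000.0,010123,,"
    return f"${body}*{checksum(body)}"


SAMPLE = [
    _rmc("120000", "3250.000"),                                  # baseline fix
    _rmc("120100", "3250.300"),                                  # about 18 knots: plausible
    _rmc("120200", "3255.300"),                                  # valid checksum, 5 nm jump in 60 s
    _rmc("120300", "3250.900").replace("3250.900", "3250.910"),  # body altered, stale checksum
    _rmc("120400", "3251.200"),                                  # plausible again vs. last accepted fix
]

if __name__ == "__main__":
    for index, reason in check_track(SAMPLE):
        print(index, reason, SAMPLE[index])
```

The third sample carries a valid checksum and is still rejected: the NMEA 0183 checksum detects corruption in transit, not who sent the sentence, so the receiver has to judge the content itself.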
New Guidance for New Threats
Increased cyber security vulnerabilities via autonomous ships are not an unknown development. Security frameworks are actively being developed by independent researchers, and many different actors are trying to do their part. To their credit, the International Association for Classification Societies, the Digital Container Shipping Association, and the International Chamber of Shipping have published their own studies and guidelines for autonomous cyber security. As recently as 2022, NATO published its own study on cyber security, including explicit analyses of information and operational systems, although it did not establish guidelines for autonomous ship development.
However, a major gap in guidance exists coming from the International Maritime Organization. As an organization under the United Nations, this body has a crucial responsibility to fulfill. The International Maritime Organization does publish cyber security guidance, giving a broad overview of potential issues in shipping. The most recent version of the organization's guidance contains two references to automation, both in the introduction. Updated International Maritime Organization standards between 2021 and 2022 do not include updated guidance for the automated shipping environment despite accelerating developments in autonomous ships occurring each year.
Staying ahead of the curve requires that the International Maritime Organization predict and adapt quicker than it historically has. The International Maritime Organization's 107th Maritime Safety Committee session convened in June 2023 and promised to discuss, among other things, issuing new cyber security risk guidelines for autonomous ships. New guidance has not been published yet, nor has the existing information/operational distinction been reconsidered. Instead, the Maritime Safety Committee cyber risk management guidance doubles down on it. To combat cyber vulnerabilities, the International Maritime Organization should break away from the notion that information and operational systems will remain separate and mutually exclusive.
Understanding the convergence of information and operational technology will allow individual shipping companies and the industry writ large to better harden themselves against cyber attack. International Maritime Organization cyber guidance remains a series of recommendations. However, they can draw attention to the need for network encryption and the isolation of operation-critical instruments, thereby pushing the industry to improve its practices. The best case scenario would be for the International Maritime Organization Legal Committee to establish legal guidance with binding effects. At the very least, International Maritime Organization guidance can encourage more frequent risk assessment and emphasize the risks specifically associated with autonomous ships. If its cyber security guidance does not reflect an expansion in cyber attack vectors, the future of security in autonomous shipping is in dire straits.
Alex Li is a master's of international affairs student at the School of Global Policy and Strategy at the University of California, San Diego. His work and research have focused on conflict and national security, particularly the intersection between industrial economies and war.
Image: U.S. Navy photo by Chief Mass Communication Specialist Roland Franklin
Continued here:
Digital Piracy Returns to Sea: Protecting Autonomous Ships from ... - War On The Rocks