The intentional misdirection of shipping vessels in the Black Sea, the jamming of GPS along South Korea, and the multiple collisions of the United States Seventh Fleet are almost certainly unrelated, but these events do begin to illustrate the possibility of a link. We’re seeing a worrisome trend emerge lately, the public demonstration and discussion of the benefits of affecting sea vessel movements.
Many have raised the specter of a cyberattack causing the US Navy’s mishaps in Asia. The more likely cause, however, is the overstrained workforce conducting the freedom of navigation operations, while also attempting deter North Korea. But, unfortunately, people are focusing on the wrong vessels when considering the specter of cyberattacks against ships. A naval vessel is the most challenging target to infiltrate on the high seas. Commercial and private ships, however, are more likely targets for cyberattacks. Over the last five years, dozens of reports have discussed how vulnerable merchant vessels are to hacking.
A survey from Futurenautics, a firm that researches technology trends in maritime businesses, found that 40% of officers have sailed on a vessel that’s been infected with malware. Penetration testers focused on this industry and repeatedly find that ships run outdated, unpatched, insecure software.
A ship’s onboard computers are the easiest targets to compromise and give attackers the most control over a vessel. Infiltration can be done by either going after individual ships, or carrying out a supply chain attack to ensure that the attacker can control entire classes of vessels. Proof of concept attacks that show how these systems can be accessed have been publicized for quite some time. Security researchers most recently figured out how to track and attack ships over their live VSAT connections. IOActive found two vulnerabilities into AmosConnect 8 that would “provide deep access into a ship’s systems for an attacker with a gateway onto the ship’s network.”
To date, we have only seen proof of concept intrusions. However, the potential of these vulnerabilities, which impact merchant fleets around the world, cannot be understated. The ability to affect the physical location, speed, and ballast of a ship at sea or in a harbor creates significant options for an attacker.
The ability to penetrate ship infrastructure and then pivot to control systems is no longer a hypothetical that government agencies use to induce fear and compliance with new standards. It is a reality that has been demonstrated.
GPS Spoofing has been a known vulnerability for several years. Proof of concept attacks have been conducted for years, but this past August this type of attack was seen in the wild. In that incident, more than 20 ships in the Black Sea ended up severely off course. While this method is effective, it is costly and requires significant signal amplification that would allow for rapid retaliation through vectoring. This type of attack also requires attackers to be near the targeted ship and creates problems when out of range.
The concept of attacking merchant vessels for profit has been around since the early 1990s. Port authorities have seen significant activity led by organized crime either attempting to smuggle goods through ports or in the case of Somali pirates, figure out which ships and containers provide the largest payday. The risk of multi-million dollar losses to this type of activity cannot be downplayed, especially as autonomous shipping becomes more mainstream. However, this cost pales when compared to the loss of an entire ship as nation-state actors leverage the combat advantages of using cyberattacks to hijack merchant fleets.
First, merchant fleets could temporarily block ports and important shipping channels. Given that most global navy’s operate out of ports located in extremely busy shipping lanes, the global civilian fleets have the potential to act as a drone navy for whomever decides to leverage these massive vulnerabilities. Several large tankers or cruise ships could block a port for several hours, delaying the departure of a fleet attempting to get underway. A worse scenario is the possibility of scuttling ships in critical choke points-this threat is being recognized by some national governments. In September, the British government issued a cyber security code of practice for ships. The code calls out the possibility of Britain’s unsecure shipping industry being attacked and having a commercial vessel sunk as a result.
Given the speed of conflict, delaying capital assets such as naval ships for hours, days, and potentially weeks means the difference between victory and defeat. Few nations other than the U.S. have the capability to keep adversaries away from desired shores and fight completely in another theater of war. Cyber is the great equalizer for time and distance. Cyberattacks have the potential to turn existing, poorly protected vessels into a localized force in another theater of war-without the adversary ever transporting troops or building physical systems.
Second, nation-state actors can impact military movements by studying merchant vessels. Privately-owned U.S. flag commercial vessels and their civilian U.S. citizen crews have transported more than 90% of the cargo needed to support U.S. military operations and rebuilding programs in Iraq and Afghanistan. The U.S. and British militaries cannot fight a war abroad without a heavy reliance on civilian shipping. Even minor shipping delays can hamper military action and force a more defensive posture as supplies dwindle. Chinese actors have been targeting maritime infrastructure for years. North Korea has been systematically attempting to gain access to South Korean transportation networks over the last few years.
Unlike SCADA systems, where evidence of probing is just now coming to light, transportation networks and ports have been consistent, confirmed victims of hacking for at least five years now. Executing an attack against merchant vessels is not a hypothetical scenario. The means, access, and capability have all been demonstrated. The only unknown is whether nation-states have the will to use ships as accidental combatants.
Vulnerabilities in civilian shipping fleets will continue to be discovered. For years, experts have warned of not if, but when a large capital asset will get hijacked. The most recent research continues to highlight how vulnerable this entire industry is now. Given the rising global tensions and increased soft cyber targeting globally, the shipping industry and those who operate or rely on global supply lines, must start planning to manage this risk.
Time and distance no longer assure safety, and the level of access and proven vulnerabilities make this type of activity very appealing, especially for adversaries who are outclassed when it comes to war-fighting capabilities. The implications of the research published over the last five years is far more worrisome than any individual vulnerability. Our ability to guarantee the integrity of these large, expensive assets should now be in doubt. Anyone who’s involved in trafficking the high seas must figure out redundant “dumb” fail safes, or risk being an unwitting weapon in someone else’s conflict.