It’s no secret that there have been numerous cyber attacks on the shipping industry over the past few months and years. There are countless, well publicised attacks that have brought shipping lines to a standstill for days and weeks at a time, resulting in crippling effects on global supply chains.
What is less talked about are cyber attacks on vessels themselves. It’s easy to assume that because a ship is not physically connected to anything, in the same way that shore-based facilities are, that they are less vulnerable to attack, but we live in a world where everything is connected.
Cyber criminals do not need a physical connection to an asset to be able to successfully infiltrate and attack. A cyber attack on a vessel can inflict major damage to the vessel, the crew, the cargo, and the environment.
Container shipping is a good example. Every time a container ship enters a port, the terminal will provide the load plan to the Chief Officer. This is, more often than not, delivered in the form of a USB drive. That drive is plugged into the vessel loading and stability software so that the load condition can be checked, and the Chief Officer can ensure that the vessel is able to sail in a safe, and seaworthy condition. Updated load plans are delivered to the vessel multiple times during the port call.
From a cyber security perspective, we do not know what protocols the terminal has in place. We do not know how many other vessels that USB drive has been used on and we don’t even know where the USB drive came from in the first place. Is it the property of the terminal or is it a private drive that is being used by the terminal planner?
From a pure cargo data perspective, if the container information is being manipulated then it is all too easy for the vessel to think that the vessel is safe and seaworthy when the reality is far from that. Heavy containers may be loaded in the higher tiers, hazardous cargo may not be properly segregated, refrigerated containers may not show up on the plan and might therefore not get plugged in once loaded.
Since all the vessel’s stability calculations are based on this data, this is an extremely vulnerable link in the cyber security chain. In some of the worst-case scenarios, a vessel can lose containers overboard in heavy weather or be at a higher risk of onboard fires due to unknown hazardous cargo being loaded under deck in locations that are not permitted.
Even minor changes to the data, such as incorrect refrigerated container information can lead to large cargo insurance claims. Given the high value of refrigerated cargoes, if the load plan doesn’t show that a particular container is a live reefer, the crew won’t know to connect it to the ships power supply and monitor it. A single reefer container insurance claim can easily run into the millions of dollars.