Experts warn that the global shipping industry is vulnerable to cyber-attack
Security experts warn that the sector transporting 90 per cent of world trade is highly vulnerable
PUBLISHED : Thursday, 24 April, 2014, 10:03pm
The next hacker target appears likely to be the open seas and the oil tankers and container vessels that ship 90 per cent of the goods moved around the planet.
Hackers recently shut down a floating oil rig by tilting it, while another rig was so riddled with computer malware that it took 19 days to make the rig seaworthy again.
Somali pirates help choose their targets by viewing navigational data online, prompting ships to turn off navigational devices or fake the data so it looks like they are somewhere else. Also, hackers attacked the Belgian port of Antwerp, located containers, made off with their smuggled drugs and deleted the records.
While data on the extent of the maritime industry’s exposure to cyber-crime is sparse, a study of the energy sector by insurance brokers Willis this month found that the industry “may be sitting on an uninsured time bomb”.
Globally, it estimated that cyber attacks against oil and gas infrastructure would cost energy companies close to US$1.9 billion by 2018. The British government says cyber attacks already cost its oil and gas companies £400 million (HK$5.2 billion) a year.
In the maritime industry, the number of known cases is low as attacks often remain invisible to the company, or businesses do not want to report them for fear of alarming investors, regulators or insurers, security experts say.
There are few reports that hackers have compromised maritime cyber security. but epxerts say there are holes in the three key navigation technologies: GPS, marine Automatic Identification System (AIS), and a system to view digital charts called Electronic Chart Display and Information System (ECDIS).
“Increasingly, the maritime domain and energy sector has turned to technology to improve production, cost and reduce delivery schedules,” a Nato-accredited think-tank wrote in a recent report. “These technological changes have opened the door to emerging threats and vulnerabilities as equipment has become accessible to outside entities.”
A recent study by security company Rapid7 found more than 100,000 devices, from traffic signal equipment to oil and gas monitors, were connected to the internet using serial ports with poor security.
“The lines get blurry, and all industries and all technologies need to focus more on security,” said Mark Schloesser, one of the authors of the study.
Mark Gazit, chief executive of ThetaRay, an internet security company, said an attacker managed to tilt a floating oil rig off the coast of Africa, forcing it to shut down. It took a week to identify the cause and fix, he said, mainly because there were no cyber security professionals aboard.
Shipping companies generally played down the potential threat from hackers.
“Our only concern at this stage is the possible access to this information by pirates, and we have established appropriate countermeasures to handle this threat,” said Ong Choo Kiat, president of U-Ming Marine Transport, a Taiwan firm that owns and operates 53 dry cargo ships and oil tankers.
A spokeswoman for Maersk Line, the world’s top shipping container group, said: “Yes, we consider cyber risk a threat, but vessels are no more vulnerable to such attacks than onshore systems and organisations. We are taking this risk seriously and ensuring that we are protected against such threats.”
Researchers from the University of Texas demonstrated last July that it was possible to change a ship’s direction by faking a GPS signal to dupe its onboard navigation system.
In January, British cyber security research firm NCC Group found flaws in a vendor’s ECDIS software allowing an attacker to access and modify files, including charts. “If exploited in a real scenario,” it said, “these vulnerabilities could cause serious environmental and financial damage, and even loss of life.”
This article appeared in the South China Morning Post print edition as Global shipping industry next cyber-attack target?