In a world where young men are willing to pounce on VLCCs using only guts, wooden boats and rusty Kalashnikovs, the threat to shipping and maritime may now also be coming in a much more subtle manner from the computer hacker.
Cyber security may be right at the top of the international agenda, exemplified by Barack Obama’s 2013 statement that the “cyber threat is one of the most serious economic and national security challenges we face”. But - like most things cyber - shipping has not been taking it particularly seriously until recently. Last week, International Maritime Bureau took time out of battling corporeal pirates to warn shipping about the risks of digital ones, which warned shipping is becoming the “next playground for hackers”.
In fact, it arguably has been for some time, after it was discovered in October last year that for two years, hackers had been intercepting drug shipments at the Port of Antwerp and disappearing containers from its systems.
Later that month it was found that, using less-than-$1,000 technology, hackers could interfere with easily-accessible ship AIS systems to make entire ships disappear altogether from tracking systems, make non-existent vessels appear, or in this particular case make a ship’s reported course spell out “PWNED” (or “I own you” in online gaming parlance).
Not every system is as easy to access as AIS, however. In spite of the Hollywood-perpetuated myths, most networks – such as port control systems – are independent of the World Wide Web and are more than a flurry of improbably-fast typing away. In these cases, more rudimentary tactics are required, such as e-mail viruses, or famous hacker Kevin Mitnick’s strategy of simply phoning up and sounding authoritative: “A company can spend hundreds of thousands of dollars on firewalls… but if an attacker can call one trusted person within the company, and that person complies… then all that money spent on technology is essentially wasted,” he once remarked.
“We see incidents which at first appear to be a petty break-in at office facilities,” said TT Club Insurance claims expert Mike Yarwood in a recent TOC presentation. “The damage appears minimal – nothing is physically removed. More thorough post incident investigations however reveal that the ‘thieves’ were actually installing spyware within the operator’s IT network.”
In June, the US’ Global Accountability Office (GAO) criticised the nation’s Coast Guard, Federal Emergency Management Agency (FEMA) and lawmakers for failing to address cyber security despite the fact that its ports handle at least $1.3trn worth of cargo every year. “The operations of these ports are supported by information and communication systems, which are susceptible to cyber-related threats,” the report stated.
The report went on to highlight the possible directions from any given cyber-threat could spring, listing hackers – who “break into networks for the thrill of the challenge, bragging rights in the hacker community, revenge, stalking, monetary gain, and political activism,” and who could “download attack scripts and protocols from the Internet and launch them against victim sites”, alongside organised crime syndicates, rival logistics firms, disgruntled employees, other nations, and – of course – terrorists, who could “destroy, incapacitate, or exploit critical infrastructures in order to threaten national security, cause mass casualties, weaken the economy, and damage public morale.”
“Until the Coast Guard completes a thorough assessment of cyber risks in the maritime environment, the ability of stakeholders to appropriately plan and allocate resources to protect ports and other maritime facilities will be limited.”
If one were of a mind to destabilise the global economy, attacking 90% of world trade might not be a bad place to start. But the more immediate risk is that of losing money. While some will be comforted by the lack of case-studies for shipping cyber-attacks, many suspect that this doesn’t reflect the reality of the situation. No company wants to admit that its cyber-security has been compromised, but information-sharing, ironically, may turn out to be the best defence as we move into an ever-more digital future.